Bug 1484291 - There is an illegal address access in strings.c of libncurses.
Status: CLOSED DUPLICATE of bug 1488922
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Lichvar
QA Contact: qe-baseos-daemons
Blocks: CVE-2017-13734
Reported: 2017-08-23 04:11 EDT by owl337
Modified: 2018-07-27 11:25 EDT
Last Closed: 2018-07-27 11:25:10 EDT
Type: Bug


Attachments
Triggered by " ./infotocap POC13 " (687 bytes, application/x-rar), 2017-08-23 04:11 EDT, owl337
The modified POC (181 bytes, application/x-rar), 2017-08-25 23:10 EDT, owl337

Description owl337 2017-08-23 04:11:15 EDT
Created attachment 1316983 [details]
Triggered by " ./infotocap POC13 "

Description of problem:

There is an illegal address access in strings.c of libncurses.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./infotocap POC13

Steps to Reproduce:

$ ./../../../infotocap POC13
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 9: dubious character `*' in name or alias field
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 11, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 14, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 22, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 24, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ','
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 68, terminal 'a*9拢觻[': Illegal character - '^\'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 68, terminal 'a*9拢觻[': unknown capability '5'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 69, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 180, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 183, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 190, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 192, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - ','
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 208, terminal 'a*9拢觻[': Missing separator after `ac', have ^\
"id:000315,sig:11,src:000798,op:havoc,rep:16", line 1, col 209, terminal 'a*9拢觻[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
Segmentation fault


The GDB debugging information is as follows:
(gdb) set args POC13
(gdb) set args POC13
(gdb) r
Starting program: /home/icy/secreal/ncurses-6.0-20170819/install/bin/infotocap POC13
"POC31", line 1, col 9: dubious character `*' in name or alias field
"POC13", line 1, col 11, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 14, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 22, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"POC13", line 1, col 24, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ','
"POC13", line 1, col 68, terminal 'a*9??[': Illegal character - '^\'
"POC13", line 1, col 68, terminal 'a*9??[': unknown capability '5'
"POC13", line 1, col 69, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - '^\'
"POC13", line 1, col 180, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 183, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ':'
"POC13", line 1, col 190, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ';'
"POC13", line 1, col 192, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - ','
"POC13", line 1, col 208, terminal 'a*9??[': Missing separator after `ac', have ^\
"POC13", line 1, col 209, terminal 'a*9??[': Illegal character (expected alphanumeric or @%&*!#) - '^\'

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:137
137	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt 
#0  strlen () at ../sysdeps/x86_64/strlen.S:137
#1  0x00000000004528e2 in _nc_safe_strcat (dst=0x7fffffffadc0, 
    src=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>)
    at ../ncurses/./tinfo/strings.c:109
#2  0x0000000000446bfa in postprocess_termcap (tp=<optimized out>, has_base=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:923
#3  _nc_parse_entry (entryp=0x7fffffffaf38, literal=<optimized out>, silent=<optimized out>)
    at ../ncurses/./tinfo/parse_entry.c:520
#4  0x000000000043db23 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=false, 
    hook=0x0) at ../ncurses/./tinfo/comp_parse.c:225
#5  0x0000000000403039 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:958

Triggered in:
_nc_safe_strcat (dst=0x7fffffffadc0, src=0x67d6ad "\r") at ../ncurses/./tinfo/strings.c:109
109		size_t len = strlen(src);

104	 */
105	NCURSES_EXPORT(bool)
106	_nc_safe_strcat(string_desc * dst, const char *src)
107	{
108	    if (src != 0) {
109		size_t len = strlen(src);
110	
111		if (len < dst->s_size) {
112		    if (dst->s_tail != 0) {
113			_nc_STRCPY(dst->s_tail, src, dst->s_size);

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
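To make the crash mechanism in frame #1 concrete, here is an added example (not code from the report or from ncurses) that models string_desc and _nc_safe_strcat as shown in the listing above and adds the caller-side check a maintainer would want: ncurses marks a cancelled capability with the sentinel (char *)-1, which on x86_64 is exactly the src value 0xffffffffffffffff in the backtrace, and the shipped `src != 0` test lets that pointer through to strlen(). The struct layout, the tail of the function and the sentinel macros are assumptions taken from ncurses conventions rather than from this page, and the hardened variant illustrates the class of check, not the project's actual patch.

```c
#include <stdbool.h>
#include <string.h>

/* Model of ncurses' string_desc as used by _nc_safe_strcat (tinfo/strings.c).
 * The field names s_tail and s_size come from the listing in the report; the
 * exact struct layout and the function's tail are assumptions. */
typedef struct {
    char *s_tail;   /* current write position in the output buffer */
    size_t s_size;  /* bytes still available at s_tail, including the NUL */
} string_desc;

/* Terminfo sentinels as defined in ncurses (assumption relative to this page):
 * an absent string is a null pointer, a cancelled one is (char *)-1, which on
 * x86_64 is 0xffffffffffffffff, the src value in frame #1 of the backtrace. */
#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)(-1))
#define VALID_STRING(s)  ((s) != ABSENT_STRING && (s) != CANCELLED_STRING)

/* Same shape as the function in the crash frame: only the null case is
 * filtered, so a cancelled capability reaches strlen() and faults. */
bool safe_strcat_as_shipped(string_desc *dst, const char *src)
{
    if (src != 0) {
        size_t len = strlen(src);       /* faults when src == (char *)-1 */
        if (len < dst->s_size) {        /* bounded copy, NUL included */
            if (dst->s_tail != 0) {
                memcpy(dst->s_tail, src, len + 1);
                dst->s_tail += len;
            }
            dst->s_size -= len;
            return true;
        }
    }
    return false;                       /* would overflow: nothing copied */
}

/* Hardened entry point: refuse both sentinels before any dereference, the
 * kind of check a caller must apply before handing a capability string to
 * a concatenation routine. */
bool safe_strcat_checked(string_desc *dst, const char *src)
{
    if (!VALID_STRING(src))
        return false;
    return safe_strcat_as_shipped(dst, src);
}
```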
Comment 2 Thomas E. Dickey 2017-08-25 18:42:44 EDT
The given test-case does not produce the reported problem.
Comment 3 owl337 2017-08-25 23:10 EDT
Created attachment 1318358 [details]
The modified POC

Sorry for this mistake.
Comment 4 Thomas E. Dickey 2017-08-26 09:57:39 EDT
I made a fix for this report which will be in the next set of updates.