Bug 1643754 - There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses. [NEEDINFO]
Summary: There is a Segmentation fault on unknown address in function _nc_parse_entry ...
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses   
(Show other bugs)
Version: 7.7-Alt
Hardware: All
OS: All
Target Milestone: rc
: ---
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2018-10-28 12:27 UTC by shuitao gan
Modified: 2018-11-28 21:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
iamleot+rhbugzilla: needinfo? (ganshuitao)

Attachments (Terms of Use)
Trigger by "./captoinfo POC1" (716 bytes, application/x-rar)
2018-10-28 12:27 UTC, shuitao gan
no flags Details

Description shuitao gan 2018-10-28 12:27:16 UTC
Created attachment 1498273 [details]
Trigger by "./captoinfo POC1"

version: ncurses6.1

There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses. 


The asan debug is as follows:

$./captoinfo POC1

==84668==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f91e96dea73 sp 0x7ffe1ffc7318 bp 0x7ffe1ffc7350 T0)
==84668==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7f91e96dea72 (/lib/x86_64-linux-gnu/libc.so.6+0x89a72)
    #1 0x4587b2 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4587b2)
    #2 0x4ff3ca (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4ff3ca)
    #3 0x4ee143 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4ee143)
    #4 0x482739 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x482739)
    #5 0x7f91e9675a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e428 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x47e428)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??

normal execution as below:

$./captoinfo POC1

Program received signal SIGSEGV, Segmentation fault.
__strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
57	../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
(gdb) bt
#0  __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
#1  0x000000000047e240 in _nc_parse_entry ()
#2  0x0000000000471394 in _nc_read_entry_source ()
#3  0x0000000000406505 in main ()

Comment 2 Miroslav Lichvar 2018-10-29 08:57:28 UTC
In RHEL7 there is no ncurses-6.1. Can you please report it on the upstream mailing list?

Comment 3 Leonardo Taccari 2018-11-12 22:46:09 UTC
Hello shuitao and Miroslav,
Is this maybe a duplicate of CVE-2018-10754?

Thank you!

Comment 4 Thomas E. Dickey 2018-11-28 21:47:21 UTC
It doesn't crash with current ncurses, and as noted is not relevant to RHEL7.
In a quick check, it doesn't crash with ncurses 6.1 release, either.

Note You need to log in before you can comment on or make changes to this bug.