Bug 1643754 - There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses.
Summary: There is a Segmentation fault on unknown address in function _nc_parse_entry ...
Keywords:
Status: CLOSED DUPLICATE of bug 1576823
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.7-Alt
Hardware: All
OS: All
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-28 12:27 UTC by shuitao gan
Modified: 2019-06-20 15:55 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-20 15:55:08 UTC


Attachments (Terms of Use)
Trigger by "./captoinfo POC1" (716 bytes, application/x-rar)
2018-10-28 12:27 UTC, shuitao gan
no flags Details

Description shuitao gan 2018-10-28 12:27:16 UTC
Created attachment 1498273 [details]
Trigger by "./captoinfo POC1"

version: ncurses6.1
Summary: 

There is a Segmentation fault on unknown address in function _nc_parse_entry in libncurses. 

Description:

The asan debug is as follows:

$./captoinfo POC1

=================================================================
==84668==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f91e96dea73 sp 0x7ffe1ffc7318 bp 0x7ffe1ffc7350 T0)
==84668==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7f91e96dea72 (/lib/x86_64-linux-gnu/libc.so.6+0x89a72)
    #1 0x4587b2 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4587b2)
    #2 0x4ff3ca (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4ff3ca)
    #3 0x4ee143 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4ee143)
    #4 0x482739 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x482739)
    #5 0x7f91e9675a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e428 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x47e428)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==84668==ABORTING


normal execution as below:

$./captoinfo POC1

Program received signal SIGSEGV, Segmentation fault.
__strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
57	../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
(gdb) bt
#0  __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
#1  0x000000000047e240 in _nc_parse_entry ()
#2  0x0000000000471394 in _nc_read_entry_source ()
#3  0x0000000000406505 in main ()

Comment 2 Miroslav Lichvar 2018-10-29 08:57:28 UTC
In RHEL7 there is no ncurses-6.1. Can you please report it on the upstream mailing list?

Comment 3 Leonardo Taccari 2018-11-12 22:46:09 UTC
Hello shuitao and Miroslav,
Is this maybe a duplicate of CVE-2018-10754?


Thank you!

Comment 4 Thomas E. Dickey 2018-11-28 21:47:21 UTC
It doesn't crash with current ncurses, and as noted is not relevant to RHEL7.
In a quick check, it doesn't crash with ncurses 6.1 release, either.

Comment 5 Sylvain Beucler 2019-04-10 13:28:04 UTC
Hi,

FYI I can reproduce the crash with ncurses 5.9 and 6.1 on Debian 8:

# ./captoinfo -V
ncurses 6.1.20180127

# LANG=C gdb --args ./captoinfo poc1
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./captoinfo...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/src/ncurses-6.1/destdir/usr/bin/captoinfo poc1
"poc1", line 1, col 32: dubious character `*' in name or alias field
"poc1", line 1, col 32: invalid entry name "a*��*���Ԧ��jϣѣ�5"
"poc1", line 1, col 33, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 2, col 8, terminal 'invalid': Illegal character - '*'
"poc1", line 2, col 8, terminal 'invalid': unknown capability 'P'
"poc1", line 2, col 10, terminal 'invalid': unknown capability '9'
"poc1", line 2, col 12, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 2, col 16, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-T'
"poc1", line 2, col 25, terminal 'invalid': unknown capability '5'
"poc1", line 2, col 27, terminal 'invalid': unknown capability '&'
"poc1", line 3, col 6, terminal 'invalid': invalid entry name "jԣ�5"
"poc1", line 3, col 7, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 3, col 13, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-&'
"poc1", line 3, col 18, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 3, col 24, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4095, terminal 'jԣ�5': older tic versions may treat the description field as an alias
"poc1", line 4, col 4095, terminal 'jԣ�5': invalid entry name "jԣ�5"
"poc1", line 4, col 4095, terminal 'invalid': alias `555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555557555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555'55555555555555555555555555555555555555555555555555555555555555' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555b���55555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555�5555555555555555555pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppT22dpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppyppppppppppppppppppppp' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppMpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `pppppppppppppppppppppppppppppppppppppppppppppppppp����������������������������' may be too long
"poc1", line 4, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '~V'
"poc1", line 4, col 4931, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4937, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4944, terminal 'invalid': Too much data, some is lost: a
"poc1", line 4, col 4946, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-#'
"poc1", line 4, col 4951, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4963, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 4, col 4968, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4972, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-T'
"poc1", line 4, col 4981, terminal 'invalid': Legacy termcap allows only a trailing tc= clause
"poc1", line 4, col 4981, terminal 'invalid': unknown capability '5'
"poc1", line 4, col 4983, terminal 'invalid': unknown capability '&'

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32	../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.
(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1  0x0000000000419b0e in ?? ()
#2  0x00000000004161dc in ?? ()
#3  0x0000000000402309 in ?? ()
#4  0x00007ffff7a52b45 in __libc_start_main (main=0x401a60, argc=2, argv=0x7fffffffe648, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe638)
    at libc-start.c:287
#5  0x0000000000402ae5 in ?? ()



# captoinfo -V
ncurses 5.9.20140913

# LANG=C gdb --args captoinfo poc1
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from captoinfo...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/src/ncurses-6.1/destdir/usr/bin/captoinfo poc1
"poc1", line 1, col 32: dubious character `*' in name or alias field
"poc1", line 1, col 32: invalid entry name "a*��*���Ԧ��jϣѣ�5"
"poc1", line 1, col 33, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 2, col 8, terminal 'invalid': Illegal character - '*'
"poc1", line 2, col 8, terminal 'invalid': unknown capability 'P'
"poc1", line 2, col 10, terminal 'invalid': unknown capability '9'
"poc1", line 2, col 12, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 2, col 16, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-T'
"poc1", line 2, col 25, terminal 'invalid': unknown capability '5'
"poc1", line 2, col 27, terminal 'invalid': unknown capability '&'
"poc1", line 3, col 6, terminal 'invalid': invalid entry name "jԣ�5"
"poc1", line 3, col 7, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 3, col 13, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-&'
"poc1", line 3, col 18, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 3, col 24, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4095, terminal 'jԣ�5': older tic versions may treat the description field as an alias
"poc1", line 4, col 4095, terminal 'jԣ�5': invalid entry name "jԣ�5"
"poc1", line 4, col 4095, terminal 'invalid': alias `555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555557555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555'55555555555555555555555555555555555555555555555555555555555555' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������5555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555b���55555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555�5555555555555555555pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppT22dpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppyppppppppppppppppppppp' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppMpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp' may be too long
"poc1", line 4, col 4095, terminal 'invalid': alias `pppppppppppppppppppppppppppppppppppppppppppppppppp����������������������������' may be too long
"poc1", line 4, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '~V'
"poc1", line 4, col 4931, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4937, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4944, terminal 'invalid': Too much data, some is lost: a
"poc1", line 4, col 4946, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-#'
"poc1", line 4, col 4951, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4963, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '`'
"poc1", line 4, col 4968, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - ':'
"poc1", line 4, col 4972, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-T'
"poc1", line 4, col 4981, terminal 'invalid': Legacy termcap allows only a trailing tc= clause
"poc1", line 4, col 4981, terminal 'invalid': unknown capability '5'
"poc1", line 4, col 4983, terminal 'invalid': unknown capability '&'

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32	../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.

Comment 6 Thomas E. Dickey 2019-04-10 20:08:51 UTC
Debian 8 doesn't have ncurses 6.1 (again, the point of this bug tracking system is problems in packages provided by Red Hat, not unverified builds by users).

Comment 7 Sylvain Beucler 2019-04-10 21:08:12 UTC
Sure. What happens is:
I read:
"In a quick check, it doesn't crash with ncurses 6.1 release, either."
I test:
- segfault with Deb8's 5.9 package
- segfault with ncurses 6.1 recompiled on Deb8.
I thought I'd share the result.
I'll probably forward these to upstream tomorrow - unless that was already done?

I'm part of the Debian LTS team btw, doing this as part of investigating CVE-2018-19217.

Comment 8 Sylvain Beucler 2019-04-11 10:40:25 UTC
FYI this one had been fixed in 6.1-20180414 (from https://invisible-mirror.net/archives/ncurses/6.1/dev-patches.zip)

20180414
       + add a null-pointer check in _nc_parse_entry to handle an error when
         a use-name is invalid syntax (report by Chung-Yi Lin).

Unrelated to CVE-2018-19217 AFAICT, this one was assigned CVE-2018-19211.

Comment 9 Sylvain Beucler 2019-04-14 11:14:32 UTC
For the record this is also a duplicate of #1576119 / CVE-2018-10754.

Comment 10 Tomáš Hozza 🤓 2019-06-20 15:55:08 UTC

*** This bug has been marked as a duplicate of bug 1576823 ***


Note You need to log in before you can comment on or make changes to this bug.