Bug 1665510 (CVE-2019-5882) - CVE-2019-5882 irssi: Use-after-free when hidden lines were expired from the scroll buffer
Summary: CVE-2019-5882 irssi: Use-after-free when hidden lines were expired from the s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5882
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1665511 1667551
Blocks: 1665512
TreeView+ depends on / blocked
 
Reported: 2019-01-11 15:41 UTC by Andrej Nemec
Modified: 2021-10-27 03:19 UTC (History)
3 users (show)

Fixed In Version: irssi 1.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:19:58 UTC
Embargoed:


Attachments (Terms of Use)

Description Andrej Nemec 2019-01-11 15:41:49 UTC
Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer.

References:

https://github.com/irssi/irssi/pull/948
https://irssi.org/NEWS/#v1-1-2
https://irssi.org/security/irssi_sa_2019_01.txt

Comment 1 Andrej Nemec 2019-01-11 15:41:57 UTC
Created irssi tracking bugs for this issue:

Affects: fedora-all [bug 1665511]

Comment 2 Scott Gayou 2019-01-18 18:24:27 UTC
Managed to reproduce this, I think.

```
==7054== Memcheck, a memory error detector
==7054== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7054== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==7054== Command: irssi
==7054== Parent PID: 6978
==7054== 
==7055== 
==7055== HEAP SUMMARY:
==7055==     in use at exit: 1,166,438 bytes in 14,059 blocks
==7055==   total heap usage: 80,453 allocs, 66,394 frees, 3,467,880 bytes allocated
==7055== 
==7055== LEAK SUMMARY:
==7055==    definitely lost: 0 bytes in 0 blocks
==7055==    indirectly lost: 0 bytes in 0 blocks
==7055==      possibly lost: 346,002 bytes in 594 blocks
==7055==    still reachable: 820,436 bytes in 13,465 blocks
==7055==                       of which reachable via heuristic:
==7055==                         newarray           : 1,904 bytes in 60 blocks
==7055==         suppressed: 0 bytes in 0 blocks
==7055== Rerun with --leak-check=full to see details of leaked memory
==7055== 
==7055== For counts of detected and suppressed errors, rerun with: -v
==7055== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==7054== Invalid read of size 4
==7054==    at 0x142CC0: view_draw.part.7.constprop.11 (textbuffer-view.c:740)
==7054==    by 0x143049: view_draw (textbuffer-view.c:736)
==7054==    by 0x143049: textbuffer_view_redraw (textbuffer-view.c:1397)
==7054==    by 0x136EA6: mainwindows_redraw_dirty (mainwindows.c:661)
==7054==    by 0x144037: dirty_check.part.0 (irssi.c:128)
==7054==    by 0x12D71E: dirty_check (irssi.c:111)
==7054==    by 0x12D71E: main (irssi.c:328)
==7054==  Address 0x920d6b8 is 24 bytes inside a block of size 40 free'd
==7054==    at 0x4C3208C: free (vg_replace_malloc.c:540)
==7054==    by 0x628C551: g_free (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x62A4793: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x130137: remove_old_lines (gui-printtext.c:159)
==7054==    by 0x130137: sig_gui_printtext_finished (gui-printtext.c:276)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x16D34F: print_line (printtext.c:182)
==7054==    by 0x16DC5F: printformat_module_dest_charargs (printtext.c:80)
==7054==    by 0x16DCE7: printformat_module_dest_args (printtext.c:58)
==7054==    by 0x16DF5B: printformat_module_window_args (printtext.c:120)
==7054==  Block was alloc'd at
==7054==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==7054==    by 0x628C445: g_malloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x62A4066: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x13FA9E: textbuffer_line_create (textbuffer.c:195)
==7054==    by 0x13FA9E: textbuffer_line_insert (textbuffer.c:207)
==7054==    by 0x13FA9E: textbuffer_insert (textbuffer.c:362)
==7054==    by 0x130332: sig_gui_print_text (gui-printtext.c:259)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x168F3F: format_send_to_gui (formats.c:1250)
==7054==    by 0x16D4C0: sig_print_text (printtext.c:470)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x16D34F: print_line (printtext.c:182)
==7054== 
==7054== Invalid read of size 8
==7054==    at 0x142CE5: view_draw.part.7.constprop.11 (textbuffer-view.c:746)
==7054==    by 0x143049: view_draw (textbuffer-view.c:736)
==7054==    by 0x143049: textbuffer_view_redraw (textbuffer-view.c:1397)
==7054==    by 0x136EA6: mainwindows_redraw_dirty (mainwindows.c:661)
==7054==    by 0x144037: dirty_check.part.0 (irssi.c:128)
==7054==    by 0x12D71E: dirty_check (irssi.c:111)
==7054==    by 0x12D71E: main (irssi.c:328)
==7054==  Address 0x920d6a8 is 8 bytes inside a block of size 40 free'd
==7054==    at 0x4C3208C: free (vg_replace_malloc.c:540)
==7054==    by 0x628C551: g_free (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x62A4793: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x130137: remove_old_lines (gui-printtext.c:159)
==7054==    by 0x130137: sig_gui_printtext_finished (gui-printtext.c:276)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x16D34F: print_line (printtext.c:182)
==7054==    by 0x16DC5F: printformat_module_dest_charargs (printtext.c:80)
==7054==    by 0x16DCE7: printformat_module_dest_args (printtext.c:58)
==7054==    by 0x16DF5B: printformat_module_window_args (printtext.c:120)
==7054==  Block was alloc'd at
==7054==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==7054==    by 0x628C445: g_malloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x62A4066: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
==7054==    by 0x13FA9E: textbuffer_line_create (textbuffer.c:195)
==7054==    by 0x13FA9E: textbuffer_line_insert (textbuffer.c:207)
==7054==    by 0x13FA9E: textbuffer_insert (textbuffer.c:362)
==7054==    by 0x130332: sig_gui_print_text (gui-printtext.c:259)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x168F3F: format_send_to_gui (formats.c:1250)
==7054==    by 0x16D4C0: sig_print_text (printtext.c:470)
==7054==    by 0x1B4011: signal_emit_real (signals.c:242)
==7054==    by 0x1B4688: signal_emit_id (signals.c:304)
==7054==    by 0x16D34F: print_line (printtext.c:182)
==7054== 
==7054== 
==7054== HEAP SUMMARY:
==7054==     in use at exit: 645,795 bytes in 9,950 blocks
==7054==   total heap usage: 129,922 allocs, 119,972 frees, 6,797,792 bytes allocated
==7054== 
==7054== LEAK SUMMARY:
==7054==    definitely lost: 0 bytes in 0 blocks
==7054==    indirectly lost: 0 bytes in 0 blocks
==7054==      possibly lost: 272 bytes in 1 blocks
==7054==    still reachable: 645,523 bytes in 9,949 blocks
==7054==         suppressed: 0 bytes in 0 blocks
==7054== Rerun with --leak-check=full to see details of leaked memory
==7054== 
==7054== For counts of detected and suppressed errors, rerun with: -v
==7054== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
```

Vague steps to reproduce:



Run irssi in valgrind. Connect to a network, join a test channel you can auto gain operator in. Set settings to following:

/set scrollback_burst_remove 0
/set scrollback_lines 5
/set scrollback_time 0

Now, spam 10-15 lines. Next, set /window hidelevel topic

You should get this message:

Irssi: Window hidden level is now TOPICS HIDDEN

Now, set a bunch of topics, more than 5.

i.e.

/topic test1
/topic test2
/topic test3
/topic test4
/topic test5
/topic test6
/topic test7

I think this triggers the flaw. If it isn't working, try interspersing a few more real, not topic messages via chatting between the /topic sets.


Note You need to log in before you can comment on or make changes to this bug.