
[BUG] Out of bound read in Strnew_size , Str.c:61 #270

Closed
iskindar opened this issue Jun 29, 2023 · 11 comments

Comments

@iskindar

iskindar commented Jun 29, 2023

Hello, I found an out-of-bounds read in w3m, function Strnew_size , Str.c:61 while testing my new fuzzer.

Steps to reproduce

export CC=gcc
export CFLAGS="-fsanitize=address -g"
./configure && make -j
./w3m -dump $POC

Dockerized reproduction steps (recommended)

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905204/poc1.zip && unzip poc1.zip
./w3m -dump ./poc1

Platform

  • OS: Debian 11
$ cat /etc/issue
Debian GNU/Linux 11 \n \l
$ ./w3m -version 
w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING

POC

poc1.zip
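The ASAN report above already states the access direction (READ) and the first frame in w3m's own source, and the read-versus-write mix-up that comes up later in this thread is exactly what an automated triage step avoids. The following is an added example, not code from the w3m project or from the reporter: it extracts the error kind, access direction and size, and the innermost in-project frame from a sanitizer report. The first report is copied from this issue; the second, shorter one is constructed to show the `READ/WRITE of size N` header form; `project_root` is an assumed path prefix for the build tree.

```python
import re

# AddressSanitizer report for this issue, copied from the report above (the w3m build lives under /w3m/).
W3M_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING
"""

# Constructed sample (not from any real program) showing the other header form ASAN uses,
# where the access direction and size appear as "WRITE of size N". Paths and names are placeholders.
CONSTRUCTED_OVERFLOW_REPORT = """\
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x000000400b1c bp 0x7ffc1a2b3c40 sp 0x7ffc1a2b3c30
WRITE of size 1 at 0x602000000011 thread T0
    #0 0x400b1b in copy_bytes /app/copy.c:12
    #1 0x400c2a in main /app/main.c:30
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"\b(?P<dir>READ|WRITE)\b(?: of size (?P<size>\d+))?")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>.+)$")


def parse_asan_report(text, project_root="/w3m/"):
    """Pull the triage-relevant fields out of an ASAN report.

    Returns a dict with the error kind (SEGV, heap-buffer-overflow, ...), the access
    direction and size if ASAN printed them, the innermost frame, and the innermost
    frame whose source location lies under project_root (the project's own code,
    as opposed to libc or libgc).
    """
    kind = access = size = None
    frames = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            kind = m.group("kind")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("func"), m.group("loc")))
            continue
        m = ACCESS_RE.search(line)
        if m and access is None:  # only the first READ/WRITE statement describes the fault
            access = m.group("dir")
            size = int(m.group("size")) if m.group("size") else None
    project_frame = next((f for f in frames if f[1].startswith(project_root)), None)
    return {
        "kind": kind,
        "access": access,
        "size": size,
        "top_frame": frames[0] if frames else None,
        "project_frame": project_frame,
        "frames": len(frames),
    }


def summarize(text, project_root="/w3m/"):
    """One-line summary suitable for a bug title or an advisory description."""
    r = parse_asan_report(text, project_root)
    access = r["access"] or "unknown access"
    if r["size"] is not None:
        access += f" of size {r['size']}"
    func, loc = r["project_frame"] or r["top_frame"] or ("?", "?")
    return f"{r['kind']} ({access}) via {func} at {loc}"


if __name__ == "__main__":
    print(summarize(W3M_REPORT))
    print(summarize(CONSTRUCTED_OVERFLOW_REPORT, project_root="/app/"))
```

For the report in this issue the summary reads `SEGV (READ) via Strnew_size at /w3m/Str.c:61`: the crash is inside libgc, but the first frame under the project root is the one worth naming in a title. Taking the access direction from the report itself, rather than typing it by hand, is what keeps "read" and "write" from being swapped.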

@iskindar
Author

iskindar commented Jul 6, 2023

Affected versions:

  • 0.5.3+git20230129
  • 0.5.3+git20230121-1
  • 0.5.3+git20230121-2

Not affected versions: < 0.5.3+git20220429-1

@rkta
Contributor

rkta commented Jul 10, 2023 via email

@iskindar
Author

> Is it read or write?

It is read. My fault.

> Cannot reproduce.

Have you tried the dockerized reproduction steps? I tried it just now, and it worked.

[screenshot]

I reduced the input file, which is poc1_trim.zip.
Maybe you can try it again? If you reproduce it successfully, you may see output similar to the one below.

[screenshot]

Please tell me if it's still not available.

iskindar changed the title from "[BUG] Out of bound write in Strnew_size , Str.c:61" to "[BUG] Out of bound read in Strnew_size , Str.c:61" on Jul 10, 2023
@iskindar
Author

iskindar commented Jul 10, 2023

I tried to reproduce it on Debian stable but also failed. It seems this bug only occurs on some specific OS systems with this PoC.

@rkta
Contributor

rkta commented Jul 10, 2023 via email

@iskindar
Author

Sorry for not making it clear before.

I can reproduce it on Debian 11 with the following command.

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
...
./w3m -dump ./poc1

Since you said that your Debian version is Debian stable in other issues, I tried to reproduce it on Debian stable with the following command just now but failed.

docker pull debian:stable && docker run -it debian:stable bash
## now step into the container
...
./w3m -dump ./poc1

Actually, the Debian stable in docker images is Debian 12.

$ cat /etc/issue
Debian GNU/Linux 12 \n \l

So the bug is reproducible on Debian 11 but not reproducible on Debian stable (12).
My test environment is Debian 11 as the initial report said.

@rkta
Contributor

rkta commented Jul 11, 2023 via email

@pedrohc

pedrohc commented Jul 13, 2023

Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here:
https://access.redhat.com/security/team/contact

@rkta
Contributor

rkta commented Jul 14, 2023 via email

@pedrohc

pedrohc commented Jul 14, 2023

> On Thu, Jul 13, 2023 at 09:31:40AM -0700, Pedro Sampaio wrote: Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact
> This is a READ violation, not write as the CVE states.

Fixed, thanks.

@tats
Owner

tats commented Jul 18, 2023

Prevented with #273

@tats tats closed this as completed Jul 18, 2023