
[BUG] Out-of-bound read in growbuf_to_Str , indep.c:441 #271

Closed
iskindar opened this issue Jun 29, 2023 · 3 comments

Comments

@iskindar

iskindar commented Jun 29, 2023

Hello, I found an out-of-bound read in w3m, function growbuf_to_Str , indep.c:61 while testing my new fuzzer.

Steps to reproduce

docker pull ubuntu:20.04 && docker run -it ubuntu:20.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905598/poc2.zip && unzip poc2.zip
./w3m -dump ./poc2

Platform

  • OS: ubuntu 20.04 (not reproducible on Debian 11)
$ cat /etc/issue
Ubuntu 20.04.6 LTS \n \l
$ ./w3m -version 
w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1f28b1e6c3 bp 0x7f1f28b39350 sp 0x7ffc233d2460 T0)
==6186==The signal is caused by a READ memory access.
==6186==Hint: address points to the zero page.
    #0 0x7f1f28b1e6c2 in GC_generic_malloc_inner (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2)
    #1 0x7f1f28b1fc08 in GC_generic_malloc_many (/lib/x86_64-linux-gnu/libgc.so.1+0x16c08)
    #2 0x7f1f28b2b81c in GC_malloc_kind (/lib/x86_64-linux-gnu/libgc.so.1+0x2281c)
    #3 0x560b5fb95165 in growbuf_to_Str /w3m/indep.c:794
    #4 0x560b5fb8c911 in StrISgets2 /w3m/istream.c:238
    #5 0x560b5fac5a5c in loadBuffer /w3m/file.c:7693
    #6 0x560b5faeac5b in loadSomething /w3m/file.c:232
    #7 0x560b5faeac5b in loadGeneralFile /w3m/file.c:2288
    #8 0x560b5fa88807 in main /w3m/main.c:1061
    #9 0x7f1f2890b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x560b5fa8c56d in _start (/w3m/w3m+0xb256d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2) in GC_generic_malloc_inner
==6186==ABORTING

POC

poc2.zip

@iskindar
Author

iskindar commented Jul 6, 2023

Affected versions:

  • 0.5.3+git20230129
  • 0.5.3+git20230121-1
  • 0.5.3+git20230121-2

Not affected versions: < 0.5.3+git20220429-1

@iskindar iskindar changed the title [BUG] Out-of-bound write in growbuf_to_Str , indep.c:441 [BUG] Out-of-bound read in growbuf_to_Str , indep.c:441 Jul 10, 2023
@pedrohc

pedrohc commented Jul 13, 2023

Assigned CVE-2023-38253 for this issue. If you wish to dispute please open a ticket here:
https://access.redhat.com/security/team/contact

@tats
Owner

tats commented Jul 18, 2023

Prevented with #273

@tats tats closed this as completed Jul 18, 2023