Closed iskindar closed 1 year ago
Affected version:
Not affected version: < 0.5.3+git20220429-1
Introduced in
commit 419ca82d57c72242817b55e2eaa4cdbf6916e7fa (HEAD, refs/bisect/bad)
Author: Tatsuya Kinoshita @.***>
Date: 2022-12-20T21:16:48+09:00
Fix m17n backspace handling causes out-of-bounds write in checkType
[CVE-2022-38223]
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
Bug-Debian: https://github.com/tats/w3m/issues/242
In function checkType, in line 386, the plens pointer goes out of bounds. Garbage is assigned to plen; this garbage is subtracted from prop, and prop is later dereferenced, which leads to the SIGSEGV.
(The poc file is full of backspaces.)
From how I understand the code, plen is the length of the current (or previous?) character. In order to process backspace chars correctly over multi-char characters we store the length of each character in plens_buffer. When reaching a backspace we pop the last length from the array.
Now, if we get more backspace chars than we have characters processed, the pointer will go out of bounds.
Below is a fix which prevents the pointer from going out of bounds and sets plen to 0 when there is nothing left to process.
This also fixes "[BUG] Out of bound read in Strnew_size, Str.c:61" (#270).
diff --git a/etc.c b/etc.c index 128717b1..efcfab92 100644 --- a/etc.c +++ b/etc.c @@ -393,7 +393,8 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor) if (color) color -= plen;
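Review bot: the hunk as reproduced here carries only its header (`@@ -393,7 +393,8 @@`) and the context line `if (color) color -= plen;`; the one added line the header promises, presumably the bounds check on plens described above, is not visible, so the change cannot be reviewed from this excerpt. Please post the full diff or link the pull request. Since the description says the garbage plen is also subtracted from prop before prop is dereferenced, make sure the guard sits before that subtraction as well, not only in front of `color -= plen`.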
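To make the length-stack mechanism from the comment above concrete, here is a self-contained C model of it. This is an added example, not code from w3m, from the patch, or from anyone in this thread; the function and struct names, the `PLENS_MAX` size and the UTF-8 length helper are assumptions. It keeps the guarded pop (plen = 0 when nothing is left) and counts how many backspaces would have walked the pointer below `plens_buffer` in the unguarded form, which is the out-of-bounds access the report describes.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical, simplified model of the per-character length stack that
 * checkType() keeps for backspace handling (added example, not w3m's code).
 * Every character pushes its byte length onto plens_buffer; a backspace pops
 * the last length so the caller can step back over a multibyte character.
 * An unguarded `plen = *(--plens)` on every backspace lets a run of more
 * backspaces than pushed characters move plens below plens_buffer.
 */
#define PLENS_MAX 256   /* assumed stack size; w3m's real size is not stated on this page */

struct bs_result {
    int plen;           /* length of the character the last step covered; 0 when nothing was left */
    size_t depth;       /* entries still on the stack when the input ends */
    size_t underflows;  /* backspaces that found the stack empty: OOB reads in the unguarded code */
    size_t overflows;   /* pushes that would have run past plens_buffer (dropped here) */
};

/* Byte length of a UTF-8 sequence from its lead byte; invalid leads count as 1. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Guarded scan: plens never leaves [plens_buffer, plens_buffer + PLENS_MAX]. */
struct bs_result scan_backspaces(const unsigned char *s, size_t n)
{
    int plens_buffer[PLENS_MAX];
    int *plens = plens_buffer;
    int *plens_end = plens_buffer + PLENS_MAX;
    struct bs_result r = {0, 0, 0, 0};
    size_t i = 0;

    while (i < n) {
        if (s[i] == '\b') {
            if (plens > plens_buffer) {
                r.plen = *(--plens);   /* pop the length of the previous character */
            } else {
                r.plen = 0;            /* nothing left to step back over */
                r.underflows++;        /* unguarded code would read plens_buffer[-1] here */
            }
            i++;
            continue;
        }
        size_t len = utf8_seq_len(s[i]);
        if (len > n - i)
            len = n - i;               /* truncated trailing sequence: take what is there */
        if (plens < plens_end)
            *plens++ = (int)len;       /* push this character's length */
        else
            r.overflows++;             /* stack full; a real implementation must also guard this */
        r.plen = (int)len;
        i += len;
    }
    r.depth = (size_t)(plens - plens_buffer);
    return r;
}

int main(void)
{
    /* Constructed input: two ASCII characters followed by four backspaces. */
    const unsigned char poc[] = "ab\b\b\b\b";
    struct bs_result r = scan_backspaces(poc, sizeof poc - 1);
    printf("plen=%d depth=%zu underflows=%zu overflows=%zu\n",
           r.plen, r.depth, r.underflows, r.overflows);
    return 0;
}
```

The `underflows` counter is the interesting number: each unit is one backspace for which the unguarded form would have read (and later subtracted from prop) a value from outside the buffer.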
@rkta Could you please create a pull request?
On Wed, Jul 12, 2023 at 06:59:48AM -0700, Tatsuya Kinoshita wrote:
> @rkta Could you please create a pull request?
Fixed with https://github.com/tats/w3m/pull/273
This has received a separate CVE: CVE-2023-4255
On Fri, Dec 22, 2023 at 08:21:39AM -0800, Salvatore Bonaccorso wrote:
> This has received a separate CVE: CVE-2023-4255
Did you mean to add this to #282? It's not clear to me what the new CVE is about.
Hi, I think the fix for CVE-2022-38223 in 419ca82 is not complete, and it is still possible to trigger the same bug with a different PoC than the one in tats/w3m#242. The bug is an out-of-bounds write in checkType, etc.c:478.
Version
w3m latest commit 93ad5ee
How to reproduce
ubuntu 20.04 dockerized reproduce steps
Debian 11 dockerized reproduce steps
ASAN log
Platform
The bug was found by my fuzzer on Ubuntu 20.04.5. In addition, the bug can also be reproduced on Debian 11 with the default version of gcc.
PoC
Ubuntu: poc0.zip; Debian: poc0.zip
PS: The PoC is different from that of tats/w3m#242.