tats / w3m

Debian's w3m: WWW browsable pager
https://tracker.debian.org/pkg/w3m

[BUG] Out-of-bounds read in Strnew_size, Str.c:61 #270

Closed iskindar closed 1 year ago

iskindar commented 1 year ago

Hello, I found an out-of-bounds read in w3m, function Strnew_size, Str.c:61, while testing my new fuzzer.

Steps to reproduce

export CC=gcc
export CFLAGS="-fsanitize=address -g"
./configure && make -j
./w3m -dump $POC

Dockerized reproduce steps (recommended)

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905204/poc1.zip && unzip poc1.zip
./w3m -dump ./poc1

Platform

$ cat /etc/issue
Debian GNU/Linux 11 \n \l
$ ./w3m -version 
w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING

POC

poc1.zip
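As an added triage helper (not part of the issue or of w3m): parse the ASAN report above to pull out the error class, the access direction (the READ/WRITE point the thread keeps coming back to) and the first frame that lies in project code rather than in libgc. It also accepts the "READ/WRITE of size N" wording that shadow-memory reports such as heap-buffer-overflow use, which this SEGV report lacks. The report text is embedded inline, trimmed from the one quoted above; the /w3m/ source root is taken from the trace.

```python
import re

# Sample input: the ASAN report quoted in the issue, trimmed so this runs offline.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
# SEGV reports say "caused by a READ memory access"; shadow-memory reports say "READ of size N".
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access|^(READ|WRITE) of size \d+", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)\s*$", re.M)


def triage_asan(report, source_root="/w3m/"):
    """Extract the fields a triager needs from an ASAN report.

    kind: ASAN error class (SEGV, heap-buffer-overflow, ...); access: READ/WRITE or None.
    shadow_detected: False for SEGV, which is a raw signal rather than a shadow-memory hit,
    so an "out-of-bounds" label on such a report comes from the reporter, not from ASAN.
    top_frame: where the fault happened; first_project_frame: first frame under source_root.
    """
    m = ERROR_RE.search(report)
    kind = m.group(1) if m else None
    a = ACCESS_RE.search(report)
    access = (a.group(1) or a.group(2)) if a else None
    frames = [(int(n), fn, loc) for n, fn, loc in FRAME_RE.findall(report)]
    top = frames[0][1] if frames else None
    project = next(((fn, loc) for _, fn, loc in frames if loc.startswith(source_root)), None)
    return {
        "kind": kind,
        "access": access,
        "shadow_detected": kind is not None and kind != "SEGV",
        "top_frame": top,
        "first_project_frame": project,
    }


if __name__ == "__main__":
    print(triage_asan(ASAN_REPORT))
```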

iskindar commented 1 year ago

Affected version:

Not Affected version: < 0.5.3+git20220429-1

rkta commented 1 year ago

On Thu, Jun 29, 2023 at 04:40:34AM -0700, Zhijie Zhang wrote:

Hello, I found an out-of-bounds write in w3m, [Snip] ==85==The signal is caused by a READ memory access.

Is it read or write?

Cannot reproduce.

iskindar commented 1 year ago

Is it read or write?

It is read. My fault.

Cannot reproduce.

Have you tried the dockerized reproduction steps? I tried it just now, and it worked.

[screenshot]

I reduced the input file, which is poc1_trim.zip. Maybe you can try it again? If you reproduce it successfully, you may see output similar to the one below.

[screenshot]

Please tell me if it still isn't working.

iskindar commented 1 year ago

I tried to reproduce it on Debian stable but also failed. It seems this bug only occurs on some specific OS systems with this PoC.

rkta commented 1 year ago

On Mon, Jul 10, 2023 at 05:16:28AM -0700, Zhijie Zhang wrote:

I tried to reproduce it on Debian stable but failed. It seems this bug only occurs on some specific OS systems.

Then why does your initial report say that the OS is Debian 11? Please provide correct info about the test environment.

iskindar commented 1 year ago

Sorry for not making it clear before.

I can reproduce it on Debian 11 with the following command.

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
...
./w3m -dump ./poc1

Since you said that your Debian version is Debian stable in other issues, I tried to reproduce it on Debian stable with the following command just now but failed.

docker pull debian:stable && docker run -it debian:stable bash
## now step into the container
...
./w3m -dump ./poc1

Actually, the Debian stable in docker images is Debian 12.

$ cat /etc/issue
Debian GNU/Linux 12 \n \l

So the bug is reproducible on Debian 11 but not on Debian stable (12). My test environment is Debian 11, as the initial report said.

rkta commented 1 year ago

JFTR, I can reproduce it using docker with images debian:11 and debian:12.

I cannot reproduce it on my VPS with Debian 11 or Debian 12, nor on a laptop running Devuan GNU/Linux 4, which is a Debian 11 without systemd.

pedrohc commented 1 year ago

Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact

rkta commented 1 year ago

On Thu, Jul 13, 2023 at 09:31:40AM -0700, Pedro Sampaio wrote:

Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact

This is a READ violation, not write as the CVE states.

pedrohc commented 1 year ago

On Thu, Jul 13, 2023 at 09:31:40AM -0700, Pedro Sampaio wrote:

Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact

This is a READ violation, not write as the CVE states.

Fixed, thanks.

tats commented 1 year ago

Prevented with https://github.com/tats/w3m/pull/273