tats / w3m

Debian's w3m: WWW browsable pager
https://tracker.debian.org/pkg/w3m

[BUG] Out-of-bound read in growbuf_to_Str, indep.c:441 #271

Closed iskindar closed 1 year ago

iskindar commented 1 year ago

Hello, I found an out-of-bounds read in w3m, function growbuf_to_Str, indep.c:61, while testing my new fuzzer.

Steps to reproduce

docker pull ubuntu:20.04 && docker run -it ubuntu:20.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905598/poc2.zip && unzip poc2.zip
./w3m -dump ./poc2

Platform

$ cat /etc/issue
Ubuntu 20.04.6 LTS \n \l
$ ./w3m -version 
w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1f28b1e6c3 bp 0x7f1f28b39350 sp 0x7ffc233d2460 T0)
==6186==The signal is caused by a READ memory access.
==6186==Hint: address points to the zero page.
    #0 0x7f1f28b1e6c2 in GC_generic_malloc_inner (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2)
    #1 0x7f1f28b1fc08 in GC_generic_malloc_many (/lib/x86_64-linux-gnu/libgc.so.1+0x16c08)
    #2 0x7f1f28b2b81c in GC_malloc_kind (/lib/x86_64-linux-gnu/libgc.so.1+0x2281c)
    #3 0x560b5fb95165 in growbuf_to_Str /w3m/indep.c:794
    #4 0x560b5fb8c911 in StrISgets2 /w3m/istream.c:238
    #5 0x560b5fac5a5c in loadBuffer /w3m/file.c:7693
    #6 0x560b5faeac5b in loadSomething /w3m/file.c:232
    #7 0x560b5faeac5b in loadGeneralFile /w3m/file.c:2288
    #8 0x560b5fa88807 in main /w3m/main.c:1061
    #9 0x7f1f2890b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x560b5fa8c56d in _start (/w3m/w3m+0xb256d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2) in GC_generic_malloc_inner
==6186==ABORTING

POC

poc2.zip
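
As an added triage helper (not part of this issue or of w3m), the following parses the ASAN report above to pull out the fault type, the access kind, and the first frame inside w3m's own sources, which is what a crash bucket should key on rather than the allocator frame at the top of the stack. The /w3m/ source root is assumed from the paths in the trace.

```python
import re

# Constructed sample input: the ASAN report from this issue, embedded so the
# helper runs offline. Frames #9 and #10 (libc/_start) are omitted.
SAMPLE_REPORT = """AddressSanitizer:DEADLYSIGNAL
==6186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1f28b1e6c3 bp 0x7f1f28b39350 sp 0x7ffc233d2460 T0)
==6186==The signal is caused by a READ memory access.
==6186==Hint: address points to the zero page.
    #0 0x7f1f28b1e6c2 in GC_generic_malloc_inner (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2)
    #1 0x7f1f28b1fc08 in GC_generic_malloc_many (/lib/x86_64-linux-gnu/libgc.so.1+0x16c08)
    #2 0x7f1f28b2b81c in GC_malloc_kind (/lib/x86_64-linux-gnu/libgc.so.1+0x2281c)
    #3 0x560b5fb95165 in growbuf_to_Str /w3m/indep.c:794
    #4 0x560b5fb8c911 in StrISgets2 /w3m/istream.c:238
    #5 0x560b5fac5a5c in loadBuffer /w3m/file.c:7693
    #6 0x560b5faeac5b in loadSomething /w3m/file.c:232
    #7 0x560b5faeac5b in loadGeneralFile /w3m/file.c:2288
    #8 0x560b5fa88807 in main /w3m/main.c:1061
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgc.so.1+0x156c2) in GC_generic_malloc_inner
==6186==ABORTING
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")


def triage(report, src_root="/w3m/"):
    """Summarise an ASAN report for crash bucketing (dict of plain values)."""
    m = ERROR_RE.search(report)
    if m is None:
        raise ValueError("not an ASAN error report")
    kind, addr = m.group(1), int(m.group(2), 16)
    access = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = [(f.group(1), f.group(2))
              for f in map(FRAME_RE.match, report.splitlines()) if f]
    # The first frame inside the project's own sources is where the bad
    # pointer originated; the allocator frame on top is only where it blew up.
    own = next((fr for fr in frames if fr[1].startswith(src_root)), None)
    return {
        "kind": kind,
        "access": access.group(1) if access else None,
        # SEGV on a zero-page address is a null or near-null dereference.
        "null_deref": kind == "SEGV" and addr < 0x1000,
        "crash_frame": frames[0] if frames else None,
        "project_frame": own,
        "bucket": (f"{kind}:{own[0]}:{own[1]}" if own
                   else f"{kind}:{frames[0][0] if frames else 'unknown'}"),
    }
```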

iskindar commented 1 year ago

Affected version:

Not Affected version: < 0.5.3+git20220429-1

pedrohc commented 1 year ago

Assigned CVE-2023-38253 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact

tats commented 1 year ago

Prevented with https://github.com/tats/w3m/pull/273