heap-buffer-overflow in shiftAnchorPosition
kcwu opened this issue · 3 comments
kcwu commented
input (`xxd cases/tats-w3m-200`)

```
00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c <table>0<br <>0<
00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465 xmp>..<div><inte
00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420 Rnal><input_alt
00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30 fid=0><dl>0<dl>0
00000040: 3c62 7574 746f 6e20 7661 6c75 653d 2722 <button value='"
00000050: 3e30 3030 3030 3030 3030 3030 3030 3030 >000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000070: 3030 3030 3030 3030 30ff 3030 3027 3e3c 000000000.000'><
00000080: 4120 6873 6571 3d2d 3930 2068 7265 663d A hseq=-90 href=
00000090: 3e30 3c68 5220 616c 6967 6e3d 6d69 6464 >0<hR align=midd
000000a0: 6c65 3e le>
```
How to reproduce:

```
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 ./w3m-tats.asan -T text/html -dump cases/tats-w3m-200
```
stderr:
```
=================================================================
==91135==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000007ec at pc 0x0000006b8747 bp 0x7ffc85f91ca0 sp 0x7ffc85f91c98
READ of size 4 at 0x6130000007ec thread T0
    #0 0x6b8746 in shiftAnchorPosition /fuzzing-w3m/targets/w3m-tats/anchor.c:555:38
    #1 0x611e91 in formUpdateBuffer /fuzzing-w3m/targets/w3m-tats/form.c:502:3
    #2 0x6130d5 in formResetBuffer /fuzzing-w3m/targets/w3m-tats/form.c:271:2
    #3 0x5302d9 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6928:2
    #4 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #5 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #6 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #7 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #8 0x420a89 in _start (/w3m-tats.asan+0x420a89)

0x6130000007ec is located 172 bytes inside of 382-byte region [0x613000000740,0x6130000008be)
freed by thread T0 here:
    #0 0x49ae19 in realloc (/w3m-tats.asan+0x49ae19)
    #1 0x5712e3 in HTMLlineproc2body /fuzzing-w3m/targets/w3m-tats/file.c:5675:6
    #2 0x570a7e in HTMLlineproc2 /fuzzing-w3m/targets/w3m-tats/file.c:6336:5
    #3 0x57f9f2 in loadHTMLstream /fuzzing-w3m/targets/w3m-tats/file.c:7431:5
    #4 0x5300e8 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6922:5
    #5 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #6 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #7 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #8 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x49ae19 in realloc (/w3m-tats.asan+0x49ae19)
    #1 0x5712e3 in HTMLlineproc2body /fuzzing-w3m/targets/w3m-tats/file.c:5675:6
    #2 0x570a7e in HTMLlineproc2 /fuzzing-w3m/targets/w3m-tats/file.c:6336:5
    #3 0x57f9f2 in loadHTMLstream /fuzzing-w3m/targets/w3m-tats/file.c:7431:5
    #4 0x5300e8 in loadHTMLBuffer /fuzzing-w3m/targets/w3m-tats/file.c:6922:5
    #5 0x533654 in loadSomething /fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #6 0x524fb6 in loadGeneralFile /fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #7 0x4cf6d6 in main /fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #8 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /fuzzing-w3m/targets/w3m-tats/anchor.c:555:38 in shiftAnchorPosition
Shadow bytes around the buggy address:
  0x0c267fff80a0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c267fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c267fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c267fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8110: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c267fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==91135==ABORTING
```
This is detected with the help of a dummy libgc wrapper. See https://github.com/kcwu/fuzzing-w3m/tree/master/notgc for details.
For more details on how to reproduce, please see https://github.com/kcwu/fuzzing-w3m
For your convenience,
gdb line:

```
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-200
```
Found by afl++.
kcwu commented
This heap-buffer-overflow (wild pointer) is also in shiftAnchorPosition; probably related?

input (`xxd cases/tats-w3m-200.2`)

```
00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c <table>0<br <>0<
00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465 xmp>..<div><inte
00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420 Rnal><input_alt
00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30 fid=0><dl>0<dl>0
00000040: 3c62 7574 746f 6e3e 3c41 2068 7365 713d <button><A hseq=
00000050: 2d39 3020 6872 6566 3d3e 30 -90 href=>0
```
rkta commented
On Wed, Oct 13, 2021 at 08:28:56PM -0700, Kuang-che Wu wrote:
> input (`xxd cases/tats-w3m-200`)
>
> ```
> 00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c <table>0<br <>0<
> 00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465 xmp>..<div><inte
> 00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420 Rnal><input_alt
> 00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30 fid=0><dl>0<dl>0
> 00000040: 3c62 7574 746f 6e20 7661 6c75 653d 2722 <button value='"
> 00000050: 3e30 3030 3030 3030 3030 3030 3030 3030 >000000000000000
> 00000060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
> 00000070: 3030 3030 3030 3030 30ff 3030 3027 3e3c 000000000.000'><
> 00000080: 4120 6873 6571 3d2d 3930 2068 7265 663d A hseq=-90 href=
> 00000090: 3e30 3c68 5220 616c 6967 6e3d 6d69 6464 >0<hR align=midd
> 000000a0: 6c65 3e le>
> ```
>
> [...]
>
> ```
> =================================================================
> ==91135==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000007ec at pc 0x0000006b8747 bp 0x7ffc85f91ca0 sp 0x7ffc85f91c98
> READ of size 4 at 0x6130000007ec thread T0
>     #0 0x6b8746 in shiftAnchorPosition /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/anchor.c:555:38
>     #1 0x611e91 in formUpdateBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/form.c:502:3
>     #2 0x6130d5 in formResetBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/form.c:271:2
>     #3 0x5302d9 in loadHTMLBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6928:2
>     #4 0x533654 in loadSomething /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:229:16
>     #5 0x524fb6 in loadGeneralFile /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:2286:6
>     #6 0x4cf6d6 in main /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/main.c:1048:12
>     #7 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16
>     #8 0x420a89 in _start (/w3m-tats.asan+0x420a89)
> ```
This is misleading. This is not a use-after-free but an out-of-bounds read.

The 'hseq=-90' from the input ends up as the value (89 actually) of 'a->hseq' in 'anchor.c:555'. Then 'hl->marks[a->hseq]' is out of bounds, as there are only 30 entries in this list.

Changing the input to something like 'hseq=-20' does not give any errors.
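A simplified model of the access rkta describes, added here as an example; it is not code from this issue or from w3m. Only the field names in `hl->marks[a->hseq]`, the list size of 30 and the observed values (-90 becomes index 89, -20 gives no error) come from the thread. The struct names, `parse_hseq()` and the `-hseq - 1` mapping in `hseq_to_index()` are assumptions made for the example and have not been checked against w3m's source. The point it shows is why ASan's label is misleading: the sanitizer classifies a bad access by where the address happens to land (here, inside a freed chunk), so an index that is merely out of range of `marks[]` is reported as a heap-use-after-free. The fix pattern is a range check against the list length at the use site, shown beside the unchecked form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the structures behind hl->marks[a->hseq]. Struct names are
 * assumptions for this example, not w3m's definitions. */
typedef struct { int line; int pos; } BufferPoint;
typedef struct { BufferPoint *marks; int nmark; } HmarkerList;
typedef struct { BufferPoint start; int hseq; } Anchor;

#define NMARK 30  /* the comment says the list has only 30 entries */

/* Parse the integer in an attribute such as "hseq=-90" (assumed helper).
 * Returns 1 on success, 0 if there is no '=' or no complete integer. */
int parse_hseq(const char *attr, int *out)
{
    const char *eq = strchr(attr, '=');
    char *end;
    long v;

    if (eq == NULL)
        return 0;
    v = strtol(eq + 1, &end, 10);
    if (end == eq + 1 || *end != '\0')
        return 0;
    *out = (int)v;
    return 1;
}

/* Mapping of a negative attribute value to the index that reaches marks[].
 * Inferred from the comment (-90 ends up as 89); an assumption, not verified. */
int hseq_to_index(int hseq)
{
    return hseq < 0 ? -hseq - 1 : hseq;
}

/* Vulnerable pattern: the index comes straight from the document and is used
 * without comparing it to nmark. Only valid if the caller knows it is in range. */
BufferPoint *mark_unchecked(HmarkerList *hl, Anchor *a)
{
    return &hl->marks[a->hseq];
}

/* Hardened pattern: reject any index outside [0, nmark). */
BufferPoint *mark_checked(HmarkerList *hl, Anchor *a)
{
    if (hl == NULL || hl->marks == NULL)
        return NULL;
    if (a->hseq < 0 || a->hseq >= hl->nmark)
        return NULL;
    return &hl->marks[a->hseq];
}

/* Feed one attribute through the model. Returns 1 if the checked lookup
 * rejects it, 0 if it is accepted, -1 if the attribute does not parse. */
int classify_hseq(const char *attr)
{
    BufferPoint marks[NMARK];
    HmarkerList hl = { marks, NMARK };
    Anchor a;
    int hseq;

    if (!parse_hseq(attr, &hseq))
        return -1;
    memset(marks, 0, sizeof marks);
    a.start.line = 0;
    a.start.pos = 0;
    a.hseq = hseq_to_index(hseq);
    return mark_checked(&hl, &a) == NULL ? 1 : 0;
}

/* Bytes past the end of a 30-entry marks[] at which the unchecked read would
 * start; 0 if in bounds, -1 if the attribute does not parse. */
long unchecked_overrun_bytes(const char *attr)
{
    int hseq, idx;

    if (!parse_hseq(attr, &hseq))
        return -1;
    idx = hseq_to_index(hseq);
    if (idx >= 0 && idx < NMARK)
        return 0;
    return (long)(idx - NMARK) * (long)sizeof(BufferPoint);
}

/* For an in-range index both lookups must yield the same element. */
int checked_matches_unchecked(int idx)
{
    BufferPoint marks[NMARK];
    HmarkerList hl = { marks, NMARK };
    Anchor a = { { 0, 0 }, idx };

    memset(marks, 0, sizeof marks);
    return mark_checked(&hl, &a) == mark_unchecked(&hl, &a);
}

int main(void)
{
    const char *inputs[] = { "hseq=-90", "hseq=-20", "hseq=5", "hseq=30" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-9s -> %s, unchecked read starts %ld bytes past marks[]\n",
               inputs[i], classify_hseq(inputs[i]) == 1 ? "rejected" : "accepted",
               unchecked_overrun_bytes(inputs[i]));
    return 0;
}
```

With this model, `hseq=-90` is rejected and `hseq=-20` accepted, matching what rkta observed. Whether the check belongs in `shiftAnchorPosition` or earlier, where `hseq` is assigned from the tag, is a question for the w3m maintainers; either way the index must be compared to the list length before `marks[]` is indexed.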