tats/w3m

[BUG] Out of bound read in Strnew_size , Str.c:61

iskindar opened this issue · 11 comments

Hello, I found an out-of-bounds read in w3m, in function Strnew_size, Str.c:61, while testing my new fuzzer.

Steps to reproduce

export CC=gcc
export CFLAGS="-fsanitize=address -g"
./configure && make -j
./w3m -dump $POC

Dockerized reproduction steps (recommended)

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure && make -j
wget https://github.com/tats/w3m/files/11905204/poc1.zip && unzip poc1.zip
./w3m -dump ./poc1

Platform

  • OS: Debian 11
$ cat /etc/issue
Debian GNU/Linux 11 \n \l
$ ./w3m -version 
w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
==85==The signal is caused by a READ memory access.
==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
    #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
    #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
    #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
    #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
    #5 0x5639c4f65a4d in main /w3m/main.c:1115
    #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
==85==ABORTING

POC

poc1.zip

Affected versions:

  • 0.5.3+git20230129
  • 0.5.3+git20230121-1
  • 0.5.3+git20230121-2

Not affected versions: < 0.5.3+git20220429-1

rkta commented

Is it read or write?

It is read. My fault.

Cannot reproduce.

Have you tried the dockerized reproduction steps? I tried it just now, and it worked.


I reduced the input file, which is poc1_trim.zip.
Maybe you can try it again? If you reproduce it successfully, you should see output similar to the one below.


Please tell me if it's still not available.

I tried to reproduce it on Debian stable but also failed. It seems this bug only occurs on some specific OS systems with this PoC.

rkta commented

Sorry for not making it clear before.

I can reproduce it on Debian 11 with the following command.

docker pull debian:11 && docker run -it debian:11 bash
## now step into the container
...
./w3m -dump ./poc1

Since you said that your Debian version is Debian stable in other issues, I tried to reproduce it on Debian stable with the following command just now but failed.

docker pull debian:stable && docker run -it debian:stable bash
## now step into the container
...
./w3m -dump ./poc1

Actually, the Debian stable in docker images is Debian 12.

$ cat /etc/issue
Debian GNU/Linux 12 \n \l

So the bug is reproducible on Debian 11 but not reproducible on Debian stable (12).
My test environment is Debian 11 as the initial report said.

rkta commented

Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here:
https://access.redhat.com/security/team/contact

rkta commented

On Thu, Jul 13, 2023 at 09:31:40AM -0700, Pedro Sampaio wrote:
> Assigned CVE-2023-38252 for this issue. If you wish to dispute please open a ticket here: https://access.redhat.com/security/team/contact

This is a READ violation, not write as the CVE states.

Fixed, thanks.

tats commented

Prevented with #273