Heap UAF in w3m
w3m heap-use-after-free
Hello, w3m developers!
I found a heap-use-after-free in w3m.
Please confirm.
Thanks!
Test Environment
Ubuntu 20.04, 64 bit w3m (version: w3m-0.5.3-git20220429;)
How to trigger
Compile the program with AddressSanitizer
Run command $ ./w3m -dump_source -halfload http://127.0.0.1
Details
ASAN report
$./w3m -dump_source -halfload http://127.0.0.1
=================================================================
==638360==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001cd0 at pc 0x555555769584 bp 0x7fffffffd580 sp 0x7fffffffd570
READ of size 8 at 0x606000001cd0 thread T0
#0 0x555555769583 in ISclose /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:190
#1 0x555555649a65 in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:2288
#2 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
#3 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308
#4 0x555555605e2d in _start (/home/root/w3m/sourcecode/w3m-0.5.3-git20220429/install/bin/w3m+0xb1e2d)
0x606000001cd0 is located 48 bytes inside of 56-byte region [0x606000001ca0,0x606000001cd8)
freed by thread T0 here:
#0 0x7ffff768240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x555555777766 in xfree /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/indep.c:742
#2 0x5555557696a7 in ISclose /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:199
#3 0x555555678941 in file_feed /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6338
#4 0x555555677ce9 in HTMLlineproc2body /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:5645
#5 0x555555678985 in HTMLlineproc3 /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6348
#6 0x555555680e1c in loadHTMLstream /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:7316
#7 0x55555567df09 in loadHTMLBuffer /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6922
#8 0x5555556380b5 in loadSomething /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:230
#9 0x555555649a1a in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:2286
#10 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
#11 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7ffff7682c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x5555557776e6 in xrealloc /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/indep.c:729
#2 0x555555768d4e in newInputStream /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:100
#3 0x555555734ecf in openURL /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/url.c:2000
#4 0x555555644b0f in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:1752
#5 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
#6 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:190 in ISclose
Shadow bytes around the buggy address:
0x0c0c7fff8340: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff8350: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8360: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8370: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff8380: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c7fff8390: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa
0x0c0c7fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==638360==ABORTING
Here is my compilation command:
1. mkdir install
2. CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --prefix=`pwd`/install
3. make
4. make install
I can reproduce the bug through the following command:
$ ./w3m -dump_source -halfload http://127.0.0.1
And I also reproduced the bug in the latest version: 0.5.3-git20210102-deb11u1
Please confirm.
Thanks!
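Reading the two stacks in the report together: the 56-byte stream object is freed inside ISclose when file_feed closes the stream at the end of the half-loaded body (istream.c:199), and loadGeneralFile then calls ISclose on the same pointer (file.c:2288), which reads the freed object at istream.c:190. The following is an added example, not w3m's code and not its fix; the struct, its fields, and the function names are assumptions. It shows the close-through-owner-slot pattern in which a close takes the owner's pointer slot, frees at most once, and nulls the slot, so that a second close on the same slot becomes a no-op instead of a read after free.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stream object standing in for the istream freed in the
 * trace above; the field names are assumptions, not w3m's istream.c. */
typedef struct {
    char  *buf;
    size_t len;
    size_t pos;
} input_stream;

/* Hypothetical loader context: holds the one stream pointer that both
 * the feed callback and the top-level loader want to close. */
typedef struct {
    input_stream *stream;
    int           closes_done;   /* frees actually performed */
} loader_ctx;

input_stream *stream_open(const char *data)
{
    input_stream *s = malloc(sizeof *s);
    if (s == NULL)
        return NULL;
    s->len = strlen(data);
    s->buf = malloc(s->len + 1);
    if (s->buf == NULL) {
        free(s);
        return NULL;
    }
    memcpy(s->buf, data, s->len + 1);
    s->pos = 0;
    return s;
}

/* Hardened close: takes the owner's slot, frees at most once, and nulls
 * the slot so a later close on the same slot is a harmless no-op rather
 * than the READ-after-free the report shows at istream.c:190. */
int stream_close(input_stream **slot)
{
    if (slot == NULL || *slot == NULL)
        return 0;                 /* already closed: nothing to do */
    free((*slot)->buf);
    free(*slot);
    *slot = NULL;
    return 1;
}

/* Stands in for file_feed(): consume part of the input, then close the
 * stream early, as the halfload path in the trace does. */
int feed_half(loader_ctx *ctx)
{
    input_stream *s = ctx->stream;
    if (s == NULL)
        return 0;
    s->pos = s->len / 2;          /* pretend half the body was rendered */
    ctx->closes_done += stream_close(&ctx->stream);
    return 1;
}

/* Stands in for the close at the end of loadGeneralFile(): with a raw
 * dangling pointer this would be the second free; with the nulled slot
 * it does nothing. */
void loader_finish(loader_ctx *ctx)
{
    ctx->closes_done += stream_close(&ctx->stream);
}

/* Runs the two-close sequence and returns how many frees happened. */
int run_halfload_scenario(void)
{
    /* constructed sample input, not a real HTTP response */
    loader_ctx ctx = { stream_open("<html><body>hello</body></html>"), 0 };
    if (ctx.stream == NULL)
        return -1;
    feed_half(&ctx);
    loader_finish(&ctx);
    return ctx.closes_done;       /* 1: the second close was skipped */
}

int main(void)
{
    return run_halfload_scenario() == 1 ? 0 : 1;
}
```

Built with -fsanitize=address, the same scenario with a close that takes a raw pointer and never clears the caller's copy would report a heap-use-after-free on the second close; with the slot-clearing close, ASAN stays quiet and the count of performed frees is exactly one.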
I tried % ./w3m -dump_source -halfload http://localhost.
And I can also get the same bug.
Is it because we're compiling differently?
I just found the option in the source code. The option assigns "w3m_dump" and "w3m_halfload".
Could you reproduce the bug?
And if no, what’s your output?
Yes. I missed the detail of running locally.
Thank you for your reply!
We mentioned this missing option at #260.
We hope you can repair the help document or man page as well.
Thank you!
I get it.
Thank you for your timely reply!