From: 乐泰
Subject: Bug: A heap-buffer-overflow in save_text of ncurses-6.1
Date: Sat, 1 Aug 2020 13:01:50 +0800 (GMT+08:00)

==12235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000000 at pc 0x00000044b4d4 bp 0x7ffcce3d9a90 sp 0x7ffcce3d9240
READ of size 5 at 0x619000000000 thread T0
#0 0x44b4d3 in __interceptor_strlen.part.30 /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284
#1 0x548bcb in save_text /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:139:20
#2 0x546526 in tparam_internal /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:610:3
#3 0x5452fe in tparm /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/lib_tparm.c:849:14
#4 0x553846 in set_attribute_9 /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/trim_sgr0.c:54:13
#5 0x552e74 in _nc_trim_sgr0 /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/trim_sgr0.c:244:13
#6 0x529888 in fmt_entry /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/dump_entry.c:1054:22
#7 0x52e827 in dump_entry /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/dump_entry.c:1514:10
#8 0x50b6a9 in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:1035:7
#9 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x41a029 in _start (/home/ubuntu/kxd_ncurses-6.1/ncurses-install/bin/tic+0x41a029)
0x619000000000 is located 128 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
freed by thread T0 here:
#0 0x4cfa95 in realloc /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
#1 0x53b297 in _nc_doalloc /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/doalloc.c:50:14
#2 0x5687ad in next_char /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:202:16
#3 0x566513 in _nc_get_token /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:396:18
#4 0x56cfe4 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:302:16
#5 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
#6 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
#7 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x4cf670 in malloc /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x53b30a in _nc_doalloc /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/doalloc.c:55:9
#2 0x5687ad in next_char /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:202:16
#3 0x566513 in _nc_get_token /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:396:18
#4 0x56a579 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:231:18
#5 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
#6 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
#7 0x7fb3333e3b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284 in __interceptor_strlen.part.30
Shadow bytes around the buggy address:
0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12235==ABORTING
Attachment: id:000332,sig:11,src:005647,op:havoc,rep:32 (Description: Binary data)