bug-ncurses

Reporting Security Violations in Software Package


From: Yao Shuangjie
Subject: Reporting Security Violations in Software Package
Date: Wed, 12 Mar 2025 14:59:07 +0000

Dear maintainers,

We are cybersecurity researchers from the Hong Kong University of Science and Technology. We found several security violations of undefined behaviors and memory leaks in GNU ncurses 6.5 using our novel symbolic execution technique several months ago. The details are shown below.

../../ncurses/tinfo/comp_scan.c:142:15: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
    #0 0x566de3 in last_char /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:142:15
    #1 0x564f01 in _nc_get_token /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:511:27
    #2 0x567faa in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:297:18
    #3 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #4 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #5 0x7f7273544d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f7273544e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x41f474 in _start (/root/projects/ncurses-6.5/obj-san/progs/tic+0x41f474)

==2580471==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 3312 byte(s) in 1 object(s) allocated from:
    #0 0x49c35d in __interceptor_malloc (/root/projects/ncurses-6.5/obj-san/progs/tic+0x49c35d)
    #1 0x541e89 in _nc_init_termtype /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/read_entry.c:245:2
    #2 0x59302a in _nc_init_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/alloc_entry.c:81:5
    #3 0x567fcc in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:304:5
    #4 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #5 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #6 0x7f7addc50d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Direct leak of 156 byte(s) in 1 object(s) allocated from:
    #0 0x49c35d in __interceptor_malloc (/root/projects/ncurses-6.5/obj-san/progs/tic+0x49c35d)
    #1 0x541dcc in _nc_init_termtype /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/read_entry.c:243:2
    #2 0x59302a in _nc_init_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/alloc_entry.c:81:5
    #3 0x567fcc in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:304:5
    #4 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #5 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #6 0x7f7addc50d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Direct leak of 44 byte(s) in 1 object(s) allocated from:
    #0 0x49c35d in __interceptor_malloc (/root/projects/ncurses-6.5/obj-san/progs/tic+0x49c35d)
    #1 0x541d16 in _nc_init_termtype /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/read_entry.c:241:2
    #2 0x59302a in _nc_init_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/alloc_entry.c:81:5
    #3 0x567fcc in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:304:5
    #4 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #5 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #6 0x7f7addc50d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

../../ncurses/tinfo/comp_scan.c:285:26: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned long'
    #0 0x56659d in next_char /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:285:26
    #1 0x564184 in _nc_panic_mode /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:1044:10
    #2 0x564184 in _nc_get_token /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:482:6
    #3 0x56852f in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:366:23
    #4 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #5 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #6 0x7f5841b36d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f5841b36e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x41f474 in _start (/root/projects/ncurses-6.5/obj-san/progs/tic+0x41f474)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../ncurses/tinfo/comp_scan.c:285:26 in

../../ncurses/tinfo/comp_scan.c:285:15: runtime error: addition of unsigned offset to 0x619000000082 overflowed to 0x619000000081
    #0 0x5665b2 in next_char /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:285:15
    #1 0x564184 in _nc_panic_mode /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:1044:10
    #2 0x564184 in _nc_get_token /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_scan.c:482:6
    #3 0x56852f in _nc_parse_entry /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/parse_entry.c:366:23
    #4 0x55fa6b in _nc_read_entry_source /root/projects/ncurses-6.5/obj-san/ncurses/../../ncurses/tinfo/comp_parse.c:236:6
    #5 0x4cf472 in main /root/projects/ncurses-6.5/obj-san/progs/../../progs/tic.c:983:5
    #6 0x7f5841b36d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f5841b36e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x41f474 in _start (/root/projects/ncurses-6.5/obj-san/progs/tic+0x41f474)


Best regards,

Shuangjie
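The two "unsigned integer overflow: 0 - 1" reports above (comp_scan.c:142:15 in last_char and comp_scan.c:285:26 in next_char) describe the pattern of forming `len - 1` on a `size_t` before checking that `len` is non-zero. Two triage points are worth keeping in mind: wraparound of unsigned types is defined behaviour in C, and UBSan only reports it under clang's opt-in `-fsanitize=unsigned-integer-overflow` check, so the security-relevant question is whether the wrapped value is then used as an index or pointer offset. The separate report at comp_scan.c:285:15 ("addition of unsigned offset to 0x619000000082 overflowed to 0x619000000081") shows exactly that on the same source line, which is why the pair deserves a bounds review rather than being dismissed as a sanitizer false positive. The program below is an added, constructed example written for this page; it is not ncurses code and the helper names `last_index_unguarded` and `last_char_guarded` are hypothetical. It places the unguarded computation beside a guarded last-character lookup that never forms `len - 1` for an empty buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not ncurses code.  Both helpers deal with the
 * "last character of a buffer scanned from its end" idiom; the difference
 * is what happens when the buffer is empty (len == 0). */

/* Unguarded: computes len - 1 before checking len.  For len == 0 the
 * subtraction wraps to SIZE_MAX.  This is defined behaviour for unsigned
 * types in C, but clang's opt-in -fsanitize=unsigned-integer-overflow
 * reports it as "unsigned integer overflow: 0 - 1".  A caller that used
 * the result as an index would read far outside the buffer; this helper
 * only returns the index, so the wrap is observable without any memory
 * access. */
size_t last_index_unguarded(size_t len)
{
    return len - 1;
}

/* Guarded: the loop condition guarantees len > 0 before len - 1 is ever
 * formed.  Skips trailing blanks and returns the last non-blank character
 * as an int, or '\0' for an empty or all-blank buffer. */
int last_char_guarded(const char *buf, size_t len)
{
    while (len > 0) {
        char c = buf[len - 1];   /* len > 0 here, so the index is in range */
        if (c != ' ' && c != '\t' && c != '\n')
            return (unsigned char)c;
        len--;
    }
    return '\0';
}

int main(void)
{
    /* Build with:
     *   clang -g -fsanitize=undefined,unsigned-integer-overflow demo.c
     * The first call below is the one the sanitizer flags; the guarded
     * calls produce no report for any input length, including zero. */
    printf("unguarded index for len 0: %zu\n", last_index_unguarded(0));
    printf("last char of \"abc  \\n\": '%c'\n",
           last_char_guarded("abc  \n", 6));
    printf("last char of \"\": %d\n", last_char_guarded("", 0));
    return 0;
}
```

The guarded form is the usual fix for this class of report: move the emptiness check ahead of the decrement so the subtraction is only evaluated when it cannot wrap. The same shape applies to a scanner that steps back one position with `p + (len - 1)`, which is the pointer-offset variant the second pair of reports shows.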

