From: 乐泰
Subject: Bug: A global-buffer-overflow in infotocap of ncurses-6.1
Date: Sat, 1 Aug 2020 12:35:54 +0800 (GMT+08:00)
==4064==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005bf7be at pc 0x000000537e97 bp 0x7ffdfccb24d0 sp 0x7ffdfccb24c8
READ of size 2 at 0x0000005bf7be thread T0
#0 0x537e96 in _nc_find_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_hash.c:66:9
#1 0x5263eb in nametrans /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/dump_entry.c:174:15
#2 0x510850 in put_translate /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:338:16
#3 0x50b664 in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:1030:5
#4 0x7f047d28ab96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a029 in _start (/home/ubuntu/kxd_ncurses-6.1/ncurses-install/bin/tic+0x41a029)
0x0000005bf7be is located 2 bytes to the left of global variable '_nc_info_hash_table' defined in '../ncurses/comp_captab.c:585:24' (0x5bf7c0) of size 1990
0x0000005bf7be is located 504 bytes to the right of global variable '_nc_cap_hash_table' defined in '../ncurses/comp_captab.c:2145:24' (0x5bee00) of size 1990
SUMMARY: AddressSanitizer: global-buffer-overflow /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_hash.c:66:9 in _nc_find_entry
Shadow bytes around the buggy address:
0x0000800afea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800afeb0: 00 00 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
0x0000800afec0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800afed0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800afee0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0000800afef0: f9 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 00 00 00 00
0x0000800aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800aff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800aff20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800aff30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800aff40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4064==ABORTING
Attachment: id:000005,sig:11,src:002798,op:havoc,rep:128 (binary data; the name follows AFL's crash-file naming)
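The trace in the message above is the reporter's own. The following is an added example, not ncurses code and not from the reporter, that reproduces the shape of that report in isolation: a 2-byte read landing 2 bytes before a global, which is what a `short` array indexed at -1 looks like to AddressSanitizer (the 1990-byte global in the report is 995 shorts; whether index -1 is the actual cause in `_nc_find_entry` is not established by the trace alone). Everything here is constructed: the table `table`, `TABLE_SIZE`, the hash `hash_index`, the sentinel `NOT_FOUND`, and the two lookup functions are assumptions chosen to show the unchecked read beside its range-checked form.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example (not ncurses code): a global table of 16-bit entries.
 * Name, size and contents are assumptions; `short` is used because the report
 * shows a 2-byte read just before a 1990-byte global, i.e. the footprint of a
 * short array read at index -1. */
#define TABLE_SIZE 8
static const short table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

#define NOT_FOUND (-1)   /* usable as a sentinel because every entry is >= 0 */

/* Map a key to a slot. The accumulator is signed and each byte is read as a
 * signed char, so bytes >= 0x80 subtract; C's % keeps the sign of the
 * dividend, so the result can lie in (-TABLE_SIZE, 0). There is no signed
 * overflow for keys shorter than a few million bytes. */
static int hash_index(const unsigned char *key, size_t len)
{
    int sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (signed char)key[i];
    return sum % TABLE_SIZE;
}

/* Unchecked lookup: the computed slot is trusted. For the key "\xff" the slot
 * is -1 and table[-1] reads the two bytes before the array; built with
 * -fsanitize=address that read is reported as a global-buffer-overflow of
 * size 2, "2 bytes to the left of global variable 'table'". */
static short lookup_unchecked(const unsigned char *key, size_t len)
{
    return table[hash_index(key, len)];
}

/* Hardened lookup: range-check every index derived from untrusted input
 * before it reaches memory, and report the miss to the caller explicitly. */
static int lookup_checked(const unsigned char *key, size_t len)
{
    int idx = hash_index(key, len);
    if (idx < 0 || idx >= TABLE_SIZE)
        return NOT_FOUND;
    return table[idx];
}

int main(void)
{
    /* Constructed inputs: a benign key and one that drives the slot negative. */
    const unsigned char good[] = { 'a' };    /* 97 % 8 == 1  -> table[1]  */
    const unsigned char bad[]  = { 0xff };   /* -1 % 8 == -1 -> table[-1] */

    printf("good: slot %d, unchecked %d, checked %d\n",
           hash_index(good, sizeof good),
           lookup_unchecked(good, sizeof good),
           lookup_checked(good, sizeof good));
    printf("bad:  slot %d, checked %d\n",
           hash_index(bad, sizeof bad),
           lookup_checked(bad, sizeof bad));

    /* lookup_unchecked(bad, sizeof bad) is deliberately not called: it is an
     * out-of-bounds read. Compile with `cc -g -fsanitize=address` and add the
     * call to see an ASan report with the same shape as the one above. */
    return 0;
}
```

The check in `lookup_checked` is the whole fix for this bug class: an index computed from input is a value, not a proof of range, and a signed `%` does not clamp it to the table. The sentinel only works because the table's entries are non-negative, which is an assumption of this example.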