Heap UAF in w3m #274

Open
randomssr opened this issue Jul 23, 2023 · 12 comments
Comments

@randomssr

w3m heap-use-after-free
Hello, w3m developers!

I found a heap-use-after-free in w3m.
Please confirm.
Thanks!

Test Environment
Ubuntu 20.04, 64-bit; w3m version w3m-0.5.3-git20220429

How to trigger
1. Compile the program with AddressSanitizer.
2. Run the command: $ ./w3m -dump_source -halfload http://127.0.0.1

Details
ASAN report
$./w3m -dump_source -halfload http://127.0.0.1

=================================================================
==638360==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001cd0 at pc 0x555555769584 bp 0x7fffffffd580 sp 0x7fffffffd570
READ of size 8 at 0x606000001cd0 thread T0
    #0 0x555555769583 in ISclose /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:190
    #1 0x555555649a65 in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:2288
    #2 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
    #3 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x555555605e2d in _start (/home/root/w3m/sourcecode/w3m-0.5.3-git20220429/install/bin/w3m+0xb1e2d)

0x606000001cd0 is located 48 bytes inside of 56-byte region [0x606000001ca0,0x606000001cd8)
freed by thread T0 here:
    #0 0x7ffff768240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x555555777766 in xfree /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/indep.c:742
    #2 0x5555557696a7 in ISclose /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:199
    #3 0x555555678941 in file_feed /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6338
    #4 0x555555677ce9 in HTMLlineproc2body /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:5645
    #5 0x555555678985 in HTMLlineproc3 /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6348
    #6 0x555555680e1c in loadHTMLstream /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:7316
    #7 0x55555567df09 in loadHTMLBuffer /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:6922
    #8 0x5555556380b5 in loadSomething /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:230
    #9 0x555555649a1a in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:2286
    #10 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
    #11 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff7682c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x5555557776e6 in xrealloc /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/indep.c:729
    #2 0x555555768d4e in newInputStream /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:100
    #3 0x555555734ecf in openURL /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/url.c:2000
    #4 0x555555644b0f in loadGeneralFile /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/file.c:1752
    #5 0x55555560ace2 in main /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/main.c:1053
    #6 0x7ffff6e4a082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/root/w3m/sourcecode/w3m-0.5.3-git20220429/istream.c:190 in ISclose
Shadow bytes around the buggy address:
  0x0c0c7fff8340: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff8350: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8360: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8370: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8380: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c7fff8390: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa
  0x0c0c7fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==638360==ABORTING
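The two stacks in the report describe an ownership problem rather than a stray pointer: the stream is freed by ISclose called from file_feed (the "freed by" stack, reached through the halfload path in HTMLlineproc2body), and then loadGeneralFile calls ISclose on the same stream a second time (the "READ" stack), which dereferences the freed region. The following C program is an added illustration of that double-close pattern and is not w3m code; the Stream type, its fields and the function names are hypothetical, and it only models the sequence the trace shows (inner consumer closes at EOF, outer caller closes again). It places the unsafe close shape beside a hardened one that nulls the owner's pointer, so the repeated close becomes a no-op. Whether the actual w3m fix takes this form is not something this thread states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not w3m code. Models the ownership problem the
 * ASan trace shows: an inner consumer (file_feed in the trace) closes
 * and frees the input stream at EOF, and the outer caller
 * (loadGeneralFile) then closes the same stream again, so the second
 * close reads freed memory. Stream, FeedResult and all function names
 * here are hypothetical.
 */
typedef struct {
    char  *buf;   /* heap copy of the input; stands in for the socket/file */
    size_t len;
    size_t pos;
} Stream;

typedef struct {
    size_t fed;          /* bytes the consumer read before EOF */
    int    real_closes;  /* how many close calls actually released memory */
} FeedResult;

/* Open a stream over constructed input (no network involved). */
static Stream *stream_open(const char *data)
{
    Stream *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->len = strlen(data);
    s->pos = 0;
    s->buf = malloc(s->len + 1);
    if (!s->buf) { free(s); return NULL; }
    memcpy(s->buf, data, s->len + 1);
    return s;
}

/* Read one byte; -1 at EOF. */
static int stream_getc(Stream *s)
{
    return s->pos < s->len ? (unsigned char)s->buf[s->pos++] : -1;
}

/*
 * Unsafe shape: close takes the handle by value and frees it, but the
 * caller's own pointer is left dangling. Calling this twice on the same
 * handle is the use-after-free the report flags at istream.c:190.
 * Kept for comparison only; nothing below calls it twice.
 */
void stream_close_unsafe(Stream *s)
{
    if (!s) return;
    free(s->buf);
    free(s);
}

/*
 * Hardened shape: close takes the owner's pointer-to-pointer, frees the
 * handle and nulls the owner's copy, so a repeated close is a no-op.
 * Returns 1 when memory was really released, 0 when it was already gone.
 */
int stream_close(Stream **sp)
{
    Stream *s = *sp;
    if (!s) return 0;
    free(s->buf);
    free(s);
    *sp = NULL;
    return 1;
}

/*
 * Drives the same sequence as the trace: the consumer reads to EOF and
 * closes the stream, then the caller closes it again unconditionally.
 * With the hardened close the second call is harmless and real_closes
 * stays at 1.
 */
FeedResult feed_then_close_twice(const char *input)
{
    FeedResult r = { 0, 0 };
    Stream *s = stream_open(input);
    if (!s) return r;

    /* inner consumer (cf. file_feed -> ISclose in the "freed by" stack) */
    while (stream_getc(s) != -1)
        r.fed++;
    r.real_closes += stream_close(&s);

    /* outer caller (cf. loadGeneralFile -> ISclose, the READ site) */
    r.real_closes += stream_close(&s);
    return r;
}

int main(void)
{
    FeedResult r = feed_then_close_twice("<html>hi</html>");
    printf("fed=%zu real_closes=%d\n", r.fed, r.real_closes);
    return r.real_closes == 1 ? 0 : 1;
}
```

Building this with `-fsanitize=address` and replacing the two `stream_close(&s)` calls with `stream_close_unsafe(s)` reproduces the same class of report (a READ inside the close routine, freed by the earlier close), which is a quick way to confirm that a candidate fix in real code removes the second close or makes it idempotent.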

@rkta
Contributor

rkta commented Jul 24, 2023 via email

@randomssr
Author

Here are my compilation commands:

1. mkdir install
2. CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --prefix=`pwd`/install
3. make
4. make install

I can reproduce the bug through the following command:

$ ./w3m -dump_source -halfload http://127.0.0.1 

I can also reproduce the bug in the latest version: 0.5.3-git20210102-deb11u1
Please confirm.
Thanks!

@rkta
Contributor

rkta commented Jul 24, 2023 via email

@randomssr
Author

I tried % ./w3m -dump_source -halfload http://localhost
and I get the same bug.
Is it because we are compiling differently?

@rkta
Contributor

rkta commented Jul 24, 2023 via email

@randomssr
Author

I just found the option in the source code. The option sets "w3m_dump" and "w3m_halfload".
Could you reproduce the bug?
If not, what is your output?

@rkta
Contributor

rkta commented Jul 24, 2023 via email

@randomssr
Author

Yes. I missed the detail about running locally.
Thank you for your reply!

@randomssr
Author

We mentioned this missing option in #260.
We hope you can fix the help text or man page as well.
Thank you!

@rkta
Contributor

rkta commented Jul 24, 2023 via email

@randomssr
Author

I get it.
Thank you for your timely reply!

@rkta
Contributor

rkta commented Apr 19, 2024 via email
