AddressSanitizer: SEGV in GC_malloc_atomic #305

Open
cx104906 opened this issue Sep 11, 2024 · 4 comments

Comments

@cx104906

git clone https://github.com/tats/w3m.git
cd w3m
CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fPIC -O2" CXXFLAGS="-fsanitize=address -fPIC -O2" ./configure
make
./w3m -dump input

AddressSanitizer:DEADLYSIGNAL

==20170==ERROR: AddressSanitizer: SEGV on unknown address 0x000012001400 (pc 0x7ffff6bfe743 bp 0x000000000011 sp 0x7fffffffd380 T0)
==20170==The signal is caused by a READ memory access.
#0 0x7ffff6bfe743 in GC_malloc_atomic (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x1f743)
#1 0x5152c0 in growbuf_reserve (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x5152c0)
#2 0x515638 in growbuf_append (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x515638)
#3 0x50b694 in ISgets_to_growbuf (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x50b694)
#4 0x50c385 in StrISgets2 (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x50c385)
#5 0x445c30 in loadBuffer (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x445c30)
#6 0x46b700 in loadGeneralFile (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x46b700)
#7 0x406e38 in main (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x406e38)
#8 0x7ffff5c87c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#9 0x40a6b9 in _start (/home/cas/chenxu/cxfuzz2/fuzz/verify_cve/w3m/w3m+0x40a6b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x1f743) in GC_malloc_atomic
==20170==ABORTING

./w3m -version
w3m version w3m/0.5.3+git20230718, options lang=en,m17n,image,color,ansi-color,mouse,gpm,menu,cookie,ssl,ssl-verify,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark

gcc --version
gcc (GCC) 11.2.0
Copyright © 2021 Free Software Foundation, Inc.

uname -a
Linux cas-PC 5.4.0-144-generic #161~18.04.1-Ubuntu SMP Fri Feb 10 15:55:22 UTC 2023 x86_64 GNU/Linux

Input file URL:
https://github.com/cx104906/poc/tree/main/w3m

@rkta
Contributor

rkta commented Sep 11, 2024 via email

@cx104906
Author

> On Tue, Sep 10, 2024 at 08:30:30PM -0700, cx104906 wrote:
> > git clone https://github.com/tats/w3m.git
> > cd w3m
> > CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fPIC -O2" CXXFLAGS="-fsanitize=address -fPIC -O2" ./configure
> > make
> > ./w3m -dump input
>
> % gmake OPTS='-O2 -fsanitize=address -fPIC'
> % ./w3m -dump /tmp/poc > /dev/null && echo works
> works
>
> Can't reproduce.

I'm sorry you couldn't reproduce it. I tried to reproduce it in Docker.

docker pull debian:11
docker run --name test -it --privileged=true --net=host debian:11
apt update
apt install git build-essential libgc-dev libncurses5-dev libncursesw5-dev -y
git clone https://github.com/tats/w3m.git
cd w3m
CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fPIC -O2" CXXFLAGS="-fsanitize=address -fPIC -O2" ./configure
make
git clone https://github.com/cx104906/poc.git
./w3m -dump poc/w3m/input

And the crash occurred.

@rkta
Contributor

rkta commented Sep 11, 2024 via email

@cx104906
Author

> On Wed, Sep 11, 2024 at 12:10:07AM -0700, cx104906 wrote:
> > On Tue, Sep 10, 2024 at 08:30:30PM -0700, cx104906 wrote:
> > > git clone https://github.com/tats/w3m.git
> > > cd w3m
> > > CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fPIC -O2" CXXFLAGS="-fsanitize=address -fPIC -O2" ./configure
> > > make
> > > ./w3m -dump input
> >
> > % gmake OPTS='-O2 -fsanitize=address -fPIC'
> > % ./w3m -dump /tmp/poc > /dev/null && echo works
> > works
> >
> > Can't reproduce.
> >
> > I'm sorry you couldn't reproduce it. I tried to reproduce it in Docker.
>
> Can reproduce in Docker, but I get a different error than the one you reported. Also, could you provide some example input that is not 154259 bytes? If you reduce the input to the bare minimum that produces a crash, this will help significantly to debug this. Seems again to be related to backspaces in binary data.

I used a tool to reduce the input file size from 151 KB to 50.1 KB. I can't reduce it any further.
The ASan (AddressSanitizer) crash outputs differ between Debian run in Docker and Ubuntu 18.04 run on a server.
And I can't reproduce this crash on Ubuntu 18.04 run in Docker or run in VMware.
poc-mini is the reduced file.

docker pull debian:11
docker run --name test -it --privileged=true --net=host debian:11
apt update
apt install git build-essential libgc-dev libncurses5-dev libncursesw5-dev -y
git clone https://github.com/tats/w3m.git
cd w3m
CC=gcc CXX=g++ CFLAGS="-fsanitize=address -fPIC -O2" CXXFLAGS="-fsanitize=address -fPIC -O2" ./configure
make
git clone https://github.com/cx104906/poc.git
./w3m -dump poc/w3m/poc-mini
