
This URL will crash your Ubuntu wget

By rampino, 2020-03-02

Something interesting happened to me today: while searching the web for PDF files, I noticed my Ubuntu 16.04 wget command segfaulting, which is quite rare considering how well these commands are tested against input.

Ubuntu 16.04 ships wget version 1.17.1:

GNU Wget 1.17.1 built on linux-gnu.

So I grabbed the sources from the wget site for debugging/investigation, or rather just ran it quickly with ASAN on, because I'm lazy…

The wget site has version 1.18, which does not have this problem, so I assume it has been fixed or the code has changed.

Anyway, just sharing this because I thought it was interesting and rare to see!

The culprit URL is: http://ia600208.us.archive.org/23/items/sarabia_20160316_0705/%d9%84%db%95%20%d8%aa%db%86%d9%be%d8%ae%d8%a7%d9%86%db%95%d9%88%db%95%20%d8%a8%db%86%20%d8%b9%db%95%d8%b1%d8%b9%db%95%d8%b1.pdf


It is a very peculiar filename with Arabic characters. In fact, I have not even opened the file and cannot read the title; if anyone knows what the title means, let me know. I just downloaded a bunch of stuff from archive.org.

archive.org ➜ wget-1.17.1 ./src/wget http://ia600208.us.archive.org/23/items/sarabia_20160316_0705/%d9%84%db%95%20%d8%aa%db%86%d9%be%d8%ae%d8%a7%d9%86%db%95%d9%88%db%95%20%d8%a8%db%86%20%d8%b9%db%95%d8%b1%d8%b9%db%95%d8%b1.pdf
--2016-07-09 23:38:04--  http://ia600208.us.archive.org/23/items/sarabia_20160316_0705/%d9%84%db%95%20%d8%aa%db%86%d9%be%d8%ae%d8%a7%d9%86%db%95%d9%88%db%95%20%d8%a8%db%86%20%d8%b9%db%95%d8%b1%d8%b9%db%95%d8%b1.pdf
Resolving ia600208.us.archive.org (ia600208.us.archive.org)... 207.241.227.228
Connecting to ia600208.us.archive.org (ia600208.us.archive.org)|207.241.227.228|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 444923 (434K) [application/pdf]
Saving to: ‘\331%84\333%95 ت\333%86پخا\331%86\333%95\331%88\333%95 ب\333%86 ع\333%95رع\333%95ر.pdf.2’

=================================================================
==42306==ERROR: AddressSanitizer: negative-size-param: (size=-4)
    #0 0x7fa89f7c8e72  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47e72)
    #1 0x4c986f in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x4c986f in create_image /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/progress.c:1167
    #3 0x4cbdb6 in bar_create /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/progress.c:602
    #4 0x4dd0ae in fd_read_body /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/retr.c:274
    #5 0x4826bc in read_response_body /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/http.c:1682
    #6 0x49be1d in gethttp /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/http.c:3753
    #7 0x4a1aaf in http_loop /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/http.c:3971
    #8 0x4df57a in retrieve_url /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/retr.c:817
    #9 0x40c142 in main /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/main.c:1868
    #10 0x7fa89e7b582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x40e948 in _start (/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/src/wget+0x40e948)

0x61200000bb0f is located 207 bytes inside of 303-byte region [0x61200000ba40,0x61200000bb6f)
allocated by thread T0 here:
    #0 0x7fa89f847e18 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6e18)
    #1 0x543650 in xmalloc /media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/wget-1.17.1/lib/xmalloc.c:41

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47e72)
==42306==ABORTING

So, long story short, a huge parameter was passed to memset. ASAN catches it, but a plain memset happily accepts it.
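The pattern behind a "negative-size-param" report is a signed width computation that goes below zero and is then handed to memset, whose size_t parameter silently turns -4 into an enormous length (the same -4 shows up as rdx, the third argument register, in the gdb dump further down). The following is an added illustration written for this page, not wget's own code and not from the original post: it models a fixed-width name field in a progress line. The constructed defect mixes byte counts and column counts for a multibyte file name, which is one plausible way such a subtraction goes negative precisely for an Arabic name; whether create_image in progress.c:1167 failed in exactly that way is an assumption, not something the trace proves. The sample name is built from the first two letters of the URL's file name (U+0644 U+06D5) and the NAME_COLS width is arbitrary.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not wget's code): a progress line reserves NAME_COLS
   columns for the file name; whatever the name does not use is filled
   with spaces by memset. */
#define NAME_COLS 16

/* Constructed sample: the first two letters of the URL's file name
   (U+0644 U+06D5, 4 bytes in UTF-8) repeated 8 times: 16 code points,
   32 bytes. */
static const char SAMPLE_ARABIC_NAME[] =
    "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95"
    "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95" "\xd9\x84\xdb\x95";

/* Number of UTF-8 code points: every byte that is not a continuation
   byte (10xxxxxx) starts one. */
size_t utf8_codepoints(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Byte length of the prefix of s holding at most `cols` code points. */
size_t utf8_prefix_bytes(const char *s, size_t cols)
{
    size_t i = 0, seen = 0;
    for (; s[i]; i++) {
        if (((unsigned char)s[i] & 0xC0) != 0x80) {
            if (seen == cols)
                break;
            seen++;
        }
    }
    return i;
}

/* The defect pattern: the name is copied by bytes, but the padding is
   computed as columns minus bytes. A 16-column name of 2-byte characters
   occupies 32 bytes, so the padding is 16 - 32 = -16, and memset's size_t
   parameter silently turns that into SIZE_MAX - 15. Returns the value
   memset would have been given. */
size_t unchecked_pad_size(const char *name)
{
    size_t bytes = utf8_prefix_bytes(name, NAME_COLS);
    int pad = NAME_COLS - (int)bytes;   /* signed, may go negative */
    return (size_t)pad;                 /* what memset would receive */
}

/* Hardened version: padding is derived from the columns actually used,
   which by construction never exceed NAME_COLS, and the destination is
   checked against the worst case before any write. Returns bytes written
   (excluding the terminator), or 0 if buf is too small. */
size_t render_name_field(char *buf, size_t buflen, const char *name)
{
    size_t cols = utf8_codepoints(name);
    if (cols > NAME_COLS)
        cols = NAME_COLS;               /* truncate on column count */
    size_t bytes = utf8_prefix_bytes(name, cols);
    size_t pad = NAME_COLS - cols;      /* cols <= NAME_COLS, never negative */
    if (bytes + pad + 1 > buflen)
        return 0;                       /* refuse rather than overflow */
    memcpy(buf, name, bytes);
    memset(buf + bytes, ' ', pad);      /* pad is 0 when the name fills the field */
    buf[bytes + pad] = '\0';
    return bytes + pad;
}

int main(void)
{
    char line[64];
    printf("unchecked pad for short.pdf: %zu\n", unchecked_pad_size("short.pdf"));
    printf("unchecked pad for the Arabic name: %zu (what memset would get)\n",
           unchecked_pad_size(SAMPLE_ARABIC_NAME));
    render_name_field(line, sizeof line, "short.pdf");
    printf("[%s]\n", line);
    render_name_field(line, sizeof line, SAMPLE_ARABIC_NAME);
    printf("[%s]\n", line);
    return 0;
}
```

The defensive points are the ones a sanitizer-free build needs: keep the subtraction in one unit (columns against columns), clamp or reject before converting to size_t, and size the destination for the worst case of bytes per column rather than for the column count. Building with `-fsanitize=address`, as the author did, is what turns a silent huge memset into the report above.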

Program received signal SIGSEGV, Segmentation fault.
__memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
161     ../sysdeps/x86_64/multiarch/memset-avx2.S: No such file or directory.
(gdb) bt
#0  __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
#1  0x0000555555582891 in ?? ()
#2  0x0000555555582e3e in ?? ()
#3  0x0000555555585f32 in ?? ()
#4  0x0000555555575e00 in ?? ()
#5  0x000055555557afac in ?? ()
#6  0x000055555557bd2a in ?? ()
#7  0x0000555555586b64 in ?? ()
#8  0x0000555555561d83 in ?? ()
#9  0x00007ffff6aa8830 in __libc_start_main (main=0x555555560700, argc=2, argv=0x7fffffffe128, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe118) at ../csu/libc-start.c:291
#10 0x0000555555562019 in ?? ()
(gdb) info registers
rax            0x20202020          538976288
rbx            0xfffffffffffffffc  -4
rcx            0xfffffffffffe876b  -96405
rdx            0xfffffffffffffffc  -4
rsi            0x5555557d776b      93824994867051
rdi            0x5555557ef000      93824994963456
rbp            0x5555557d74d0      0x5555557d74d0
rsp            0x7fffffffd4c8      0x7fffffffd4c8
r8             0x0                 0
r9             0x5555557d76bb      93824994866875
r10            0x7fffffffd418      140737488344088
r11            0x0                 0
r12            0x0                 0
r13            0x71                113
r14            0x5555557cd8f0      93824994826480
r15            0x5555557d776f      93824994867055
rip            0x7ffff6bfa328      0x7ffff6bfa328 <__memset_avx2+392>
eflags         0x10287             [ CF PF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0