Bug 1484297
| Summary: | There is an illegal address access in compileTranslationTable.c of liblouis. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> | ||||
| Component: | liblouis | Assignee: | David King <dking> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Desktop QE <desktop-qa-list> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.5-Alt | CC: | mclasen | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-01-15 07:41:22 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. |
Created attachment 1316987 [details] Triggered by " ./lou_checktable POC1 " Description of problem: There is an illegal address access in compileTranslationTable.c of liblouis. Version-Release number of selected component (if applicable): <= latest version How reproducible: ./lou_checktable POC1 Steps to Reproduce: Normal output: $ ./lou_checktable POC1 fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined. fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined. fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined. fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined. fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined. fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined. fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined. fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined. fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined. fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined. fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined. fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified. fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined. fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined. fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined. fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined. fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined. fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined. fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined. fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined. fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined. fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined. fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined. Segmentation fault The GDB debugging information is as follows: (gdb) r ... gdb-peda$ r ... Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207 5207 while (_lou_getALine (&nested)) gdb-peda$ c 96 Will ignore next 95 crossings of breakpoint 1. Continuing. fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined. fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined. fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined. fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined. fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined. fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined. fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined. fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined. fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined. fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined. fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined. fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified. fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined. fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined. fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined. fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined. fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined. fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined. fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined. fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined. fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined. fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined. fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined. ... Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207 5207 while (_lou_getALine (&nested)) gdb-peda$ si ... 0x00007ffff7b9041b in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346 346 nested->line[nested->linelen] = 0; ... gdb-peda$ si Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0xffffffffffff009b RBX: 0x604100 --> 0x604170 --> 0x0 RCX: 0x2959 ('Y)') RDX: 0x604170 --> 0x0 RSI: 0x7ffff7fdc050 --> 0x1 RDI: 0x7ffff7dd0878 --> 0x1 RBP: 0xa ('\n') RSP: 0x7fffffffc3c0 --> 0x0 RIP: 0x7ffff7b9043e (<compileFile+286>: mov WORD PTR [rsp+rax*2+0x34],0x0) R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740) R9 : 0x0 R10: 0x64656e6966656420 (' defined') R11: 0x246 R12: 0x624400 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1") R13: 0x623bc0 ("fuzz/loucheck_out/crashes/POC1") R14: 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1") R15: 0xfffffffffffffff8 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff7b90430 <compileFile+272>: inc BYTE PTR [rdx+rcx*1] 0x7ffff7b90433 <compileFile+275>: mov DWORD PTR [rax],0x1708 0x7ffff7b90439 <compileFile+281>: movsxd rax,DWORD PTR [rsp+0x24] => 0x7ffff7b9043e <compileFile+286>: mov WORD PTR [rsp+rax*2+0x34],0x0 0x7ffff7b90445 <compileFile+293>: mov DWORD PTR [rsp+0x28],0x0 0x7ffff7b9044d <compileFile+301>: inc DWORD PTR [rsp+0x18] 0x7ffff7b90451 <compileFile+305>: mov rdi,r14 0x7ffff7b90454 <compileFile+308>: call 0x7ffff7b6d630 <compileRule> [------------------------------------stack-------------------------------------] 0000| 0x7fffffffc3c0 --> 0x0 0008| 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1") 0016| 0x7fffffffc3d0 --> 0x624420 --> 0xfbad2488 0024| 0x7fffffffc3d8 --> 0x300000060 0032| 0x7fffffffc3e0 --> 0xffff009b0000023f 0040| 0x7fffffffc3e8 --> 0x2300000000 ('') 0048| 0x7fffffffc3f0 --> 0x63006e00000020 (' ') 0056| 0x7fffffffc3f8 --> 0x4c0020005c006c ('l') [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x00007ffff7b9043e in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346 346 nested->line[nested->linelen] = 0; The vulnerability was triggered in function: in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346 346 nested->line[nested->linelen] = 0; Actual results: crash Expected results: crash Additional info: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.