Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1484297

Summary:

There is an illegal address access in compileTranslationTable.c of liblouis.

Product:

Red Hat Enterprise Linux 7

Reporter:

owl337 <v.owl337>

Component:

liblouis

Assignee:

David King <dking>

Status:

CLOSED WONTFIX

QA Contact:

Desktop QE <desktop-qa-list>

Severity:

unspecified

Docs Contact:

Priority:

unspecified

Version:

7.5-Alt

CC:

mclasen

Target Milestone:

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2021-01-15 07:41:22 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
Triggered by " ./lou_checktable POC1 "	none

Description owl337 2017-08-23 08:29:03 UTC

Created attachment 1316987 [details]
Triggered by " ./lou_checktable POC1 "

Description of problem:

There is an illegal address access in compileTranslationTable.c of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC1

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC1
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.
Segmentation fault

The GDB debugging information is as follows:

(gdb) r
...
gdb-peda$ r
...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ c 96 
Will ignore next 95 crossings of breakpoint 1.  Continuing.
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.

...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ si
...
0x00007ffff7b9041b in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;
...
gdb-peda$ si

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffff009b 
RBX: 0x604100 --> 0x604170 --> 0x0 
RCX: 0x2959 ('Y)')
RDX: 0x604170 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0xa ('\n')
RSP: 0x7fffffffc3c0 --> 0x0 
RIP: 0x7ffff7b9043e (<compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x64656e6966656420 (' defined')
R11: 0x246 
R12: 0x624400 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R13: 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R14: 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R15: 0xfffffffffffffff8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b90430 <compileFile+272>:	inc    BYTE PTR [rdx+rcx*1]
   0x7ffff7b90433 <compileFile+275>:	mov    DWORD PTR [rax],0x1708
   0x7ffff7b90439 <compileFile+281>:	movsxd rax,DWORD PTR [rsp+0x24]
=> 0x7ffff7b9043e <compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0
   0x7ffff7b90445 <compileFile+293>:	mov    DWORD PTR [rsp+0x28],0x0
   0x7ffff7b9044d <compileFile+301>:	inc    DWORD PTR [rsp+0x18]
   0x7ffff7b90451 <compileFile+305>:	mov    rdi,r14
   0x7ffff7b90454 <compileFile+308>:	call   0x7ffff7b6d630 <compileRule>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc3c0 --> 0x0 
0008| 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
0016| 0x7fffffffc3d0 --> 0x624420 --> 0xfbad2488 
0024| 0x7fffffffc3d8 --> 0x300000060 
0032| 0x7fffffffc3e0 --> 0xffff009b0000023f 
0040| 0x7fffffffc3e8 --> 0x2300000000 ('')
0048| 0x7fffffffc3f0 --> 0x63006e00000020 (' ')
0056| 0x7fffffffc3f8 --> 0x4c0020005c006c ('l')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9043e in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;


The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
	346	  nested->line[nested->linelen] = 0;

Actual results:

crash

Expected results:

crash

Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:22 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.