Bug 1484297 - There is an illegal address access in compileTranslationTable.c of liblouis.
Summary: There is an illegal address access in compileTranslationTable.c of liblouis.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Matthias Clasen
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-23 08:29 UTC by owl337
Modified: 2019-08-01 18:04 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
Triggered by " ./lou_checktable POC1 " (570 bytes, application/x-rar)
2017-08-23 08:29 UTC, owl337

Description owl337 2017-08-23 08:29:03 UTC
Created attachment 1316987 [details]
Triggered by " ./lou_checktable POC1 "

Description of problem:

There is an illegal address access in compileTranslationTable.c of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC1

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC1
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.
Segmentation fault

The GDB debugging information is as follows:

(gdb) r
...
gdb-peda$ r
...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ c 96 
Will ignore next 95 crossings of breakpoint 1.  Continuing.
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.

...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ si
...
0x00007ffff7b9041b in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;
...
gdb-peda$ si

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffff009b 
RBX: 0x604100 --> 0x604170 --> 0x0 
RCX: 0x2959 ('Y)')
RDX: 0x604170 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0xa ('\n')
RSP: 0x7fffffffc3c0 --> 0x0 
RIP: 0x7ffff7b9043e (<compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x64656e6966656420 (' defined')
R11: 0x246 
R12: 0x624400 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R13: 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R14: 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R15: 0xfffffffffffffff8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b90430 <compileFile+272>:	inc    BYTE PTR [rdx+rcx*1]
   0x7ffff7b90433 <compileFile+275>:	mov    DWORD PTR [rax],0x1708
   0x7ffff7b90439 <compileFile+281>:	movsxd rax,DWORD PTR [rsp+0x24]
=> 0x7ffff7b9043e <compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0
   0x7ffff7b90445 <compileFile+293>:	mov    DWORD PTR [rsp+0x28],0x0
   0x7ffff7b9044d <compileFile+301>:	inc    DWORD PTR [rsp+0x18]
   0x7ffff7b90451 <compileFile+305>:	mov    rdi,r14
   0x7ffff7b90454 <compileFile+308>:	call   0x7ffff7b6d630 <compileRule>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc3c0 --> 0x0 
0008| 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
0016| 0x7fffffffc3d0 --> 0x624420 --> 0xfbad2488 
0024| 0x7fffffffc3d8 --> 0x300000060 
0032| 0x7fffffffc3e0 --> 0xffff009b0000023f 
0040| 0x7fffffffc3e8 --> 0x2300000000 ('')
0048| 0x7fffffffc3f0 --> 0x63006e00000020 (' ')
0056| 0x7fffffffc3f8 --> 0x4c0020005c006c ('l')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9043e in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;


The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
	346	  nested->line[nested->linelen] = 0;

Actual results:

crash

Expected results:

crash

Additional info:


This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
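The crash site in the trace above is the terminator write `nested->line[nested->linelen] = 0`: the faulting instruction stores through `[rsp+rax*2+0x34]` with RAX sign-extended from the 32-bit value at `[rsp+0x24]` (0xffffffffffff009b), i.e. the length counter has gone negative and the store lands outside the line buffer. The following is an added example, not liblouis code, of a line reader that keeps that index in range by construction: the counter is unsigned, the loop leaves room for the terminator, and an over-long line is reported and skipped rather than written past the end. The type and function names (`LineReader`, `read_line`, `LINE_CAP`) and the embedded sample input are hypothetical and constructed for the example; a narrow `char` buffer is used where liblouis uses wide characters.

```c
/* Added example (not liblouis code): a bounds-checked line reader.
 * The report's crash is a terminator write whose index is unchecked.
 * Here the index can never be negative or reach the buffer's capacity.
 * Names (LineReader, read_line, LINE_CAP) are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP 16   /* deliberately small so the sample exercises the limit */

typedef struct {
    const char *data;     /* constructed in-memory "file" contents */
    size_t size;          /* total bytes in data */
    size_t pos;           /* read cursor */
    char line[LINE_CAP];  /* current line, NUL-terminated after read_line */
    size_t linelen;       /* unsigned: cannot go negative */
} LineReader;

enum { LINE_OK = 0, LINE_EOF = 1, LINE_TOO_LONG = 2 };

/* Constructed sample: a normal line, an over-long line, a short line. */
static const char SAMPLE_INPUT[] =
    "include foo\n"
    "abcdefghijklmnopqrstuvwxyz\n"
    "short\n";

static void reader_init(LineReader *r, const char *data, size_t size) {
    r->data = data;
    r->size = size;
    r->pos = 0;
    r->linelen = 0;
    r->line[0] = 0;
}

/* Read the next line (without its '\n') into r->line.
 * Returns LINE_OK, LINE_EOF when no data remains, or LINE_TOO_LONG when the
 * line does not fit; in that case the line is truncated to LINE_CAP-1 bytes
 * and the rest of it is consumed so the caller resumes at the next line. */
static int read_line(LineReader *r) {
    if (r->pos >= r->size) {
        r->line[0] = 0;
        r->linelen = 0;
        return LINE_EOF;
    }
    size_t n = 0;
    int too_long = 0;
    while (r->pos < r->size) {
        char c = r->data[r->pos++];
        if (c == '\n')
            break;
        if (n + 1 >= LINE_CAP) {   /* keep one byte for the terminator */
            too_long = 1;
            continue;              /* drain the rest of the line */
        }
        r->line[n++] = c;
    }
    /* n <= LINE_CAP - 1 by construction, so this store is always in bounds */
    r->linelen = n;
    r->line[n] = 0;
    return too_long ? LINE_TOO_LONG : LINE_OK;
}

/* Stand-alone demo: print each line and its status. */
int main(void) {
    LineReader r;
    reader_init(&r, SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1);
    int status;
    while ((status = read_line(&r)) != LINE_EOF)
        printf("%s (len=%zu) \"%s\"\n",
               status == LINE_TOO_LONG ? "TOO_LONG" : "OK", r.linelen, r.line);
    return 0;
}
```

The point of the design is that `linelen` is derived from a loop bounded by `LINE_CAP - 1`, so the terminator index is a consequence of the buffer size rather than of the input; a fuzzer cannot drive it negative or past the end, which is the failure class the GDB trace shows.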
