1484297 – There is an illegal address access in compileTranslationTable.c of liblouis.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1484297 - There is an illegal address access in compileTranslationTable.c of liblouis.

Summary: There is an illegal address access in compileTranslationTable.c of liblouis.

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	liblouis
Sub Component:
Version:	7.5-Alt
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	David King
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-23 08:29 UTC by owl337
Modified:	2021-01-15 07:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-15 07:41:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Triggered by " ./lou_checktable POC1 " (570 bytes, application/x-rar) 2017-08-23 08:29 UTC, owl337	no flags	Details
View All

Description owl337 2017-08-23 08:29:03 UTC

Created attachment 1316987 [details]
Triggered by " ./lou_checktable POC1 "

Description of problem:

There is an illegal address access in compileTranslationTable.c of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC1

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC1
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.
Segmentation fault

The GDB debugging information is as follows:

(gdb) r
...
gdb-peda$ r
...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ c 96 
Will ignore next 95 crossings of breakpoint 1.  Continuing.
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.

...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ si
...
0x00007ffff7b9041b in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;
...
gdb-peda$ si

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffff009b 
RBX: 0x604100 --> 0x604170 --> 0x0 
RCX: 0x2959 ('Y)')
RDX: 0x604170 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0xa ('\n')
RSP: 0x7fffffffc3c0 --> 0x0 
RIP: 0x7ffff7b9043e (<compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x64656e6966656420 (' defined')
R11: 0x246 
R12: 0x624400 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R13: 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R14: 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R15: 0xfffffffffffffff8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b90430 <compileFile+272>:	inc    BYTE PTR [rdx+rcx*1]
   0x7ffff7b90433 <compileFile+275>:	mov    DWORD PTR [rax],0x1708
   0x7ffff7b90439 <compileFile+281>:	movsxd rax,DWORD PTR [rsp+0x24]
=> 0x7ffff7b9043e <compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0
   0x7ffff7b90445 <compileFile+293>:	mov    DWORD PTR [rsp+0x28],0x0
   0x7ffff7b9044d <compileFile+301>:	inc    DWORD PTR [rsp+0x18]
   0x7ffff7b90451 <compileFile+305>:	mov    rdi,r14
   0x7ffff7b90454 <compileFile+308>:	call   0x7ffff7b6d630 <compileRule>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc3c0 --> 0x0 
0008| 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
0016| 0x7fffffffc3d0 --> 0x624420 --> 0xfbad2488 
0024| 0x7fffffffc3d8 --> 0x300000060 
0032| 0x7fffffffc3e0 --> 0xffff009b0000023f 
0040| 0x7fffffffc3e8 --> 0x2300000000 ('')
0048| 0x7fffffffc3f0 --> 0x63006e00000020 (' ')
0056| 0x7fffffffc3f8 --> 0x4c0020005c006c ('l')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9043e in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;


The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
	346	  nested->line[nested->linelen] = 0;

Actual results:

crash

Expected results:

crash

Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:22 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.