Bug 1484297 - There is an illegal address access in compileTranslationTable.c of liblouis.
Summary: There is an illegal address access in compileTranslationTable.c of liblouis.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: David King
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-23 08:29 UTC by owl337
Modified: 2021-01-15 07:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-15 07:41:22 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by " ./lou_checktable POC1 " (570 bytes, application/x-rar)
2017-08-23 08:29 UTC, owl337
no flags Details

Description owl337 2017-08-23 08:29:03 UTC
Created attachment 1316987 [details]
Triggered by " ./lou_checktable POC1 "

Description of problem:

There is an illegal address access in compileTranslationTable.c of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC1

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC1
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.
Segmentation fault

The GDB debugging information is as follows:

(gdb) r
...
gdb-peda$ r
...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ c 96 
Will ignore next 95 crossings of breakpoint 1.  Continuing.
fuzz/loucheck_out/crashes/POC1:2: error: opcode 'inglud\x00d5' not defined.
fuzz/loucheck_out/crashes/POC1:3: error: opcode ':se:' not defined.
fuzz/loucheck_out/crashes/POC1:5: error: opcode 't' not defined.
fuzz/loucheck_out/crashes/POC1:6: error: opcode 'i' not defined.
fuzz/loucheck_out/crashes/POC1:7: error: opcode 'ronk' not defined.
fuzz/loucheck_out/crashes/POC1:8: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:9: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:13: error: opcode 'nclu' not defined.
fuzz/loucheck_out/crashes/POC1:15: error: opcode '\x00f0' not defined.
fuzz/loucheck_out/crashes/POC1:22: error: opcode 'd' not defined.
fuzz/loucheck_out/crashes/POC1:33: error: opcode 'pi.Ktb' not defined.
fuzz/loucheck_out/crashes/POC1:34: error: include file name not specified.
fuzz/loucheck_out/crashes/POC1:39: error: opcode '\x00f6' not defined.
fuzz/loucheck_out/crashes/POC1:50: error: opcode '\x00fb' not defined.
fuzz/loucheck_out/crashes/POC1:52: error: opcode 'L' not defined.
fuzz/loucheck_out/crashes/POC1:64: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:65: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:66: error: opcode 'includet' not defined.
fuzz/loucheck_out/crashes/POC1:75: error: opcode '+iel' not defined.
fuzz/loucheck_out/crashes/POC1:76: error: opcode 'in^lude' not defined.
fuzz/loucheck_out/crashes/POC1:77: error: opcode 'tttttttttttttttttttttttttttttttttttttttt' not defined.
fuzz/loucheck_out/crashes/POC1:79: error: opcode '\x00ee' not defined.
fuzz/loucheck_out/crashes/POC1:93: error: opcode 'd' not defined.

...
Breakpoint 1, compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5207
5207	      while (_lou_getALine (&nested))
gdb-peda$ si
...
0x00007ffff7b9041b in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;
...
gdb-peda$ si

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffff009b 
RBX: 0x604100 --> 0x604170 --> 0x0 
RCX: 0x2959 ('Y)')
RDX: 0x604170 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0xa ('\n')
RSP: 0x7fffffffc3c0 --> 0x0 
RIP: 0x7ffff7b9043e (<compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x64656e6966656420 (' defined')
R11: 0x246 
R12: 0x624400 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R13: 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R14: 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
R15: 0xfffffffffffffff8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b90430 <compileFile+272>:	inc    BYTE PTR [rdx+rcx*1]
   0x7ffff7b90433 <compileFile+275>:	mov    DWORD PTR [rax],0x1708
   0x7ffff7b90439 <compileFile+281>:	movsxd rax,DWORD PTR [rsp+0x24]
=> 0x7ffff7b9043e <compileFile+286>:	mov    WORD PTR [rsp+rax*2+0x34],0x0
   0x7ffff7b90445 <compileFile+293>:	mov    DWORD PTR [rsp+0x28],0x0
   0x7ffff7b9044d <compileFile+301>:	inc    DWORD PTR [rsp+0x18]
   0x7ffff7b90451 <compileFile+305>:	mov    rdi,r14
   0x7ffff7b90454 <compileFile+308>:	call   0x7ffff7b6d630 <compileRule>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc3c0 --> 0x0 
0008| 0x7fffffffc3c8 --> 0x623bc0 ("fuzz/loucheck_out/crashes/POC1")
0016| 0x7fffffffc3d0 --> 0x624420 --> 0xfbad2488 
0024| 0x7fffffffc3d8 --> 0x300000060 
0032| 0x7fffffffc3e0 --> 0xffff009b0000023f 
0040| 0x7fffffffc3e8 --> 0x2300000000 ('')
0048| 0x7fffffffc3f0 --> 0x63006e00000020 (' ')
0056| 0x7fffffffc3f8 --> 0x4c0020005c006c ('l')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b9043e in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
346	  nested->line[nested->linelen] = 0;


The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:346
	346	  nested->line[nested->linelen] = 0;

Actual results:

crash

Expected results:

crash

Additional info:


This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:22 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.


Note You need to log in before you can comment on or make changes to this bug.