Bug 1484299 - There is a heap overflow in liblouis which is triggered at function resolveSubtable().
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthias Clasen
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2017-08-23 08:34 UTC by owl337
Modified: 2018-08-01 23:30 UTC (History)
Last Closed:


Attachments (Terms of Use)
Triggered by " ./lou_checktable POC2 " (428 bytes, application/x-rar)
2017-08-23 08:34 UTC, owl337
no flags Details

Description owl337 2017-08-23 08:34:26 UTC
Created attachment 1316989 [details]
Triggered by "  ./lou_checktable POC2 "

Description of problem:

There is a heap overflow in liblouis which is triggered at function resolveSubtable(). 

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC2

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC2
POC2:2: error: opcode 'incJude' not defined.
Segmentation fault

The GDB && ASAN debugging information is as follows:

gdb-peda$ r
...
Breakpoint 2, resolveSubtable (base=0x60200000ef90 "POC7", searchPath=<optimized out>, table=<optimized out>)
    at compileTranslationTable.c:5030
5030		  sprintf (tableFile, "%s%c%s", dir, DIR_SEP, table);
gdb-peda$ p tableFile 
$3 = 0x61d00001d680 "brai", ';' <repeats 78 times>, 'd' <repeats 118 times>...
gdb-peda$ bt 
#0  resolveSubtable (base=0x60200000ef90 "POC2", searchPath=<optimized out>, table=<optimized out>)
    at compileTranslationTable.c:5030
#1  _lou_defaultTableResolver (tableList=<optimized out>, base=<optimized out>) at compileTranslationTable.c:5125
#2  0x00007ffff7b2cc42 in _lou_resolveTable (base=0x7ffff7fd9778 "a\036", tableList=<optimized out>)
    at compileTranslationTable.c:5169
#3  includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5250
#4  compileRule (nested=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, 
    opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>)
    at compileTranslationTable.c:3838
#5  0x00007ffff7b5e548 in compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5208
#6  0x00007ffff7b1a80e in compileTranslationTable (tableList=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5316
#7  lou_getTable (tableList=<optimized out>) at compileTranslationTable.c:5419
#8  0x00000000004dbcb0 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe578)
    at lou_checktable.c:121
#9  0x00007ffff6c10ac0 in __libc_start_main (main=0x4dbb00 <main>, argc=0x2, argv=0x7fffffffe578, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe568) at libc-start.c:289
#10 0x0000000000435749 in _start ()
gdb-peda$ n
=================================================================
==112580==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001de80 at pc 0x00000044aca8 bp 0x7ffffff7d620 sp 0x7ffffff7cdb0
WRITE of size 2102 at 0x61d00001de80 thread T0
    #0 0x44aca7  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x44aca7)
    #1 0x44bffe  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x44bffe)
    #2 0x7ffff7b17ce7  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x14ce7)
    #3 0x7ffff7b2cc41  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x29c41)
    #4 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #5 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #6 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #7 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

0x61d00001de80 is located 0 bytes to the right of 2048-byte region [0x61d00001d680,0x61d00001de80)
allocated by thread T0 here:
    #0 0x4bc712  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4bc712)
    #1 0x7ffff7b17883  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x14883)

Shadow bytes around the buggy address:
  0x0c3a7fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbbd0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbc10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==112580==ABORTING
[Inferior 1 (process 112580) exited with code 01]
Warning: not running or target is remote
gdb-peda$ 


The vulnerability was triggered in function:
resolveSubtable (base=0x60200000ef90 "POC7", searchPath=<optimized out>, table=<optimized out>)
    at compileTranslationTable.c:5030
5025		    ;
5026		  last = (*cp == '\0');
5027		  *cp = '\0';
5028		  if (dir == cp)
5029		    dir = ".";
5030		  sprintf (tableFile, "%s%c%s", dir, DIR_SEP, table);
5031		  if (stat (tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) 
5032			{
5033				_lou_logMessage(LOG_DEBUG, "found table %s", tableFile); 
5034				free(searchPath_copy);

Actual results:

crash

Expected results:

crash

Additional info:


Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
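The crash site quoted in the report is an unbounded `sprintf` of `dir`, `DIR_SEP` and `table` into a fixed-size heap buffer (ASan shows a 2102-byte write into a 2048-byte region). The example below is added here for illustration; it is not liblouis's code nor its actual fix. It shows the defensive pattern a reviewer would want at that line: check the combined length before writing, format with `snprintf`, and have the search-path walk skip an entry that does not fit instead of writing past the buffer. The 2048-byte buffer size, the `','` search-path separator, the `fixture_exists` predicate and the table names are assumptions constructed for the example so that it runs without touching the filesystem.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this example (not liblouis's own constants): the result
 * buffer is 2048 bytes, the size of the heap region ASan reported, and the
 * search path is ','-separated. */
#define TABLE_FILE_SIZE 2048
#define DIR_SEP '/'
#define PATH_SEP ','

/* Write dir + DIR_SEP + table into buf. Returns 0 on success, -1 when the
 * joined path (plus its NUL) would not fit in bufsize bytes. The length
 * check runs before any write, so an oversize table name is rejected
 * instead of being written past the end of the buffer. */
int join_table_path(char *buf, size_t bufsize, const char *dir, const char *table)
{
    size_t dlen = strlen(dir);
    size_t tlen = strlen(table);

    /* Each operand is checked on its own first so the sum cannot wrap. */
    if (dlen >= bufsize || tlen >= bufsize || dlen + 1 + tlen + 1 > bufsize)
        return -1;

    int n = snprintf(buf, bufsize, "%s%c%s", dir, DIR_SEP, table);
    if (n < 0 || (size_t)n >= bufsize)   /* unreachable after the check above; kept as a guard */
        return -1;
    return 0;
}

/* Walk a PATH_SEP-separated search path and return 0 with the first
 * candidate that `exists` accepts in out[]; -1 if none exists or fits.
 * `exists` is a caller-supplied predicate so the walk can be exercised
 * offline (the real code would call stat() on each candidate). */
int resolve_subtable_safe(const char *search_path, const char *table,
                          int (*exists)(const char *), char *out, size_t outsize)
{
    char *copy = strdup(search_path);   /* scratch copy: the walk writes NULs into it */
    if (copy == NULL)
        return -1;

    char *cp = copy;
    int last = 0;
    while (!last) {
        char *dir = cp;
        while (*cp != '\0' && *cp != PATH_SEP)
            cp++;
        last = (*cp == '\0');
        *cp = '\0';                      /* terminate this entry in place */
        if (dir == cp)
            dir = ".";                   /* empty entry means current directory */

        /* A dir/table pair that does not fit is skipped rather than written. */
        if (join_table_path(out, outsize, dir, table) == 0 && exists(out)) {
            free(copy);
            return 0;
        }
        if (!last)
            cp++;                        /* step past the separator we just NUL'd */
    }
    free(copy);
    if (outsize > 0)
        out[0] = '\0';
    return -1;
}

/* Constructed fixture standing in for the filesystem: only one table "exists". */
int fixture_exists(const char *path)
{
    return strcmp(path, "tables/en-us.ctb") == 0;
}

/* Stand-alone demo: a normal lookup, then a table name longer than the
 * buffer (the shape of the crashing input: a 2048-byte region receiving a
 * 2102-byte write). */
int main(void)
{
    char buf[TABLE_FILE_SIZE];
    char big[2200];
    memset(big, 'd', 2100);
    big[2100] = '\0';

    printf("normal:   %d -> %s\n",
           resolve_subtable_safe("missing,tables", "en-us.ctb", fixture_exists, buf, sizeof buf), buf);
    printf("oversize: %d\n",
           resolve_subtable_safe("missing,tables", big, fixture_exists, buf, sizeof buf));
    return 0;
}
```

The pre-write length check is the part that matters: `snprintf` alone would truncate silently and then `stat` a wrong path, whereas rejecting the entry keeps both memory safety and the "table not found" semantics intact.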

