Bug 1484306 - There is a Stack-buffer-overflow in liblouis which is triggered in function parseChars().
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthias Clasen
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-23 08:40 UTC by owl337
Modified: 2019-08-01 18:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
Triggered by " ./lou_checktable POC3 " (510 bytes, application/x-rar), 2017-08-23 08:40 UTC, owl337

Description owl337 2017-08-23 08:40:09 UTC
Created attachment 1316992 [details]
Triggered by " ./lou_checktable POC3 "

Description of problem:

There is a stack-buffer-overflow in liblouis which is triggered in function parseChars().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC3

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC3
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
*** Error in `./lou_checktable': double free or corruption (!prev): 0x00000000017cea20 ***
Aborted

The GDB && ASAN debugging information is as follows:
gdb-peda$ set args  POC3
gdb-peda$ r 
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ c 511 
Will ignore next 510 crossings of breakpoint 9.  Continuing.
Cannot resolve table 'elxame:'
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
Cannot resolve table '.ctb'
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
...
Legend: code, data, rodata, value
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ n
=================================================================
==61701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff2492 at pc 0x7ffff7b15dcb bp 0x7ffffff7d730 sp 0x7ffffff7d728
WRITE of size 2 at 0x7fffffff2492 thread T0
    #0 0x7ffff7b15dca  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x12dca)
    #1 0x7ffff7b23212  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x20212)
    #2 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #3 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #4 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #5 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

Address 0x7fffffff2492 is located in stack of thread T0 at offset 478194 in frame
    #0 0x7ffff7b1d92f  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f)

  This frame has 134 object(s):
    [32, 4130) 'token.i387'
    [4400, 8498) 'token.i384'
    [8768, 8772) 'offset.i47.i'
    [8784, 8788) 'offset.i26.i'
    [8800, 8804) 'offset.i3.i'
    [8816, 8820) 'offset.i.i338'
    [8832, 12930) 'token.i.i339'
    [13200, 17298) 'ruleChars.i340'
    [17568, 21666) 'ruleDots.i341'
    [21936, 26034) 'upperDots.i'
    [26304, 30402) 'lowerDots.i'
    [30672, 30676) 'offset.i18.i'
    [30688, 30692) 'offset.i10.i'
    [30704, 30708) 'offset.i2.i'
    [30720, 30724) 'offset.i.i'
    [30736, 34834) 'token.i.i'
    [35104, 39202) 'name.i322'
    [39472, 43570) 'groupChars.i'
    [43840, 47938) 'groupDots.i'
    [48208, 52306) 'dotsParsed.i'
    [52576, 56674) 'token.i319'
    [56944, 61042) 'token.i316'
    [61312, 65410) 'ruleChars.i'
    [65680, 69778) 'ruleDots.i'
    [70048, 74146) 'name.i'
    [74416, 78514) 'matches.i'
    [78784, 82882) 'replacements.i'
    [83152, 87250) 'token.i308'
    [87520, 87522) ''
    [87536, 91634) 'token.i281'
    [91904, 96000) 'wname.i'
    [96128, 100226) 'token.i266'
    [100496, 100500) 'offset.i255'
    [100512, 100516) 'offset.i'
    [100528, 104626) 'token.i249'
    [104896, 108994) 'token.i246'
    [109264, 113362) 'token.i243'
    [113632, 117730) 'token.i240'
    [118000, 122098) 'token.i237'
    [122368, 126466) 'token.i234'
    [126736, 130834) 'token.i231'
    [131104, 135202) 'token.i227'
    [135472, 139570) 'cells.i228'
    [139840, 143938) 'token.i223'
    [144208, 148306) 'cells.i224'
    [148576, 152674) 'token.i213'
    [152944, 157042) 'token.i210'
    [157312, 161410) 'token.i207'
    [161680, 165778) 'token.i197'
    [166048, 170146) 'token.i187'
    [170416, 174514) 'token.i177'
    [174784, 178882) 'token.i173'
    [179152, 183250) 'cells.i174'
    [183520, 187618) 'token.i163'
    [187888, 191986) 'token.i153'
    [192256, 196354) 'token.i147'
    [196624, 200722) 'token.i143'
    [200992, 205090) 'cells.i144'
    [205360, 209458) 'token.i140'
    [209728, 213826) 'token.i137'
    [214096, 218194) 'token.i134'
    [218464, 222562) 'token.i130'
    [222832, 226930) 'cells.i131'
    [227200, 231298) 'token.i119'
    [231568, 235666) 'token.i115'
    [235936, 240034) 'cells.i116'
    [240304, 244402) 'token.i111'
    [244672, 248770) 'cells.i112'
    [249040, 253138) 'token.i105'
    [253408, 257506) 'tmp.i106'
    [257776, 261874) 'token.i101'
    [262144, 266242) 'cells.i102'
    [266512, 270610) 'token.i97'
    [270880, 274978) 'cells.i98'
    [275248, 279346) 'token.i93'
    [279616, 283714) 'cells.i94'
    [283984, 288082) 'token.i89'
    [288352, 292450) 'cells.i90'
    [292720, 296818) 'token.i85'
    [297088, 301186) 'cells.i86'
    [301456, 305554) 'token.i81'
    [305824, 309922) 'cells.i82'
    [310192, 314290) 'token.i76'
    [314560, 318658) 'token.i72'
    [318928, 323026) 'cells.i73'
    [323296, 327394) 'token.i68'
    [327664, 331762) 'cells.i69'
    [332032, 336130) 'token.i64'
    [336400, 340498) 'cells.i65'
    [340768, 344866) 'token.i60'
    [345136, 349234) 'cells.i61'
    [349504, 353602) 'token.i56'
    [353872, 357970) 'cells.i57'
    [358240, 362338) 'token.i52'
    [362608, 366706) 'cells.i53'
    [366976, 371074) 'token.i48'
    [371344, 375442) 'cells.i49'
    [375712, 379810) 'token.i46'
    [380080, 384178) 'tmp.i'
    [384448, 388546) 'token.i42'
    [388816, 392914) 'cells.i43'
    [393184, 397282) 'token.i39'
    [397552, 401650) 'token.i36'
    [401920, 406018) 'token.i33'
    [406288, 410386) 'token.i30'
    [410656, 414754) 'token.i28'
    [415024, 419122) 'token.i25'
    [419392, 423490) 'token.i23'
    [423760, 427858) 'token.i21'
    [428128, 432226) 'token.i'
    [432496, 436594) 'cells.i'
    [436864, 436866) ''
    [436880, 440978) 'hyph.i'
    [441248, 445346) 'word.i'
    [445616, 447664) 'pattern.i'
    [447792, 447808) 'dict.i'
    [447824, 447828) 'holdOffset.i'
    [447840, 447844) 'lastToken'
    [447856, 451954) 'token'
    [452224, 456322) 'ruleChars'
    [456592, 460690) 'ruleDots'
    [460960, 465058) 'cells'
    [465328, 469426) 'scratchPad'
    [469696, 473794) 'emphClass'
    [474064, 474068) 'after'
    [474080, 474084) 'before'
    [474096, 478194) 'includedFile' <== Memory access at offset 478194 overflows this variable
    [478464, 482562) 'ptn_before'
    [482832, 486930) 'ptn_after'
    [487200, 487204) 'offset'
    [487216, 491314) 'ptn_before1'
    [491584, 495682) 'ptn_after2'
    [495952, 495956) 'offset3'
    [495968, 500066) 'characters'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007fff6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff6490: 00 00[02]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61701==ABORTING
[Inferior 1 (process 61701) exited with code 01]
Warning: not running or target is remote
gdb-peda$ 


The vulnerability was triggered in function:
parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1462		  if (in >= MAXSTRING)
1463		    break;
1464		  if (token->chars[in] < 128 || (token->chars[in] & 0x0040))
1465		    {
1466		      compileWarning (nested, "invalid UTF-8. Assuming Latin-1.");
1467		      result->chars[out++] = token->chars[lastIn];
1468		      in = lastIn + 1;
1469		      continue;
1470		    }
1471		  utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.


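The loop quoted from compileTranslationTable.c above writes result->chars[out++] in its "Assuming Latin-1" branch without ever comparing out with MAXSTRING, and because that branch rewinds in to lastIn + 1 and then continues the inner for loop rather than the outer while, a single invalid lead byte yields one such write per continuation byte it promised (up to six for 0xFE), plus the final utf32 write; the only bound on out sits after the inner loop. With liblouis's real sizes (MAXSTRING 2048, two-byte widechar) a CharsString is 4098 bytes, and out == MAXSTRING writes two bytes exactly at its end, which is where the ASAN output above places the faulting write (offset 478194, the end of includedFile's [474096, 478194) range). The C example below was written for this page and is neither the reporter's nor liblouis's code: it reproduces that control flow with MAXSTRING shrunk to 16 and writes routed through a counting helper so it runs under a sanitizer without aborting, then shows a hardened decoder that bounds out before every write and emits an invalid lead byte as Latin-1 exactly once. The PoC token, the shrunken MAXSTRING, and the choice to emit the lead byte itself (the original emits the byte after it) are this example's assumptions, not taken from POC3 or from any liblouis fix.

```c
#include <stdint.h>
#include <string.h>
#define MAXSTRING 16   /* 2048 in liblouis; shrunk so the demo token stays readable */
#define MAXBYTES 7
typedef uint16_t widechar;
typedef struct { widechar length; widechar chars[MAXSTRING]; } CharsString;
/* Lead-byte thresholds; the index is the number of continuation bytes expected. */
static const unsigned int first0Bit[MAXBYTES] = {0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE};

/* Store r->chars[out]; a write at out >= MAXSTRING is counted in *oob, not performed,
 * so the vulnerable loop below can run under a sanitizer without aborting. */
static void put(CharsString *r, int out, widechar ch, int *oob)
{
    if (out < MAXSTRING) r->chars[out] = ch; else (*oob)++;
}

/* Vulnerable decoder: the control flow of the parseChars loop quoted in the report (escape
 * handling left out); tok is a MAXSTRING-byte buffer like token->chars. Returns OOB writes. */
static int parse_chars_vuln(CharsString *r, const unsigned char *tok, int tok_len)
{
    int in = 0, out = 0, oob = 0, lastIn, numBytes, k;
    unsigned int ch, utf32;
    while (in < tok_len) {
        ch = tok[in++];
        if (ch < 128) { put(r, out++, (widechar)ch, &oob); continue; }
        lastIn = in;
        for (numBytes = MAXBYTES - 1; numBytes > 0; numBytes--)
            if (ch >= first0Bit[numBytes]) break;
        utf32 = ch & (0xFF - first0Bit[numBytes]);
        for (k = 0; k < numBytes; k++) {
            if (in >= MAXSTRING) break;
            if (tok[in] < 128 || (tok[in] & 0x40)) {
                /* "invalid UTF-8. Assuming Latin-1.": one write for every remaining k,
                 * in rewound each time, and out never compared with MAXSTRING here. */
                put(r, out++, (widechar)tok[lastIn], &oob);
                in = lastIn + 1;
                continue;
            }
            utf32 = (utf32 << 6) + (tok[in++] & 0x3f);
        }
        put(r, out++, (widechar)(utf32 > 0xffff ? 0xffff : utf32), &oob);
        if (out >= MAXSTRING) break;   /* the only bound on out, applied after the writes */
    }
    r->length = (widechar)(out < MAXSTRING ? out : MAXSTRING);
    return oob;
}

/* Hardened decoder (this example's fix, not the one liblouis shipped): out is checked before
 * every write, a bad sequence emits its lead byte as Latin-1 once, decoding resumes after it. */
static int parse_chars_fixed(CharsString *r, const unsigned char *tok, int tok_len)
{
    int in = 0, out = 0;
    if (tok_len > MAXSTRING) return 0;
    while (in < tok_len) {
        unsigned int ch = tok[in++], utf32;
        int numBytes, k, valid = 1;
        if (out >= MAXSTRING) return 0;           /* refuse rather than overflow */
        if (ch < 128) { r->chars[out++] = (widechar)ch; continue; }
        for (numBytes = MAXBYTES - 1; numBytes > 0; numBytes--)
            if (ch >= first0Bit[numBytes]) break;
        utf32 = ch & (0xFF - first0Bit[numBytes]);
        for (k = 0; k < numBytes; k++) {
            if (in + k >= tok_len || (tok[in + k] & 0xC0) != 0x80) { valid = 0; break; }
            utf32 = (utf32 << 6) + (tok[in + k] & 0x3f);
        }
        if (!valid) { r->chars[out++] = (widechar)ch; continue; }   /* in is past the lead */
        in += numBytes;
        r->chars[out++] = (widechar)(utf32 > 0xffff ? 0xffff : utf32);
    }
    r->length = (widechar)out;
    return 1;
}

/* Constructed token (not the reporter's POC3): 13 ASCII bytes, a 0xFE lead byte that promises
 * six continuation bytes, then two ASCII bytes. Exactly MAXSTRING bytes, no terminating NUL. */
static const unsigned char poc[MAXSTRING] = "aaaaaaaaaaaaa\xFE" "bc";

/* Vulnerable loop on the PoC: writes past r->chars (three fallback writes plus the final one). */
int poc_oob_writes_vuln(void)
{
    CharsString r;
    return parse_chars_vuln(&r, poc, MAXSTRING);
}

/* Hardened loop on the PoC: r.chars[idx], -1 if the decoder refused, -2 if idx >= length. */
int poc_fixed_char(int idx)
{
    CharsString r;
    if (!parse_chars_fixed(&r, poc, MAXSTRING)) return -1;
    return idx < r.length ? r.chars[idx] : -2;
}

/* Valid two-byte UTF-8 (U+00E9) must decode identically in both loops. */
unsigned int decode_e_acute(int use_fixed)
{
    unsigned char tok[MAXSTRING] = {0xC3, 0xA9};
    CharsString r;
    if (use_fixed) parse_chars_fixed(&r, tok, 2); else parse_chars_vuln(&r, tok, 2);
    return r.chars[0];
}
```

On the constructed token the vulnerable loop attempts four writes beyond result->chars (out climbs to 20 against a 16-slot array) before its late out >= MAXSTRING check fires, while the hardened loop stores all 16 characters, turns the bare 0xFE into a single Latin-1 character, and decodes valid UTF-8 unchanged. Refusing input that would not fit (return 0) is a design choice for this example; a caller that prefers truncation can keep the partial length instead, as long as the check stays ahead of every write.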