Bug 1484306 - There is a Stack-buffer-overflow in liblouis which is triggered in function parseChars().
Summary: There is a Stack-buffer-overflow in liblouis which is triggered in function ...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: David King
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-23 08:40 UTC by owl337
Modified: 2021-01-15 07:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-15 07:41:24 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by " ./lou_checktable POC3 " (510 bytes, application/x-rar)
2017-08-23 08:40 UTC, owl337
no flags Details

Description owl337 2017-08-23 08:40:09 UTC
Created attachment 1316992 [details]
Triggered by " ./lou_checktable POC3 "

Description of problem:

There is a Stack-buffer-overflow  in liblouis which is triggered in function parseChars().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC3

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC3
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
*** Error in `./lou_checktable': double free or corruption (!prev): 0x00000000017cea20 ***
Aborted

The GDB && ASAN debugging information is as follows:
gdb-peda$ set args  POC3
gdb-peda$ r 
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ c 511 
Will ignore next 510 crossings of breakpoint 9.  Continuing.
Cannot resolve table 'elxame:'
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
Cannot resolve table '.ctb'
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
...
Legend: code, data, rodata, value
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ n
=================================================================
==61701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff2492 at pc 0x7ffff7b15dcb bp 0x7ffffff7d730 sp 0x7ffffff7d728
WRITE of size 2 at 0x7fffffff2492 thread T0
    #0 0x7ffff7b15dca  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x12dca)
    #1 0x7ffff7b23212  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x20212)
    #2 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #3 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #4 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #5 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

Address 0x7fffffff2492 is located in stack of thread T0 at offset 478194 in frame
    #0 0x7ffff7b1d92f  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f)

  This frame has 134 object(s):
    [32, 4130) 'token.i387'
    [4400, 8498) 'token.i384'
    [8768, 8772) 'offset.i47.i'
    [8784, 8788) 'offset.i26.i'
    [8800, 8804) 'offset.i3.i'
    [8816, 8820) 'offset.i.i338'
    [8832, 12930) 'token.i.i339'
    [13200, 17298) 'ruleChars.i340'
    [17568, 21666) 'ruleDots.i341'
    [21936, 26034) 'upperDots.i'
    [26304, 30402) 'lowerDots.i'
    [30672, 30676) 'offset.i18.i'
    [30688, 30692) 'offset.i10.i'
    [30704, 30708) 'offset.i2.i'
    [30720, 30724) 'offset.i.i'
    [30736, 34834) 'token.i.i'
    [35104, 39202) 'name.i322'
    [39472, 43570) 'groupChars.i'
    [43840, 47938) 'groupDots.i'
    [48208, 52306) 'dotsParsed.i'
    [52576, 56674) 'token.i319'
    [56944, 61042) 'token.i316'
    [61312, 65410) 'ruleChars.i'
    [65680, 69778) 'ruleDots.i'
    [70048, 74146) 'name.i'
    [74416, 78514) 'matches.i'
    [78784, 82882) 'replacements.i'
    [83152, 87250) 'token.i308'
    [87520, 87522) ''
    [87536, 91634) 'token.i281'
    [91904, 96000) 'wname.i'
    [96128, 100226) 'token.i266'
    [100496, 100500) 'offset.i255'
    [100512, 100516) 'offset.i'
    [100528, 104626) 'token.i249'
    [104896, 108994) 'token.i246'
    [109264, 113362) 'token.i243'
    [113632, 117730) 'token.i240'
    [118000, 122098) 'token.i237'
    [122368, 126466) 'token.i234'
    [126736, 130834) 'token.i231'
    [131104, 135202) 'token.i227'
    [135472, 139570) 'cells.i228'
    [139840, 143938) 'token.i223'
    [144208, 148306) 'cells.i224'
    [148576, 152674) 'token.i213'
    [152944, 157042) 'token.i210'
    [157312, 161410) 'token.i207'
    [161680, 165778) 'token.i197'
    [166048, 170146) 'token.i187'
    [170416, 174514) 'token.i177'
    [174784, 178882) 'token.i173'
    [179152, 183250) 'cells.i174'
    [183520, 187618) 'token.i163'
    [187888, 191986) 'token.i153'
    [192256, 196354) 'token.i147'
    [196624, 200722) 'token.i143'
    [200992, 205090) 'cells.i144'
    [205360, 209458) 'token.i140'
    [209728, 213826) 'token.i137'
    [214096, 218194) 'token.i134'
    [218464, 222562) 'token.i130'
    [222832, 226930) 'cells.i131'
    [227200, 231298) 'token.i119'
    [231568, 235666) 'token.i115'
    [235936, 240034) 'cells.i116'
    [240304, 244402) 'token.i111'
    [244672, 248770) 'cells.i112'
    [249040, 253138) 'token.i105'
    [253408, 257506) 'tmp.i106'
    [257776, 261874) 'token.i101'
    [262144, 266242) 'cells.i102'
    [266512, 270610) 'token.i97'
    [270880, 274978) 'cells.i98'
    [275248, 279346) 'token.i93'
    [279616, 283714) 'cells.i94'
    [283984, 288082) 'token.i89'
    [288352, 292450) 'cells.i90'
    [292720, 296818) 'token.i85'
    [297088, 301186) 'cells.i86'
    [301456, 305554) 'token.i81'
    [305824, 309922) 'cells.i82'
    [310192, 314290) 'token.i76'
    [314560, 318658) 'token.i72'
    [318928, 323026) 'cells.i73'
    [323296, 327394) 'token.i68'
    [327664, 331762) 'cells.i69'
    [332032, 336130) 'token.i64'
    [336400, 340498) 'cells.i65'
    [340768, 344866) 'token.i60'
    [345136, 349234) 'cells.i61'
    [349504, 353602) 'token.i56'
    [353872, 357970) 'cells.i57'
    [358240, 362338) 'token.i52'
    [362608, 366706) 'cells.i53'
    [366976, 371074) 'token.i48'
    [371344, 375442) 'cells.i49'
    [375712, 379810) 'token.i46'
    [380080, 384178) 'tmp.i'
    [384448, 388546) 'token.i42'
    [388816, 392914) 'cells.i43'
    [393184, 397282) 'token.i39'
    [397552, 401650) 'token.i36'
    [401920, 406018) 'token.i33'
    [406288, 410386) 'token.i30'
    [410656, 414754) 'token.i28'
    [415024, 419122) 'token.i25'
    [419392, 423490) 'token.i23'
    [423760, 427858) 'token.i21'
    [428128, 432226) 'token.i'
    [432496, 436594) 'cells.i'
    [436864, 436866) ''
    [436880, 440978) 'hyph.i'
    [441248, 445346) 'word.i'
    [445616, 447664) 'pattern.i'
    [447792, 447808) 'dict.i'
    [447824, 447828) 'holdOffset.i'
    [447840, 447844) 'lastToken'
    [447856, 451954) 'token'
    [452224, 456322) 'ruleChars'
    [456592, 460690) 'ruleDots'
    [460960, 465058) 'cells'
    [465328, 469426) 'scratchPad'
    [469696, 473794) 'emphClass'
    [474064, 474068) 'after'
    [474080, 474084) 'before'
    [474096, 478194) 'includedFile' <== Memory access at offset 478194 overflows this variable
    [478464, 482562) 'ptn_before'
    [482832, 486930) 'ptn_after'
    [487200, 487204) 'offset'
    [487216, 491314) 'ptn_before1'
    [491584, 495682) 'ptn_after2'
    [495952, 495956) 'offset3'
    [495968, 500066) 'characters'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007fff6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff6490: 00 00[02]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61701==ABORTING
[Inferior 1 (process 61701) exited with code 01]
Warning: not running or target is remote
gdb-peda$ 


The vulnerability was triggered in function:
parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1462		  if (in >= MAXSTRING)
1463		    break;
1464		  if (token->chars[in] < 128 || (token->chars[in] & 0x0040))
1465		    {
1466		      compileWarning (nested, "invalid UTF-8. Assuming Latin-1.");
1467		      result->chars[out++] = token->chars[lastIn];
1468		      in = lastIn + 1;
1469		      continue;
1470		    }
1471		  utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:24 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.


Note You need to log in before you can comment on or make changes to this bug.