1484306 – There is a Stack-buffer-overflow in liblouis which is triggered in function parseChars().

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1484306 - There is a Stack-buffer-overflow in liblouis which is triggered in function parseChars().

Summary: There is a Stack-buffer-overflow in liblouis which is triggered in function ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	liblouis
Sub Component:
Version:	7.5-Alt
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	David King
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-23 08:40 UTC by owl337
Modified:	2021-01-15 07:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-15 07:41:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Triggered by " ./lou_checktable POC3 " (510 bytes, application/x-rar) 2017-08-23 08:40 UTC, owl337	no flags	Details
View All

Description owl337 2017-08-23 08:40:09 UTC

Created attachment 1316992 [details]
Triggered by " ./lou_checktable POC3 "

Description of problem:

There is a Stack-buffer-overflow  in liblouis which is triggered in function parseChars().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC3

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC3
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
POC4:17: warning: invalid UTF-8. Assuming Latin-1.
*** Error in `./lou_checktable': double free or corruption (!prev): 0x00000000017cea20 ***
Aborted

The GDB && ASAN debugging information is as follows:
gdb-peda$ set args  POC3
gdb-peda$ r 
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ c 511 
Will ignore next 510 crossings of breakpoint 9.  Continuing.
Cannot resolve table 'elxame:'
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined.
Cannot resolve table '.ctb'
...
Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1467		      result->chars[out++] = token->chars[lastIn];
...
Legend: code, data, rodata, value
1467		      result->chars[out++] = token->chars[lastIn];
gdb-peda$ n
=================================================================
==61701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff2492 at pc 0x7ffff7b15dcb bp 0x7ffffff7d730 sp 0x7ffffff7d728
WRITE of size 2 at 0x7fffffff2492 thread T0
    #0 0x7ffff7b15dca  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x12dca)
    #1 0x7ffff7b23212  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x20212)
    #2 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #3 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #4 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #5 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #6 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

Address 0x7fffffff2492 is located in stack of thread T0 at offset 478194 in frame
    #0 0x7ffff7b1d92f  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f)

  This frame has 134 object(s):
    [32, 4130) 'token.i387'
    [4400, 8498) 'token.i384'
    [8768, 8772) 'offset.i47.i'
    [8784, 8788) 'offset.i26.i'
    [8800, 8804) 'offset.i3.i'
    [8816, 8820) 'offset.i.i338'
    [8832, 12930) 'token.i.i339'
    [13200, 17298) 'ruleChars.i340'
    [17568, 21666) 'ruleDots.i341'
    [21936, 26034) 'upperDots.i'
    [26304, 30402) 'lowerDots.i'
    [30672, 30676) 'offset.i18.i'
    [30688, 30692) 'offset.i10.i'
    [30704, 30708) 'offset.i2.i'
    [30720, 30724) 'offset.i.i'
    [30736, 34834) 'token.i.i'
    [35104, 39202) 'name.i322'
    [39472, 43570) 'groupChars.i'
    [43840, 47938) 'groupDots.i'
    [48208, 52306) 'dotsParsed.i'
    [52576, 56674) 'token.i319'
    [56944, 61042) 'token.i316'
    [61312, 65410) 'ruleChars.i'
    [65680, 69778) 'ruleDots.i'
    [70048, 74146) 'name.i'
    [74416, 78514) 'matches.i'
    [78784, 82882) 'replacements.i'
    [83152, 87250) 'token.i308'
    [87520, 87522) ''
    [87536, 91634) 'token.i281'
    [91904, 96000) 'wname.i'
    [96128, 100226) 'token.i266'
    [100496, 100500) 'offset.i255'
    [100512, 100516) 'offset.i'
    [100528, 104626) 'token.i249'
    [104896, 108994) 'token.i246'
    [109264, 113362) 'token.i243'
    [113632, 117730) 'token.i240'
    [118000, 122098) 'token.i237'
    [122368, 126466) 'token.i234'
    [126736, 130834) 'token.i231'
    [131104, 135202) 'token.i227'
    [135472, 139570) 'cells.i228'
    [139840, 143938) 'token.i223'
    [144208, 148306) 'cells.i224'
    [148576, 152674) 'token.i213'
    [152944, 157042) 'token.i210'
    [157312, 161410) 'token.i207'
    [161680, 165778) 'token.i197'
    [166048, 170146) 'token.i187'
    [170416, 174514) 'token.i177'
    [174784, 178882) 'token.i173'
    [179152, 183250) 'cells.i174'
    [183520, 187618) 'token.i163'
    [187888, 191986) 'token.i153'
    [192256, 196354) 'token.i147'
    [196624, 200722) 'token.i143'
    [200992, 205090) 'cells.i144'
    [205360, 209458) 'token.i140'
    [209728, 213826) 'token.i137'
    [214096, 218194) 'token.i134'
    [218464, 222562) 'token.i130'
    [222832, 226930) 'cells.i131'
    [227200, 231298) 'token.i119'
    [231568, 235666) 'token.i115'
    [235936, 240034) 'cells.i116'
    [240304, 244402) 'token.i111'
    [244672, 248770) 'cells.i112'
    [249040, 253138) 'token.i105'
    [253408, 257506) 'tmp.i106'
    [257776, 261874) 'token.i101'
    [262144, 266242) 'cells.i102'
    [266512, 270610) 'token.i97'
    [270880, 274978) 'cells.i98'
    [275248, 279346) 'token.i93'
    [279616, 283714) 'cells.i94'
    [283984, 288082) 'token.i89'
    [288352, 292450) 'cells.i90'
    [292720, 296818) 'token.i85'
    [297088, 301186) 'cells.i86'
    [301456, 305554) 'token.i81'
    [305824, 309922) 'cells.i82'
    [310192, 314290) 'token.i76'
    [314560, 318658) 'token.i72'
    [318928, 323026) 'cells.i73'
    [323296, 327394) 'token.i68'
    [327664, 331762) 'cells.i69'
    [332032, 336130) 'token.i64'
    [336400, 340498) 'cells.i65'
    [340768, 344866) 'token.i60'
    [345136, 349234) 'cells.i61'
    [349504, 353602) 'token.i56'
    [353872, 357970) 'cells.i57'
    [358240, 362338) 'token.i52'
    [362608, 366706) 'cells.i53'
    [366976, 371074) 'token.i48'
    [371344, 375442) 'cells.i49'
    [375712, 379810) 'token.i46'
    [380080, 384178) 'tmp.i'
    [384448, 388546) 'token.i42'
    [388816, 392914) 'cells.i43'
    [393184, 397282) 'token.i39'
    [397552, 401650) 'token.i36'
    [401920, 406018) 'token.i33'
    [406288, 410386) 'token.i30'
    [410656, 414754) 'token.i28'
    [415024, 419122) 'token.i25'
    [419392, 423490) 'token.i23'
    [423760, 427858) 'token.i21'
    [428128, 432226) 'token.i'
    [432496, 436594) 'cells.i'
    [436864, 436866) ''
    [436880, 440978) 'hyph.i'
    [441248, 445346) 'word.i'
    [445616, 447664) 'pattern.i'
    [447792, 447808) 'dict.i'
    [447824, 447828) 'holdOffset.i'
    [447840, 447844) 'lastToken'
    [447856, 451954) 'token'
    [452224, 456322) 'ruleChars'
    [456592, 460690) 'ruleDots'
    [460960, 465058) 'cells'
    [465328, 469426) 'scratchPad'
    [469696, 473794) 'emphClass'
    [474064, 474068) 'after'
    [474080, 474084) 'before'
    [474096, 478194) 'includedFile' <== Memory access at offset 478194 overflows this variable
    [478464, 482562) 'ptn_before'
    [482832, 486930) 'ptn_after'
    [487200, 487204) 'offset'
    [487216, 491314) 'ptn_before1'
    [491584, 495682) 'ptn_after2'
    [495952, 495956) 'offset3'
    [495968, 500066) 'characters'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007fff6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff6490: 00 00[02]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff64b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61701==ABORTING
[Inferior 1 (process 61701) exited with code 01]
Warning: not running or target is remote
gdb-peda$ 


The vulnerability was triggered in function:
parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1467
1462		  if (in >= MAXSTRING)
1463		    break;
1464		  if (token->chars[in] < 128 || (token->chars[in] & 0x0040))
1465		    {
1466		      compileWarning (nested, "invalid UTF-8. Assuming Latin-1.");
1467		      result->chars[out++] = token->chars[lastIn];
1468		      in = lastIn + 1;
1469		      continue;
1470		    }
1471		  utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:24 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.