Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1484332

Summary: There is an use-after-free in function compileBrailleIndicator() of liblouis.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: liblouisAssignee: David King <dking>
Status: CLOSED WONTFIX QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: mclasen
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-15 07:41:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by " ./lou_checktable POC4 " none

Description owl337 2017-08-23 09:35:31 UTC 
Created attachment 1317016 [details]
Triggered by " ./lou_checktable POC4 "

Description of problem:

There is an use-after-free in function compileBrailleIndicator() of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC4


Steps to Reproduce:


$ ./lou_checktable POC4
POC16:3: error: opcode 'cludigithub.ctamerctracpi1' not defined.
POC16:5: error: opcode ':' not defined.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
POC16:6: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctrac@'
POC16:7: error: opcode 'incrctracpi1' not defined.
POC16:9: error: opcode ':' not defined.
Cannot resolve table 'eesi]cLGection:'
POC16:17: error: opcode 'cludincluder-\x00ffame:' not defined.
POC16:18: error: Character 't' is not defined
POC16:18: error: Character 'o' is not defined
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
POC16:19: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:sMiel'
POC16:20: error: opcode '\x0080nclude' not defined.
POC16:21: error: opcode 'Jub.cpi\x00aectb' not defined.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
POC16:22: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecocluctracpion:sMiel'
Cannot resolve table 'eesi]t'
POC16:25: error: opcode 'Jnclude' not defined.
POC16:26: error: opcode 'iLGP\x00ffv2de:' not defined.
POC16:31: error: opcode 'cludincluder-\x00ffame:' not defined.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
POC16:33: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:sMiel'
POC16:34: error: opcode '\x0080nclude' not defined.
POC16:35: error: opcode 'Jub.cpi\x00aectb' not defined.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
POC16:36: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecocluctracpion:sMiel'
Cannot resolve table 'eesi]t'
POC16:39: error: opcode 'Jnclude' not defined.
POC16:40: error: opcode 'iLGP\x00ffv2de:' not defined.
Cannot resolve table 'brabllecontr'
Cannot resolve table 'el6ave'
POC16:45: error: opcode 'xnclud\x00ff\x007fbraillecontractibrailleon:' not defined.
POC16:53: error: opcode 'cludincluder-\x00ffame:' not defined.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
POC16:55: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:s@iel'
POC16:56: error: opcode '\x0080nclude' not defined.
POC16:57: error: opcode 'Jub.cpi\x00aectb' not defined.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
POC16:58: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:sMiel'
Cannot resolve table 'pd.ctb'
Cannot resolve table 'eesi]t'
POC16:62: error: opcode 'Jnclude' not defined.
POC16:63: error: opcode 'iLGP\x00ffv2de:' not defined.
POC16:64: error: opcode 'includmee' not defined.
POC16:65: error: opcode 'incrctracpi1' not defined.
POC16:67: error: opcode ':' not defined.
POC16:68: error: opcode 'inc\x0085uccccccccccccccccccccccccccccccccccccccccccccccccccccce' not defined.
POC16:69: error: opcode 'iLGP\x00ffv2de:' not defined.
POC16:70: error: opcode 'includmee' not defined.
POC16:71: error: opcode 'incrctracpi1' not defined.
POC16:73: error: opcode ':' not defined.
POC16:74: error: opcode 'inc\x0085uccccccccccccccccccccccccccccccccccccccccccccccccccccccc\x00e3ccccccccccccccccccccccccccccccccccpi.ctb' not defined.
Cannot resolve table 'brabllecontr'
Cannot resolve table 'el6ave'
POC16:79: error: opcode 'xnclud\x00ff\x007fbraillecontractibrailleon:' not defined.
POC16:87: error: opcode 'cludincluder-\x00ffame:' not defined.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
POC16:89: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:s@iel'
POC16:90: error: opcode '\x0080nclude' not defined.
POC16:91: error: opcode 'Jub.cpi\x00aectb' not defined.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
POC16:92: warning: invalid UTF-8. Assuming Latin-1.
Cannot resolve table 'bralllllllecontrctracpion:sMiel'
Cannot resolve table 'pd.ctb'
Cannot resolve table 'eesi]t'
/home/icy/secreal/liblouis/install/share/liblouis/tables/el.ctb:485: error: character class already defined.
/home/icy/secreal/liblouis/install/share/liblouis/tables/el.ctb:489: error: character class already defined.
POC16:96: error: opcode 'Jnclude' not defined.
POC16:97: error: opcode 'iLGP\x00ffv2de:' not defined.
POC16:98: error: opcode 'includmee' not defined.
POC16:99: error: opcode 'incrctracpi1' not defined.
POC16:101: error: opcode ':' not defined.
POC16:102: error: opcode 'inc\x0085ucccccccccccccccccccccOccccccccccccccccccccccccccccccce' not defined.
POC16:103: error: opcode 'iLGP\x00ffv2de:' not defined.
POC16:104: error: opcode 'includmee' not defined.
POC16:105: error: opcode 'incrctracpi1' not defined.
POC16:107: error: opcode ':' not defined.
POC16:108: error: opcode 'inc\x0085uccccccccccccccccccccccccccccccccccccccccccccccccccccccc\x00e3ccccccccccccccccccccccccccccccccccccccccccc\x007f\x00ffcccccc\x00ffccccccccccc' not defined.
POC16:110: error: opcode 'cc\x00e3ccccccccccccccccccccccccccccccccccccccccccc\x007f\x00ffcccccc\x00ffccccccccccc' not defined.
POC16:114: error: opcode '\x0085thor-name:' not defined.
Cannot resolve table 'pi.ct'
Cannot resolve table 'el'
Segmentation fault


The GDB && ASAN debugging information is as follows:
gdb-peda$ set args  POC4
gdb-peda$ r 
...

Breakpoint 2, compileRule (nested=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:4016
4016					 CTO_CapsLetterRule, &table->emphRules[capsRule][letterOffset], &lastToken, newRuleOffset, newRule, noback, nofor);
gdb-peda$ c 2 
...
Breakpoint 2, compileRule (nested=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:4016
4016					 CTO_CapsLetterRule, &table->emphRules[capsRule][letterOffset], &lastToken, newRuleOffset, newRule, noback, nofor);
gdb-peda$ n

4015		compileBrailleIndicator (nested, "single letter capital sign",
gdb-peda$ n
4016					 CTO_CapsLetterRule, &table->emphRules[capsRule][letterOffset], &lastToken, newRuleOffset, newRule, noback, nofor);
gdb-peda$ n
4015		compileBrailleIndicator (nested, "single letter capital sign",
gdb-peda$ s 

[----------------------------------registers-----------------------------------]
RAX: 0x1 
RBX: 0x7ffff7f86aa4 --> 0x55f1000055e9 
RCX: 0x0 
RDX: 0x137a910 --> 0x0 
RSI: 0x7ffff7fd9778 --> 0x3cf2 
RDI: 0x7ffff7dc78d0 --> 0x1 
RBP: 0x7ffffff7c590 --> 0x7ffffff7d7b0 --> 0x7fffffff7b70 --> 0x7fffffff8d90 --> 0x7fffffffe450 --> 0x0 
RSP: 0x7ffffff021e0 --> 0x0 
RIP: 0x7ffff7b236ef (<compileRule+24015>:	data16 lea rdi,[rip+0x2a41d9]        # 0x7ffff7dc78d0)
R8 : 0x7ffff7fd9778 --> 0x3cf2 
R9 : 0xffffefff81018929 
R10: 0x23c 
R11: 0x23c 
R12: 0x7ffffff533c0 --> 0x3600340002 --> 0x0 
R13: 0x7ffffff544d0 --> 0x80280001 --> 0x0 
R14: 0xffffffe0458 --> 0x0 
R15: 0x705c30 --> 0x137a910 --> 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b236de <compileRule+23998>:	je     0x7ffff7b23737 <compileRule+24087>
   0x7ffff7b236e0 <compileRule+24000>:	mov    rbx,QWORD PTR [rsp+0xd8]
   0x7ffff7b236e8 <compileRule+24008>:	add    rbx,0x2a4
=> 0x7ffff7b236ef <compileRule+24015>:	data16 lea rdi,[rip+0x2a41d9]        # 0x7ffff7dc78d0
   0x7ffff7b236f7 <compileRule+24023>:	data16 data16 call 0x7ffff7b12ce0 <__tls_get_addr@plt>
   0x7ffff7b236ff <compileRule+24031>:	movsxd rcx,DWORD PTR [rax]
   0x7ffff7b23702 <compileRule+24034>:	mov    rdx,QWORD PTR [r15]
   0x7ffff7b23705 <compileRule+24037>:	xor    rcx,0x3cf9
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff021e0 --> 0x0 
0008| 0x7ffffff021e8 --> 0x0 
0016| 0x7ffffff021f0 --> 0x0 
0024| 0x7ffffff021f8 --> 0x0 
0032| 0x7ffffff02200 --> 0x0 
0040| 0x7ffffff02208 --> 0x0 
0048| 0x7ffffff02210 --> 0x0 
0056| 0x7ffffff02218 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
compileBrailleIndicator (nested=<optimized out>, ermsg=<optimized out>, opcode=<optimized out>, rule=<optimized out>, 
    lastToken=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, noback=<optimized out>, 
    nofor=<optimized out>) at compileTranslationTable.c:3242
3242	  *rule = *newRuleOffset;
gdb-peda$ bt 
#1  0x00007ffff7b236ff in compileBrailleIndicator (nested=<optimized out>, ermsg=<optimized out>, 
    opcode=<optimized out>, rule=<optimized out>, lastToken=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, noback=<optimized out>, nofor=<optimized out>) at compileTranslationTable.c:3242
#2  compileRule (nested=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, 
    opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>)
    at compileTranslationTable.c:4015
#3  0x00007ffff7b5e548 in compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5208
#4  0x00007ffff7b2fe3c in includeFile (nested=<optimized out>, includedFile=<optimized out>, 
    characterClasses=<optimized out>, characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, 
    newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5263
#5  compileRule (nested=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, 
    opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>)
    at compileTranslationTable.c:3838
#6  0x00007ffff7b5e548 in compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5208
#7  0x00007ffff7b1a80e in compileTranslationTable (tableList=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5316
#8  lou_getTable (tableList=<optimized out>) at compileTranslationTable.c:5419
#9  0x00000000004dbcb0 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe568)
    at lou_checktable.c:121
#10 0x00007ffff6c10ac0 in __libc_start_main (main=0x4dbb00 <main>, argc=0x2, argv=0x7fffffffe568, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe558) at libc-start.c:289
#11 0x0000000000435749 in _start ()

gdb-peda$ n
=================================================================
==130310==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffff7f86aa4 at pc 0x7ffff7b36b2a bp 0x7ffffff021d0 sp 0x7ffffff021c8
WRITE of size 4 at 0x7ffff7f86aa4 thread T0
    #0 0x7ffff7b36b29  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x33b29)
    #1 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #2 0x7ffff7b2fe3b  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x2ce3b)
    #3 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #4 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #5 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #6 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #7 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

0x7ffff7f86aa4 is located 676 bytes inside of 147145-byte region [0x7ffff7f86800,0x7ffff7faa6c9)
freed by thread T0 here:
    #0 0x4bca55  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4bca55)
    #1 0x7ffff7b3d7ac  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x3a7ac)
    #2 0x61600000d87f  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x4bca55  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4bca55)
    #1 0x7ffff7b3d7ac  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x3a7ac)
    #2 0x61600000e17f  (<unknown module>)

Shadow bytes around the buggy address:
  0x10007efe8d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x10007efe8d50: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x10007efe8da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==130310==ABORTING
[Inferior 1 (process 130310) exited with code 01]

The vulnerability was triggered in function:
compileBrailleIndicator (nested=<optimized out>, ermsg=<optimized out>, opcode=<optimized out>, rule=<optimized out>, 
    lastToken=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, noback=<optimized out>, 
    nofor=<optimized out>) at compileTranslationTable.c:3242
3237	  CharsString cells;
3238	  if (getToken (nested, &token, ermsg, lastToken))
3239	    if (parseDots (nested, &cells, &token))
3240	      if (!addRule (nested, opcode, NULL, &cells, 0, 0, newRuleOffset, newRule, noback, nofor))
3241		return 0;
3242	  *rule = *newRuleOffset;
3243	  return 1;
3244	}
3245	
3246	static int


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 RHEL Program Management 2021-01-15 07:41:25 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.