Bug 1484334 - There is a stack overflow in liblouis which is triggered at function includeFile().
Summary: There is a stack overflow in liblouis which is triggered at function includeF...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: David King
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-23 09:39 UTC by owl337
Modified: 2021-01-15 07:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-15 07:41:26 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by "./lou_checktable POC5" (377 bytes, application/x-rar)
2017-08-23 09:39 UTC, owl337
no flags Details

Description owl337 2017-08-23 09:39:52 UTC
Created attachment 1317030 [details]
Triggered by "./lou_checktable POC5"

Description of problem:

There is a heap overflow in liblouis which is triggered at function includeFile().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC5

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC5
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
*** Error in `./../../../lou_checktable': free(): invalid size: 0x00000000010ef6c0 ***
Aborted

The GDB && ASAN debugging information is as follows:

gdb-peda$ r
...
Breakpoint 6, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1446
1446		  result->chars[out++] = (widechar) ch;
gdb-peda$ c 2038 
...

gdb-peda$ c 
Continuing.

Breakpoint 9, compileRule (nested=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:3838
3838		    if (!includeFile (nested, &includedFile, characterClasses, characterClassAttribute, opcodeLengths, newRuleOffset, newRule, ruleNames))
gdb-peda$ s

includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5247
5247	  for (k = 0; k < includedFile->length; k++);
gdb-peda$ until  5249 

[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fd9778 --> 0x7b82 
RBX: 0x800 
RCX: 0x96c9 
RDX: 0x137a910 --> 0x0 
RSI: 0x7ffff7fd9778 --> 0x7b82 
RDI: 0x7ffff7dc78d0 --> 0x1 
RBP: 0x7fffffff7b70 --> 0x7fffffff8d90 --> 0x7fffffffe460 --> 0x0 
RSP: 0x7ffffff7d7c0 --> 0x0 
RIP: 0x7ffff7b2cbce (<compileRule+62126>:	data16 lea rdi,[rip+0x29acfa]        # 0x7ffff7dc78d0)
R8 : 0x7ffff7fd9778 --> 0x7b82 
R9 : 0x1e 
R10: 0x3 
R11: 0x246 
R12: 0x800 
R13: 0x800 
R14: 0xffffffefb14 --> 0x0 
R15: 0x705c30 --> 0x137a910 --> 0x0
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b2cbc0 <compileRule+62112>:	mov    ebx,0x1
   0x7ffff7b2cbc5 <compileRule+62117>:	cmova  rbx,r13
   0x7ffff7b2cbc9 <compileRule+62121>:	mov    QWORD PTR [rsp+0x70],r14
=> 0x7ffff7b2cbce <compileRule+62126>:	data16 lea rdi,[rip+0x29acfa]        # 0x7ffff7dc78d0
   0x7ffff7b2cbd6 <compileRule+62134>:	data16 data16 call 0x7ffff7b12ce0 <__tls_get_addr@plt>
   0x7ffff7b2cbde <compileRule+62142>:	movsxd rcx,DWORD PTR [rax]
   0x7ffff7b2cbe1 <compileRule+62145>:	mov    rdx,QWORD PTR [r15]
   0x7ffff7b2cbe4 <compileRule+62148>:	mov    r12,r15
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff7d7c0 --> 0x0 
0008| 0x7ffffff7d7c8 --> 0x0 
0016| 0x7ffffff7d7d0 --> 0x0 
0024| 0x7ffffff7d7d8 --> 0x0 
0032| 0x7ffffff7d7e0 --> 0x0 
0040| 0x7ffffff7d7e8 --> 0x0 
0048| 0x7ffffff7d7f0 --> 0x0 
0056| 0x7ffffff7d7f8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
5249	  includeThis[k] = 0;
gdb-peda$ bt 
#0  includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
#1  compileRule (nested=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, 
    opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>)
    at compileTranslationTable.c:3838
#2  0x00007ffff7b5e548 in compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5208
#3  0x00007ffff7b1a80e in compileTranslationTable (tableList=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5316
#4  lou_getTable (tableList=<optimized out>) at compileTranslationTable.c:5419
#5  0x00000000004dbcb0 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe578)
    at lou_checktable.c:121
#6  0x00007ffff6c10ac0 in __libc_start_main (main=0x4dbb00 <main>, argc=0x2, argv=0x7fffffffe578, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe568) at libc-start.c:289
#7  0x0000000000435749 in _start ()
gdb-peda$ n
=================================================================
==62267==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffead50 at pc 0x7ffff7b3711e bp 0x7ffffff7d7b0 sp 0x7ffffff7d7a8
WRITE of size 1 at 0x7ffffffead50 thread T0
    #0 0x7ffff7b3711d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x3411d)
    #1 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #2 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #3 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #4 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

Address 0x7ffffffead50 is located in stack of thread T0 at offset 447664 in frame
    #0 0x7ffff7b1d92f  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f)

  This frame has 134 object(s):
    [32, 4130) 'token.i387'
    [4400, 8498) 'token.i384'
    [8768, 8772) 'offset.i47.i'
    [8784, 8788) 'offset.i26.i'
    [8800, 8804) 'offset.i3.i'
	...
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007fff5550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff55a0: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2
  0x10007fff55b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 04 f2
  0x10007fff55c0: 04 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==62267==ABORTING
[Inferior 1 (process 62267) exited with code 01]
Warning: not running or target is remote

The vulnerability was triggered in function:
includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
gdb-peda$ list 
5242	{
5243	  int k;
5244	  char includeThis[MAXSTRING];
5245	  char **tableFiles;
5246	  int rv;
5247	  for (k = 0; k < includedFile->length; k++)
5248	    includeThis[k] = (char) includedFile->chars[k];
5249	  includeThis[k] = 0;
5250	  tableFiles = _lou_resolveTable (includeThis, nested->fileName);
5251	  if (tableFiles == NULL)


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 4 RHEL Program Management 2021-01-15 07:41:26 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.


Note You need to log in before you can comment on or make changes to this bug.