Bug 1484334 - There is a stack overflow in liblouis which is triggered at function includeFile().
Summary: There is a stack overflow in liblouis which is triggered at function includeF...
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Matthias Clasen
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-23 09:39 UTC by owl337
Modified: 2018-08-01 23:30 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)
Triggered by "./lou_checktable POC5" (377 bytes, application/x-rar)
2017-08-23 09:39 UTC, owl337
no flags Details

Description owl337 2017-08-23 09:39:52 UTC
Created attachment 1317030 [details]
Triggered by "./lou_checktable POC5"

Description of problem:

There is a heap overflow in liblouis which is triggered at function includeFile().

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC5

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC5
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
POC8:8: warning: invalid UTF-8. Assuming Latin-1.
*** Error in `./../../../lou_checktable': free(): invalid size: 0x00000000010ef6c0 ***
Aborted

The GDB && ASAN debugging information is as follows:

gdb-peda$ r
...
Breakpoint 6, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>)
    at compileTranslationTable.c:1446
1446		  result->chars[out++] = (widechar) ch;
gdb-peda$ c 2038 
...

gdb-peda$ c 
Continuing.

Breakpoint 9, compileRule (nested=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:3838
3838		    if (!includeFile (nested, &includedFile, characterClasses, characterClassAttribute, opcodeLengths, newRuleOffset, newRule, ruleNames))
gdb-peda$ s

includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5247
5247	  for (k = 0; k < includedFile->length; k++);
gdb-peda$ until  5249 

[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fd9778 --> 0x7b82 
RBX: 0x800 
RCX: 0x96c9 
RDX: 0x137a910 --> 0x0 
RSI: 0x7ffff7fd9778 --> 0x7b82 
RDI: 0x7ffff7dc78d0 --> 0x1 
RBP: 0x7fffffff7b70 --> 0x7fffffff8d90 --> 0x7fffffffe460 --> 0x0 
RSP: 0x7ffffff7d7c0 --> 0x0 
RIP: 0x7ffff7b2cbce (<compileRule+62126>:	data16 lea rdi,[rip+0x29acfa]        # 0x7ffff7dc78d0)
R8 : 0x7ffff7fd9778 --> 0x7b82 
R9 : 0x1e 
R10: 0x3 
R11: 0x246 
R12: 0x800 
R13: 0x800 
R14: 0xffffffefb14 --> 0x0 
R15: 0x705c30 --> 0x137a910 --> 0x0
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b2cbc0 <compileRule+62112>:	mov    ebx,0x1
   0x7ffff7b2cbc5 <compileRule+62117>:	cmova  rbx,r13
   0x7ffff7b2cbc9 <compileRule+62121>:	mov    QWORD PTR [rsp+0x70],r14
=> 0x7ffff7b2cbce <compileRule+62126>:	data16 lea rdi,[rip+0x29acfa]        # 0x7ffff7dc78d0
   0x7ffff7b2cbd6 <compileRule+62134>:	data16 data16 call 0x7ffff7b12ce0 <__tls_get_addr@plt>
   0x7ffff7b2cbde <compileRule+62142>:	movsxd rcx,DWORD PTR [rax]
   0x7ffff7b2cbe1 <compileRule+62145>:	mov    rdx,QWORD PTR [r15]
   0x7ffff7b2cbe4 <compileRule+62148>:	mov    r12,r15
[------------------------------------stack-------------------------------------]
0000| 0x7ffffff7d7c0 --> 0x0 
0008| 0x7ffffff7d7c8 --> 0x0 
0016| 0x7ffffff7d7d0 --> 0x0 
0024| 0x7ffffff7d7d8 --> 0x0 
0032| 0x7ffffff7d7e0 --> 0x0 
0040| 0x7ffffff7d7e8 --> 0x0 
0048| 0x7ffffff7d7f0 --> 0x0 
0056| 0x7ffffff7d7f8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
5249	  includeThis[k] = 0;
gdb-peda$ bt 
#0  includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
#1  compileRule (nested=<optimized out>, characterClasses=<optimized out>, characterClassAttribute=<optimized out>, 
    opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, newRule=<optimized out>, ruleNames=<optimized out>)
    at compileTranslationTable.c:3838
#2  0x00007ffff7b5e548 in compileFile (fileName=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5208
#3  0x00007ffff7b1a80e in compileTranslationTable (tableList=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5316
#4  lou_getTable (tableList=<optimized out>) at compileTranslationTable.c:5419
#5  0x00000000004dbcb0 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe578)
    at lou_checktable.c:121
#6  0x00007ffff6c10ac0 in __libc_start_main (main=0x4dbb00 <main>, argc=0x2, argv=0x7fffffffe578, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe568) at libc-start.c:289
#7  0x0000000000435749 in _start ()
gdb-peda$ n
=================================================================
==62267==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffead50 at pc 0x7ffff7b3711e bp 0x7ffffff7d7b0 sp 0x7ffffff7d7a8
WRITE of size 1 at 0x7ffffffead50 thread T0
    #0 0x7ffff7b3711d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x3411d)
    #1 0x7ffff7b5e547  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547)
    #2 0x7ffff7b1a80d  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d)
    #3 0x4dbcaf  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf)
    #4 0x7ffff6c10abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x435748  (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748)

Address 0x7ffffffead50 is located in stack of thread T0 at offset 447664 in frame
    #0 0x7ffff7b1d92f  (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f)

  This frame has 134 object(s):
    [32, 4130) 'token.i387'
    [4400, 8498) 'token.i384'
    [8768, 8772) 'offset.i47.i'
    [8784, 8788) 'offset.i26.i'
    [8800, 8804) 'offset.i3.i'
	...
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007fff5550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff5590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff55a0: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2
  0x10007fff55b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 04 f2
  0x10007fff55c0: 04 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==62267==ABORTING
[Inferior 1 (process 62267) exited with code 01]
Warning: not running or target is remote

The vulnerability was triggered in function:
includeFile (nested=<optimized out>, includedFile=<optimized out>, characterClasses=<optimized out>, 
    characterClassAttribute=<optimized out>, opcodeLengths=<optimized out>, newRuleOffset=<optimized out>, 
    newRule=<optimized out>, ruleNames=<optimized out>) at compileTranslationTable.c:5249
gdb-peda$ list 
5242	{
5243	  int k;
5244	  char includeThis[MAXSTRING];
5245	  char **tableFiles;
5246	  int rv;
5247	  for (k = 0; k < includedFile->length; k++)
5248	    includeThis[k] = (char) includedFile->chars[k];
5249	  includeThis[k] = 0;
5250	  tableFiles = _lou_resolveTable (includeThis, nested->fileName);
5251	  if (tableFiles == NULL)


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.


Note You need to log in before you can comment on or make changes to this bug.