Bug 1484338 - There is an illegal address access in function _lou_getALine() of liblouis.
Summary: There is an illegal address access in function _lou_getALine() of liblouis.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: liblouis
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthias Clasen
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-23 09:46 UTC by owl337
Modified: 2019-08-01 18:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
Triggered by " ./lou_checktable POC7 " (574 bytes, application/x-rar)
2017-08-23 09:46 UTC, owl337

Description owl337 2017-08-23 09:46:02 UTC
Created attachment 1317032
Triggered by " ./lou_checktable POC7 "

Description of problem:

There is an illegal address access in function _lou_getALine() of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC7 

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC7
POC4:2: error: opcode 'inglud\x00d5' not defined.
POC4:3: error: opcode ':se:' not defined.
POC4:5: error: opcode 't' not defined.
POC4:6: error: opcode 'i' not defined.
POC4:7: error: opcode 'ronk' not defined.
POC4:8: error: opcode 'includet' not defined.
POC4:9: error: opcode 'd' not defined.
POC4:13: error: opcode 'nclu' not defined.
POC4:15: error: opcode '\x00f0' not defined.
POC4:22: error: opcode 'd' not defined.
POC4:25: error: opcode 'pi.Ktb' not defined.
POC4:26: error: include file name not specified.
POC4:31: error: opcode '\x00f6' not defined.
POC4:34: error: opcode '\x00fb' not defined.
Segmentation fault

The GDB debugging information is as follows:

gdb-peda$ r 
...
Breakpoint 3, _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ c 327 
Will ignore next 326 crossings of breakpoint 3.  Continuing.
POC4:2: error: opcode 'inglud\x00d5' not defined.
POC4:3: error: opcode ':se:' not defined.
POC4:5: error: opcode 't' not defined.
POC4:6: error: opcode 'i' not defined.
POC4:7: error: opcode 'ronk' not defined.
POC4:8: error: opcode 'includet' not defined.
POC4:9: error: opcode 'd' not defined.
POC4:13: error: opcode 'nclu' not defined.
POC4:15: error: opcode '\x00f0' not defined.
POC4:22: error: opcode 'd' not defined.
POC4:25: error: opcode 'pi.Ktb' not defined.
POC4:26: error: include file name not specified.
POC4:31: error: opcode '\x00f6' not defined.
POC4:34: error: opcode '\x00fb' not defined.

Breakpoint 3, _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffff008b 
RBX: 0x606178 --> 0x606de0 --> 0x0 
RCX: 0xcd84 
RDX: 0x606de0 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0x2b ('+')
RSP: 0x7fffffffbb30 --> 0x0 
RIP: 0x7ffff7b904ae (<compileFile+398>:	mov    WORD PTR [rsp+r15*2+0x34],bp)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x202762663030785c ("\\x00fb' ")
R11: 0x246 
R12: 0x625bc0 --> 0x6263f0 --> 0x34434f50 ('POC4')
R13: 0x6263f0 --> 0x34434f50 ('POC4')
R14: 0x7fffffffbb38 --> 0x6263f0 --> 0x34434f50 ('POC4')
R15: 0xffffffffffff008a
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b904a0 <compileFile+384>:	mov    DWORD PTR [rax],0x6b4c
   0x7ffff7b904a6 <compileFile+390>:	lea    eax,[r15+0x1]
   0x7ffff7b904aa <compileFile+394>:	mov    DWORD PTR [rsp+0x24],eax
=> 0x7ffff7b904ae <compileFile+398>:	mov    WORD PTR [rsp+r15*2+0x34],bp
   0x7ffff7b904b4 <compileFile+404>:	data16 lea rdi,[rip+0x2403bc]        # 0x7ffff7dd0878
   0x7ffff7b904bc <compileFile+412>:	data16 data16 call 0x7ffff7b66930 <__tls_get_addr@plt>
   0x7ffff7b904c4 <compileFile+420>:	movsxd rcx,DWORD PTR [rax]
   0x7ffff7b904c7 <compileFile+423>:	mov    rdx,QWORD PTR [rbx]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffbb30 --> 0x0 
0008| 0x7fffffffbb38 --> 0x6263f0 --> 0x34434f50 ('POC4')
0016| 0x7fffffffbb40 --> 0x626410 --> 0xfbad2488 
0024| 0x7fffffffbb48 --> 0x300000023 
0032| 0x7fffffffbb50 --> 0xffff008b00040177 
0040| 0x7fffffffbb58 --> 0x2300000000 ('')
0048| 0x7fffffffbb60 --> 0xfb005c00000020 
0056| 0x7fffffffbb68 --> 0x63006f00730020 (' ')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b904ae in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ 

The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
338		  nested->linelen--;
339		  continue;
340		}
341	      if (ch == 10 || nested->linelen >= MAXSTRING-1)
342		break;
343	      nested->line[nested->linelen++] = (widechar) ch;
344	      pch = ch;
345	    }
346	  nested->line[nested->linelen] = 0;
347	  nested->linepos = 0;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
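The register dump above is worth reading alongside the quoted source. The faulting instruction `mov WORD PTR [rsp+r15*2+0x34],bp` is the store at line 343, `nested->line[nested->linelen++] = (widechar) ch`: r15 is the index `linelen`, bp is the character ('+'), and r15 holds 0xffffffffffff008a, a sign-extended negative value. The only bounds check in the quoted loop, at line 341, is an upper bound against MAXSTRING-1; the continuation path at lines 338-339 decrements `linelen` with no lower bound, so `line[]` can be indexed below zero. The following C program is an added example written for this page, not code from the report or from liblouis. It models the quoted loop shape on an in-memory input and shows the index going negative next to a hardened variant that clamps the decrement and consumes the continuation marker. The continuation condition (a backslash followed by a newline) and the MAXSTRING value are assumptions, since neither appears among the lines quoted on the page; the inputs are constructed and are not the POC7 attachment.

```c
#include <stdio.h>
#include <string.h>

#define MAXSTRING 256          /* fixed-size line buffer; the real value is assumed */
typedef unsigned short widechar;

/* Minimal stand-in for liblouis' FileInfo: the input is an in-memory byte string. */
typedef struct {
    const unsigned char *buf;
    size_t pos, len;
    widechar line[MAXSTRING];
    int linelen;
    int linepos;
} FileInfo;

static int get_a_char(FileInfo *nested)
{
    if (nested->pos >= nested->len)
        return EOF;
    return nested->buf[nested->pos++];
}

/* Line reader with the loop shape quoted at compileTranslationTable.c:338-347.
 * hardened == 0 keeps the quoted arithmetic: the continuation path decrements
 * linelen with no lower bound and never clears pch, so one backslash followed by
 * several newlines drives linelen below zero. Stores to a negative index are
 * suppressed here and recorded in *min_index so the demo stays memory-safe; the
 * library performs them, which is the SIGSEGV in the report.
 * hardened == 1 clamps the decrement at zero and consumes the marker.
 * Assumption: the continuation rule is backslash then newline (not on the page). */
static int read_line(FileInfo *nested, int hardened, int *min_index)
{
    int ch, pch = 0;
    nested->linelen = 0;
    *min_index = 0;
    while ((ch = get_a_char(nested)) != EOF) {
        if (ch == 13)
            continue;                       /* drop CR */
        if (pch == '\\' && ch == 10) {      /* assumed continuation rule */
            if (hardened) {
                if (nested->linelen > 0)
                    nested->linelen--;      /* drop the backslash, never below 0 */
                pch = 0;                    /* one marker joins exactly one line */
            } else {
                nested->linelen--;          /* as quoted: unbounded, pch kept */
            }
            continue;
        }
        if (ch == 10 || nested->linelen >= MAXSTRING - 1)
            break;                          /* upper bound only, as quoted */
        if (nested->linelen < *min_index)
            *min_index = nested->linelen;
        if (nested->linelen >= 0)           /* demo-only guard, see comment above */
            nested->line[nested->linelen] = (widechar) ch;
        nested->linelen++;
        pch = ch;
    }
    if (nested->linelen >= 0)
        nested->line[nested->linelen] = 0;
    nested->linepos = 0;
    return ch != EOF;
}

/* Lowest index the loop tried to store to for a given input (0 = all in bounds). */
static int lowest_index_for(const char *input, int hardened)
{
    FileInfo fi;
    int min_index;
    memset(&fi, 0, sizeof fi);
    fi.buf = (const unsigned char *)input;
    fi.len = strlen(input);
    read_line(&fi, hardened, &min_index);
    return min_index;
}

/* Final linelen after reading the first line of input. */
static int linelen_for(const char *input, int hardened)
{
    FileInfo fi;
    int min_index;
    memset(&fi, 0, sizeof fi);
    fi.buf = (const unsigned char *)input;
    fi.len = strlen(input);
    read_line(&fi, hardened, &min_index);
    return fi.linelen;
}

int main(void)
{
    /* Constructed inputs; not the POC7 attachment from the report. */
    const char *benign = "ab\\\ncd\n";          /* legitimate line continuation */
    const char *hostile = "\\\n\n\n\nabc\n";    /* one backslash, four newlines */
    printf("benign : unsafe lowest index %d, hardened %d\n",
           lowest_index_for(benign, 0), lowest_index_for(benign, 1));
    printf("hostile: unsafe lowest index %d, hardened %d\n",
           lowest_index_for(hostile, 0), lowest_index_for(hostile, 1));
    return 0;
}
```

On the benign input both variants produce the joined line "abcd"; on the hostile input the unmodified arithmetic reaches index -3 before the loop ends, while the hardened variant never leaves the buffer. In the real crash the index was far more negative (0x...ff008a), which a longer run of continuation newlines in the fuzzer-generated table would produce under the same arithmetic.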

