Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1484338

Summary: There is an illegal address access in function _lou_getALine() of liblouis.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: liblouisAssignee: David King <dking>
Status: CLOSED WONTFIX QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: mclasen
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-15 07:41:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by " ./lou_checktable POC7 " none

Description owl337 2017-08-23 09:46:02 UTC 
Created attachment 1317032 [details]
Triggered by " ./lou_checktable POC7 "

Description of problem:

There is an illegal address access in function  _lou_getALine()  of liblouis.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./lou_checktable POC7 

Steps to Reproduce:

Normal output:

$ ./lou_checktable POC7
POC4:2: error: opcode 'inglud\x00d5' not defined.
POC4:3: error: opcode ':se:' not defined.
POC4:5: error: opcode 't' not defined.
POC4:6: error: opcode 'i' not defined.
POC4:7: error: opcode 'ronk' not defined.
POC4:8: error: opcode 'includet' not defined.
POC4:9: error: opcode 'd' not defined.
POC4:13: error: opcode 'nclu' not defined.
POC4:15: error: opcode '\x00f0' not defined.
POC4:22: error: opcode 'd' not defined.
POC4:25: error: opcode 'pi.Ktb' not defined.
POC4:26: error: include file name not specified.
POC4:31: error: opcode '\x00f6' not defined.
POC4:34: error: opcode '\x00fb' not defined.
Segmentation fault

The GDB debugging information is as follows:

gdb-peda$ r 
...
Breakpoint 3, _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ c 327 
Will ignore next 326 crossings of breakpoint 3.  Continuing.
POC4:2: error: opcode 'inglud\x00d5' not defined.
POC4:3: error: opcode ':se:' not defined.
POC4:5: error: opcode 't' not defined.
POC4:6: error: opcode 'i' not defined.
POC4:7: error: opcode 'ronk' not defined.
POC4:8: error: opcode 'includet' not defined.
POC4:9: error: opcode 'd' not defined.
POC4:13: error: opcode 'nclu' not defined.
POC4:15: error: opcode '\x00f0' not defined.
POC4:22: error: opcode 'd' not defined.
POC4:25: error: opcode 'pi.Ktb' not defined.
POC4:26: error: include file name not specified.
POC4:31: error: opcode '\x00f6' not defined.
POC4:34: error: opcode '\x00fb' not defined.

Breakpoint 3, _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0xffff008b 
RBX: 0x606178 --> 0x606de0 --> 0x0 
RCX: 0xcd84 
RDX: 0x606de0 --> 0x0 
RSI: 0x7ffff7fdc050 --> 0x1 
RDI: 0x7ffff7dd0878 --> 0x1 
RBP: 0x2b ('+')
RSP: 0x7fffffffbb30 --> 0x0 
RIP: 0x7ffff7b904ae (<compileFile+398>:	mov    WORD PTR [rsp+r15*2+0x34],bp)
R8 : 0x7ffff7fdb740 (0x00007ffff7fdb740)
R9 : 0x0 
R10: 0x202762663030785c ("\\x00fb' ")
R11: 0x246 
R12: 0x625bc0 --> 0x6263f0 --> 0x34434f50 ('POC4')
R13: 0x6263f0 --> 0x34434f50 ('POC4')
R14: 0x7fffffffbb38 --> 0x6263f0 --> 0x34434f50 ('POC4')
R15: 0xffffffffffff008a
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b904a0 <compileFile+384>:	mov    DWORD PTR [rax],0x6b4c
   0x7ffff7b904a6 <compileFile+390>:	lea    eax,[r15+0x1]
   0x7ffff7b904aa <compileFile+394>:	mov    DWORD PTR [rsp+0x24],eax
=> 0x7ffff7b904ae <compileFile+398>:	mov    WORD PTR [rsp+r15*2+0x34],bp
   0x7ffff7b904b4 <compileFile+404>:	data16 lea rdi,[rip+0x2403bc]        # 0x7ffff7dd0878
   0x7ffff7b904bc <compileFile+412>:	data16 data16 call 0x7ffff7b66930 <__tls_get_addr@plt>
   0x7ffff7b904c4 <compileFile+420>:	movsxd rcx,DWORD PTR [rax]
   0x7ffff7b904c7 <compileFile+423>:	mov    rdx,QWORD PTR [rbx]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffbb30 --> 0x0 
0008| 0x7fffffffbb38 --> 0x6263f0 --> 0x34434f50 ('POC4')
0016| 0x7fffffffbb40 --> 0x626410 --> 0xfbad2488 
0024| 0x7fffffffbb48 --> 0x300000023 
0032| 0x7fffffffbb50 --> 0xffff008b00040177 
0040| 0x7fffffffbb58 --> 0x2300000000 ('')
0048| 0x7fffffffbb60 --> 0xfb005c00000020 
0056| 0x7fffffffbb68 --> 0x63006f00730020 (' ')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b904ae in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
343	      nested->line[nested->linelen++] = (widechar) ch;
gdb-peda$ 

The vulnerability was triggered in function:
	in _lou_getALine (nested=<optimized out>) at compileTranslationTable.c:343
338		  nested->linelen--;
339		  continue;
340		}
341	      if (ch == 10 || nested->linelen >= MAXSTRING-1)
342		break;
343	      nested->line[nested->linelen++] = (widechar) ch;
344	      pch = ch;
345	    }
346	  nested->line[nested->linelen] = 0;
347	  nested->linepos = 0;

Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 RHEL Program Management 2021-01-15 07:41:28 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.