Bug 1489337 - There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice.
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libwpd
Version: 7.4
Hardware: All
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: 7.5
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks: CVE-2017-14226
 
Reported: 2017-09-07 08:58 UTC by owl337
Modified: 2017-11-07 22:11 UTC
Clone Of:
Last Closed:


Attachments
Triggered by "./wpd2html POC1" (435 bytes, application/x-rar)
2017-09-07 08:58 UTC, owl337
extracted from rar (1.49 KB, application/vnd.wordperfect)
2017-09-07 11:02 UTC, Caolan McNamara
proposed fix (1.95 KB, patch)
2017-09-07 13:11 UTC, Caolan McNamara


External Trackers
Tracker ID Priority Status Summary Last Updated
Document Foundation 112269 None None None 2017-09-07 11:06 UTC

Description owl337 2017-09-07 08:58:29 UTC
Created attachment 1322984 [details]
Triggered by  "./wpd2html POC1"

Description of problem:

There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice. It may exist in other office applications.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./wpd2html POC1

Steps to Reproduce:


=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910) 
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]


$./wpd2html POC1
Segmentation fault

The GDB debugging information is as follows:

(gdb)set args POC1
(gdb)r
(gdb) i b
Num     Type           Disp Enb Address            What
5       breakpoint     keep y   0x00007ffff7b87f37 in WPXTableList::WPXTableList(WPXTableList const&) 
                                                   at WPXTable.cpp:170
	breakpoint already hit 18 times
(gdb) p m_refCount 
$7 = (int *) 0x6e616d6f522077
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
170			(*m_refCount)++;
(gdb) bt
#0  0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
#1  0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>) at ./WPXPageSpan.h:66
#2  WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized out>) at WP5StylesListener.cpp:94
#3  0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>, encryption=<optimized out>, 
    listener=<optimized out>) at WP5Parser.cpp:102
#4  0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0, documentInterface=0x7fffffffe420)
    at WP5Parser.cpp:234
#5  0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0, textInterface=0x7fffffffe420, 
    fileFormat=<optimized out>) at WPDocument.cpp:460
#6  0x00007ffff7b0492a in WP3ContentListener::insertWP51Table (this=0x7fffffffe1c8, height=<optimized out>, 
    width=<optimized out>, verticalOffset=<optimized out>, horizontalOffset=<optimized out>, 
    leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535, subDocument=0x627280, caption=0x627320)
    at WP3ContentListener.cpp:867
#7  0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0, listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8  0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>, listener=<optimized out>, 
    encryption=<optimized out>) at WP3Parser.cpp:107
#9  WP3Parser::parse (this=<optimized out>, input=<optimized out>, encryption=<optimized out>, listener=<optimized out>)
    at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>, textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>, textInterface=<optimized out>, password=0x0)
    at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at wpd2html.cpp:116


There is an erroneous memory access in the function WPXTableList::WPXTableList() at line WPXTable.cpp:170.
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166         m_tableList(tableList.get()),
167         m_refCount(tableList.getRef())
168 {
169         if (m_refCount)
170                 (*m_refCount)++;
171 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
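The report above is unsymbolized (module+offset frames only), so the first triage step is to pull the hard facts out of the ASan text: access kind and size, the distance from the nearest heap chunk, and whether the stack still needs symbolizing. The helper below is an added example, not part of the bug report or of libwpd; it parses an AddressSanitizer access report, cross-checks the printed "N bytes to the right" against the raw chunk bounds, and produces a one-line triage note. Its sample input is the report quoted in the description, trimmed to the lines the parser consumes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the faulting and allocating stacks from the ASan
# report in the bug description, trimmed to the lines this parser consumes.
SAMPLE_REPORT = """\
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #9 0x4ee0d5  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ (0x[0-9a-f]+)\s+(.+)$", re.M)
MODULE_RE = re.compile(r"\(([^)+]+)\+(0x[0-9a-f]+)\)")


@dataclass
class AsanTriage:
    kind: str                            # e.g. "heap-buffer-overflow"
    access: str                          # "READ" or "WRITE"
    size: int                            # bytes accessed
    addr: int                            # faulting address
    pc: int                              # faulting program counter
    side: Optional[str]                  # "left"/"right" of the nearest chunk, if any
    stated_distance: Optional[int]       # the distance ASan printed
    region: Optional[Tuple[int, int]]    # [start, end) of that chunk
    crash_frames: List[Tuple[int, str]]  # (pc, description) of the faulting stack
    alloc_frames: List[Tuple[int, str]]  # same for the allocation stack

    @property
    def region_size(self) -> Optional[int]:
        return None if self.region is None else self.region[1] - self.region[0]

    @property
    def bytes_past_end(self) -> Optional[int]:
        """Distance from the chunk end to the last byte touched (right-side overflow only)."""
        if self.region is None or self.side != "right":
            return None
        return self.addr + self.size - self.region[1]

    def distance_consistent(self) -> bool:
        """Cross-check ASan's 'N bytes to the left/right' against the raw addresses."""
        if self.region is None:
            return True
        start, end = self.region
        actual = self.addr - end if self.side == "right" else start - self.addr
        return actual == self.stated_distance

    @property
    def unsymbolized(self) -> bool:
        """True when every frame is module+offset only (no 'in func file:line')."""
        return all(" in " not in d and not d.startswith("in ") for _, d in self.crash_frames)

    def faulting_module(self) -> Optional[Tuple[str, int]]:
        """(module path, offset) of frame #0, the input for offline symbolization."""
        if not self.crash_frames:
            return None
        m = MODULE_RE.search(self.crash_frames[0][1])
        return (m.group(1), int(m.group(2), 16)) if m else None


def _frames(section: str) -> List[Tuple[int, str]]:
    return [(int(m.group(1), 16), m.group(2).strip()) for m in FRAME_RE.finditer(section)]


def parse_asan_report(text: str) -> AsanTriage:
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if err is None or acc is None:
        raise ValueError("not an AddressSanitizer access-violation report")
    loc = REGION_RE.search(text)
    # Faulting stack: from the access line to the "is located" line.
    # Allocation stack: from there to the SUMMARY line (absent for wild addresses).
    summary_at = text.find("SUMMARY:")
    end = summary_at if summary_at >= 0 else len(text)
    crash_end = loc.start() if loc else end
    return AsanTriage(
        kind=err.group(1), access=acc.group(1), size=int(acc.group(2)),
        addr=int(acc.group(3), 16), pc=int(err.group(3), 16),
        side=loc.group(2) if loc else None,
        stated_distance=int(loc.group(1)) if loc else None,
        region=(int(loc.group(4), 16), int(loc.group(5), 16)) if loc else None,
        crash_frames=_frames(text[acc.end():crash_end]),
        alloc_frames=_frames(text[crash_end:end]) if loc else [],
    )


def summarize(t: AsanTriage) -> str:
    """One-line triage note suitable for a bug tracker comment."""
    where = "unknown chunk" if t.region is None else (
        f"{t.stated_distance} bytes {t.side} of a {t.region_size}-byte heap chunk")
    note = f"{t.kind}: {t.access} of {t.size} bytes at {t.addr:#x}, {where}"
    if t.bytes_past_end is not None:
        note += f"; access ends {t.bytes_past_end} bytes past the chunk"
    if t.unsymbolized:
        note += "; stack is unsymbolized"
    return note


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

For this report the note reads as a 4-byte READ ending 8 bytes past a 48-byte chunk, which matches the gdb view of a corrupted `m_refCount` pointer being dereferenced: the int read lands in the redzone just after the allocation. `faulting_module()` gives the path and offset to feed to a symbolizer so the `#0` frame can be mapped to source.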

Comment 1 Tuomo Soini 2017-09-07 09:42:40 UTC
libwpd is not an EPEL package. Please move this to RHEL.

Comment 3 Caolan McNamara 2017-09-07 11:02 UTC
Created attachment 1323059 [details]
extracted from rar

Comment 4 Caolan McNamara 2017-09-07 12:44:57 UTC
https://sourceforge.net/p/libwpd/tickets/14/

Comment 5 Caolan McNamara 2017-09-07 13:11 UTC
Created attachment 1323097 [details]
proposed fix

Comment 6 Fedora Update System 2017-09-07 13:31:34 UTC
libwpd-0.10.1-8.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 7 Fedora Update System 2017-09-07 13:31:42 UTC
libwpd-0.10.1-8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 8 Fedora Update System 2017-09-07 13:31:50 UTC
libwpd-0.10.1-8.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 9 Fedora Update System 2017-09-07 18:24:15 UTC
libwpd-0.10.1-8.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 10 Fedora Update System 2017-09-08 00:24:47 UTC
libwpd-0.10.1-8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 11 Fedora Update System 2017-09-08 01:22:01 UTC
libwpd-0.10.1-8.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 12 Fedora Update System 2017-09-13 10:57:50 UTC
libwpd-0.10.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 13 Fedora Update System 2017-09-13 10:58:03 UTC
libwpd-0.10.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 14 Fedora Update System 2017-09-13 10:58:21 UTC
libwpd-0.10.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536

Comment 15 Fedora Update System 2017-09-13 19:24:34 UTC
libwpd-0.10.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 16 Fedora Update System 2017-09-14 04:53:00 UTC
libwpd-0.10.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 17 Fedora Update System 2017-09-14 05:50:16 UTC
libwpd-0.10.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536
