[BUG] invalid memory writes in compileRule, liblouis/compileTranslationTable.c:3744 #1214

Closed
kdsjZh opened this issue May 21, 2022 · 4 comments · Fixed by #1217
Labels
memory error Buffer overflow, use after free, memory leak, ...

Comments

kdsjZh commented May 21, 2022

Summary

Hello, I was testing my new fuzzer and found an invalid memory write in function compileRule, liblouis/compileTranslationTable.c:3744, which can be triggered via lou_trace + ASan.

Steps to reproduce

# Build liblouis with AddressSanitizer and debug info; CFLAGS must be exported before configure runs
export CFLAGS="-fsanitize=address -g"
./autogen.sh && ./configure && make -j8
# Compile the crashing table with lou_trace ($POC is the path to the attached poc1 file)
./tools/lou_trace $POC

Environment

  • Ubuntu 22.04 (Docker image)
  • GCC 11.2.0
  • liblouis latest commit 83c9135

ASan report

poc1:24: warning: invalid UTF-8. Assuming Latin-1.
...
poc1:145: error: invalid 4-digit hexadecimal number
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3739596==ERROR: AddressSanitizer: SEGV on unknown address 0x630000015722 (pc 0x7f3962ff103a bp 0x7ffcbf6d48b0 sp 0x7ffcbf6c2180 T0)
==3739596==The signal is caused by a WRITE memory access.
    #0 0x7f3962ff103a in compileRule /benchmark/liblouis/liblouis/compileTranslationTable.c:3744
    #1 0x7f3962ff863a in compileFile /benchmark/liblouis/liblouis/compileTranslationTable.c:4660
    #2 0x7f3962ff92b3 in compileTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4777
    #3 0x7f3962ffa6f2 in getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4949
    #4 0x7f3962ff99b4 in _lou_getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4858
    #5 0x7f3962ff9bf6 in lou_getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4870
    #6 0x55643186bfb5 in main /benchmark/liblouis/tools/lou_trace.c:392
    #7 0x7f3962dc3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f3962dc3e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x556431868644 in _start (/benchmark/liblouis/tools/.libs/lou_trace+0x3644)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark/liblouis/liblouis/compileTranslationTable.c:3744 in compileRule
==3739596==ABORTING

Credit

Han Zheng
NCNIPC of China
Hexhive

POC

poc1.zip
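As an added triage example (not code from the issue, the reporter, or liblouis): a small Python parser for the AddressSanitizer report format shown above, of the kind used to bucket fuzzer findings before filing them. It goes slightly beyond the report on this page: besides the SEGV form ("The signal is caused by a WRITE memory access") it also handles the sized-access form ASan prints for heap and stack overflows ("WRITE of size N at ...") and stops at the allocation stack that follows, exercised with a constructed second report. The source-root argument, the Frame/Triage/make_signature names, and every path and function name in the second report are assumptions made for the example.

```python
# Added example (not liblouis code): parse AddressSanitizer reports into a triage record.
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" with debug info, else "(module+offset)"

@dataclass
class Triage:
    kind: str                     # "SEGV", "heap-buffer-overflow", ...
    access: Optional[str]         # "READ"/"WRITE", None if ASan did not report it
    size: Optional[int]           # access size for overflow reports, None for signals
    address: Optional[str]
    frames: List[Frame]           # crash stack only (allocation/free stacks are dropped)
    crash_frame: Optional[Frame]  # first frame located under source_root
    signature: str                # build-independent key for de-duplicating crashes

# Line formats ASan prints (standard ASan output, nothing liblouis-specific).
_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
_SIGNAL_ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")  # SEGV reports
_SIZED_ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at")        # overflow reports
_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")

def make_signature(kind: str, access: Optional[str], crash: Optional[Frame]) -> str:
    """Key that ignores addresses and the build directory, so reruns bucket together."""
    acc = access or "UNKNOWN"
    if crash is None:
        return f"{kind}:{acc}:<no-project-frame>"
    return f"{kind}:{acc}:{crash.function}:{crash.location.rsplit('/', 1)[-1]}"

def parse_asan_report(text: str, source_root: str) -> Triage:
    """Parse one ASan report; source_root is the checkout path the binary was built from."""
    kind = address = access = None
    size = None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = _ERROR_RE.search(line)
        if m and kind is None:
            kind, address = m.group(1), m.group(2)
            continue
        m = _SIGNAL_ACCESS_RE.search(line) or _SIZED_ACCESS_RE.match(line)
        if m and access is None:
            access = m.group(1)
            if m.re is _SIZED_ACCESS_RE:
                size = int(m.group(2))
            continue
        m = _FRAME_RE.match(line)
        if m:
            idx = int(m.group(1))
            if idx == 0 and frames:
                break  # a second stack (allocation/free site) starts; keep only the crash stack
            frames.append(Frame(idx, m.group(2), m.group(3)))
    if kind is None:
        raise ValueError("no 'ERROR: AddressSanitizer:' line in input")
    crash = next((f for f in frames if f.location.startswith(source_root)), None)
    return Triage(kind, access, size, address, frames, crash, make_signature(kind, access, crash))

# The report quoted in this issue (the liblouis warnings printed before it are omitted).
ISSUE_REPORT = """\
poc1:145: error: invalid 4-digit hexadecimal number
AddressSanitizer:DEADLYSIGNAL
==3739596==ERROR: AddressSanitizer: SEGV on unknown address 0x630000015722 (pc 0x7f3962ff103a bp 0x7ffcbf6d48b0 sp 0x7ffcbf6c2180 T0)
==3739596==The signal is caused by a WRITE memory access.
    #0 0x7f3962ff103a in compileRule /benchmark/liblouis/liblouis/compileTranslationTable.c:3744
    #1 0x7f3962ff863a in compileFile /benchmark/liblouis/liblouis/compileTranslationTable.c:4660
    #2 0x7f3962ff92b3 in compileTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4777
    #3 0x7f3962ffa6f2 in getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4949
    #4 0x7f3962ff99b4 in _lou_getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4858
    #5 0x7f3962ff9bf6 in lou_getTable /benchmark/liblouis/liblouis/compileTranslationTable.c:4870
    #6 0x55643186bfb5 in main /benchmark/liblouis/tools/lou_trace.c:392
    #7 0x7f3962dc3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f3962dc3e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x556431868644 in _start (/benchmark/liblouis/tools/.libs/lou_trace+0x3644)
SUMMARY: AddressSanitizer: SEGV /benchmark/liblouis/liblouis/compileTranslationTable.c:3744 in compileRule
"""

# Constructed sample (not from the issue) in ASan's heap-overflow format: shows the sized-access
# line and a trailing allocation stack. All paths, names and addresses here are made up.
OVERFLOW_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x55d0c0de1234 bp 0x7ffd11112222 sp 0x7ffd11112210
WRITE of size 4 at 0x602000000014 thread T0
    #0 0x55d0c0de1233 in fill_rule /work/demo/src/rule.c:42
    #1 0x55d0c0de1400 in main /work/demo/src/main.c:10
0x602000000014 is located 0 bytes to the right of 20-byte region [0x602000000000,0x602000000014)
allocated by thread T0 here:
    #0 0x7f00deadbeef in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55d0c0de1100 in new_rule /work/demo/src/rule.c:30
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/demo/src/rule.c:42 in fill_rule
"""

if __name__ == "__main__":
    for report, root in ((ISSUE_REPORT, "/benchmark/liblouis/"), (OVERFLOW_REPORT, "/work/demo/")):
        t = parse_asan_report(report, root)
        print(t.signature, "|", t.access, t.size, "|", t.crash_frame)
```

For the report in this issue the signature comes out as SEGV:WRITE:compileRule:compileTranslationTable.c:3744, which is what distinguishes this finding from other fuzzer crashes in the same file; a WRITE access on a non-null address is the kind of result that should be prioritised over a read-side null dereference when triaging a batch of reports.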

@bertfrees bertfrees added the memory error Buffer overflow, use after free, memory leak, ... label May 25, 2022
@egli egli added this to the 3.22 milestone May 25, 2022
egli added a commit that referenced this issue May 25, 2022
Thanks to Han Zheng for reporting it

Fixes #1214
kdsjZh (Author) commented May 26, 2022

Just verified and in my environment it's fixed now. Thanks!

@kdsjZh kdsjZh closed this as completed May 26, 2022
@bertfrees (Member) commented

Reopening as #1217 is not merged yet.

@kdsjZh kdsjZh reopened this May 27, 2022
egli added a commit that referenced this issue May 30, 2022
Thanks to Han Zheng for reporting it

Fixes #1214
risicle (Contributor) commented Jun 20, 2022

Did this get a CVE assigned to it? Looks like it should.

kdsjZh (Author) commented Jun 21, 2022

Yes, CVE-2022-31783.

4 participants