global-buffer-overflow in lou_setDataPath() when long path is given #1292

Closed
Marsman1996 opened this issue Feb 4, 2023 · 1 comment · Fixed by #1297
Labels
bug Bug in the code (not in a table) memory error Buffer overflow, use after free, memory leak, ...

Comments

Marsman1996 (Contributor) commented Feb 4, 2023

When a long path is given to the API lou_setDataPath(), there is a global-buffer-overflow.

This is similar to #1291: liblouis does not check the input length.

```c
lou_setDataPath(const char *path) {
	static char dataPath[MAXSTRING];
	dataPathPtr = NULL;
	if (path == NULL) return NULL;
	strcpy(dataPath, path);  /* unbounded copy: a path longer than MAXSTRING writes past dataPath */
```

Test Environment

Ubuntu 16.04.3 LTS
liblouis (master, 6223f21)

How to trigger

  1. Compile liblouis with AddressSanitizer
  2. Compile the fuzz driver and poc file
  3. Compile the fuzz driver: `$ clang -g -fsanitize=address,fuzzer ./driver-API-6223f21-lou_setDataPath-BO.c ./bin_asan/lib/liblouis.a -I ./bin_asan/include/liblouis/ -o driver-API-6223f21-lou_setDataPath-BO`
  4. Run the compiled driver: `$ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO`

ASAN report

```
$ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO
Minimum size is 0
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1537783897
INFO: Loaded 1 modules   (2848 inline 8-bit counters): 2848 [0x80bf40, 0x80ca60), 
INFO: Loaded 1 PC tables (2848 PCs): 2848 [0x5b9668,0x5c4868), 
./driver-API-6223f21-lou_setDataPath-BO: Running 1 inputs 1 time(s) each.
Running: poc-API-6223f21-lou_setDataPath-BO
=================================================================
==29969==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010e85a0 at pc 0x00000050dc38 bp 0x7ffed6135f90 sp 0x7ffed6135750
WRITE of size 4098 at 0x0000010e85a0 thread T0
    #0 0x50dc37 in strcpy /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5
    #1 0x553af6 in lou_setDataPath /opt/disk/marsman/liblouis/6223f21/build_asan/liblouis/../../code/liblouis/compileTranslationTable.c:62:2
    #2 0x553674 in AFG_func /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:16:2
    #3 0x553890 in LLVMFuzzerTestOneInput /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:43:2
    #4 0x459951 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #5 0x443612 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #6 0x449980 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #7 0x473902 in main /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fdb3926383f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41e118 in _start (/opt/disk/marsman/liblouis/6223f21/driver-API-6223f21-lou_setDataPath-BO+0x41e118)

0x0000010e85a0 is located 0 bytes to the right of global variable 'dataPath' defined in '../../code/liblouis/compileTranslationTable.c:59:14' (0x10e7da0) of size 2048
SUMMARY: AddressSanitizer: global-buffer-overflow /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5 in strcpy
Shadow bytes around the buggy address:
  0x000080215060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080215070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080215080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080215090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802150a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000802150b0: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802150c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802150d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802150e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802150f0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080215100: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29969==ABORTING
```
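A bounds-checked variant of the setter, added here as an example and not taken from liblouis or from the fix in #1297. It assumes MAXSTRING is 2048 (the size ASan reports for dataPath) and rejects, rather than truncates, any path that would not fit with its terminator; the helper names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXSTRING 2048           /* assumed: matches "of size 2048" in the ASan report */

static char dataPath[MAXSTRING];
static char *dataPathPtr = NULL;

/* Same contract as the snippet in the report, but the copy is bounded:
 * returns the stored path, or NULL if path is NULL or too long. */
char *setDataPathChecked(const char *path) {
	dataPathPtr = NULL;
	if (path == NULL) return NULL;
	/* strnlen never scans past MAXSTRING bytes, so an unterminated or
	 * huge input costs bounded work and cannot overrun the buffer. */
	size_t len = strnlen(path, MAXSTRING);
	if (len >= MAXSTRING) return NULL;   /* no room for the NUL: refuse */
	memcpy(dataPath, path, len + 1);     /* len + 1 copies the terminator */
	dataPathPtr = dataPath;
	return dataPathPtr;
}

/* Hypothetical helper: is a path of n non-NUL bytes accepted?
 * Lets the boundary (2047 fits, 2048 does not) be exercised directly. */
int acceptsLength(size_t n) {
	char *buf = malloc(n + 1);
	if (buf == NULL) return 0;
	memset(buf, 'A', n);                 /* constructed input, not a real path */
	buf[n] = '\0';
	int ok = setDataPathChecked(buf) != NULL;
	free(buf);
	return ok;
}

int main(void) {
	printf("normal path stored: %s\n", setDataPathChecked("/usr/share/liblouis/tables") ? "yes" : "no");
	printf("2047 bytes accepted: %d\n", acceptsLength(2047));
	printf("2048 bytes accepted: %d\n", acceptsLength(2048));
	printf("4098 bytes (the PoC write size) accepted: %d\n", acceptsLength(4098));
	return 0;
}
```

Under ASan the original strcpy() version of this program reports the same global-buffer-overflow on the 4098-byte input; the checked version returns NULL and the caller keeps a well-defined dataPathPtr.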
bertfrees (Member) commented:

Thanks for the report. I think we should consider dropping lou_setDataPath as it seems redundant.

egli added the labels bug (Bug in the code, not in a table) and memory error (Buffer overflow, use after free, memory leak, ...) on Feb 8, 2023.
egli added a commit that referenced this issue Feb 8, 2023:
See https://lwn.net/Articles/507319/ for more background on the
security problems of strcpy.

Fixes #1292
egli closed this as completed in #1297 Feb 8, 2023