When a long path is given to the API lou_setDataPath(), there will be a global buffer overflow.
Similar to #1291, because liblouis does not check the input length.
liblouis/liblouis/compileTranslationTable.c
Lines 58 to 62 in 63722f0
Test Environment
Ubuntu 16.04.3 LTS
liblouis (master, 6223f21)
How to trigger
$ clang -g -fsanitize=address,fuzzer ./driver-API-6223f21-lou_setDataPath-BO.c ./bin_asan/lib/liblouis.a -I ./bin_asan/include/liblouis/ -o driver-API-6223f21-lou_setDataPath-BO
$ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO
ASAN report
$ ./driver-API-6223f21-lou_setDataPath-BO poc-API-6223f21-lou_setDataPath-BO
Minimum size is 0
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1537783897
INFO: Loaded 1 modules (2848 inline 8-bit counters): 2848 [0x80bf40, 0x80ca60),
INFO: Loaded 1 PC tables (2848 PCs): 2848 [0x5b9668,0x5c4868),
./driver-API-6223f21-lou_setDataPath-BO: Running 1 inputs 1 time(s) each.
Running: poc-API-6223f21-lou_setDataPath-BO
=================================================================
==29969==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010e85a0 at pc 0x00000050dc38 bp 0x7ffed6135f90 sp 0x7ffed6135750
WRITE of size 4098 at 0x0000010e85a0 thread T0
    #0 0x50dc37 in strcpy /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5
    #1 0x553af6 in lou_setDataPath /opt/disk/marsman/liblouis/6223f21/build_asan/liblouis/../../code/liblouis/compileTranslationTable.c:62:2
    #2 0x553674 in AFG_func /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:16:2
    #3 0x553890 in LLVMFuzzerTestOneInput /opt/disk/marsman/liblouis/6223f21/./driver-API-6223f21-lou_setDataPath-BO.c:43:2
    #4 0x459951 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #5 0x443612 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #6 0x449980 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #7 0x473902 in main /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fdb3926383f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41e118 in _start (/opt/disk/marsman/liblouis/6223f21/driver-API-6223f21-lou_setDataPath-BO+0x41e118)

0x0000010e85a0 is located 0 bytes to the right of global variable 'dataPath' defined in '../../code/liblouis/compileTranslationTable.c:59:14' (0x10e7da0) of size 2048
SUMMARY: AddressSanitizer: global-buffer-overflow /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:423:5 in strcpy
==29969==ABORTING
Thanks for the report. I think we should consider dropping lou_setDataPath as it seems redundant.
Check the length of path before copying into dataPath
34ab36a
See https://lwn.net/Articles/507319/ for more background on the security problems of strcpy. Fixes #1292
f432de3
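Added example, not liblouis' own code: a constructed model of the pattern the report and the fix commit describe, a 2048-byte global path buffer (the size of 'dataPath' in the ASAN output) filled by an unchecked strcpy, next to a setter that checks the length before copying. The names data_path, set_data_path_unchecked, set_data_path_checked and accepts_path_of_length are assumed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern in the report: a fixed 2048-byte global
 * (mirroring the 'dataPath' size in the ASAN output) filled with strcpy. */
#define PATH_BUF_SIZE 2048
static char data_path[PATH_BUF_SIZE];  /* assumed stand-in for liblouis' dataPath */
static char *data_path_ptr = NULL;

/* Reported pattern: strcpy writes strlen(path)+1 bytes no matter how big
 * data_path is, so a 4097-byte path produces the 4098-byte write in the report.
 * Shown for comparison only; never call it with untrusted input. */
const char *set_data_path_unchecked(const char *path) {
    strcpy(data_path, path);
    data_path_ptr = data_path;
    return data_path_ptr;
}

/* Hardened form, as the fix commit describes: check the length first and
 * reject anything that would not fit together with its terminator. */
const char *set_data_path_checked(const char *path) {
    data_path_ptr = NULL;
    if (path == NULL) return NULL;
    size_t n = strlen(path);
    if (n >= sizeof data_path) {
        fprintf(stderr, "path too long: %zu bytes, max %zu\n", n, sizeof data_path - 1);
        return NULL;
    }
    memcpy(data_path, path, n + 1);  /* bounded copy, includes the '\0' */
    data_path_ptr = data_path;
    return data_path_ptr;
}

/* Probe used by the demo: 1 if a path of 'len' bytes is accepted, 0 if rejected. */
int accepts_path_of_length(size_t len) {
    static char probe[8192];
    if (len >= sizeof probe) return 0;
    memset(probe, 'A', len);
    probe[len] = '\0';
    return set_data_path_checked(probe) != NULL;
}

int main(void) {
    set_data_path_unchecked("/usr/share/liblouis/tables");  /* safe: short input */
    printf("2047-byte path: %s\n", accepts_path_of_length(2047) ? "accepted" : "rejected");
    printf("4097-byte path (the PoC size): %s\n",
           accepts_path_of_length(4097) ? "accepted" : "rejected");
    return 0;
}
```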