CVE-2018-11440: ASan stack-based buffer overflow in compileTranslationTable.c parseChars #575

Closed
fgeek opened this Issue May 25, 2018 · 1 comment

@fgeek

fgeek commented May 25, 2018

5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb.zip
Tested version 3.5.0 and commit ed6b00a
Might be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1582024
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

./lou_checktable 5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:1: error: opcode '000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:3: error: opcode '0' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:5: error: invalid dot number '0'.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:6: error: opcode '0000000000000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:7: error: Exactly two Unicode characters and at least one cell are required.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
=================================================================
==31674==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc64214142 at pc 0x7fa79f9917b9 bp 0x7ffc6420d470 sp 0x7ffc6420d468
WRITE of size 2 at 0x7ffc64214142 thread T0
    #0 0x7fa79f9917b8 in parseChars /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146
    #1 0x7fa79f994170 in getRuleCharsText /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1314
    #2 0x7fa79f9d2a45 in compileUplow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:2779
    #3 0x7fa79f9d2a45 in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4166
    #4 0x7fa79f9e88a2 in compileFile /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4501
    #5 0x7fa79f9e97c7 in compileTranslationTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4606
    #6 0x7fa79f9e97c7 in lou_getTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4691
    #7 0x5593eb49cf13 in main /home/hsalo/src/liblouis-3.5.0/tools/lou_checktable.c:112
    #8 0x7fa79f6002e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #9 0x5593eb49d179 in _start (/home/hsalo/builds/liblouis/3.5.0/bin/lou_checktable+0x2179)

Address 0x7ffc64214142 is located in stack of thread T0 at offset 23298 in frame
    #0 0x7fa79f9caaff in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:3138

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis'
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars' <== Memory access at offset 23298 overflows this variable
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146 in parseChars
Shadow bytes around the buggy address:
  0x10000c83a7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000c83a820: 00 00 00 00 00 00 00 00[02]f4 f4 f4 f2 f2 f2 f2
  0x10000c83a830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31674==ABORTING
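The frame listing above pins the fault precisely: a 2-byte store (one 16-bit widechar) from parseChars lands at offset 23298, the first byte past the 4098-byte 'ruleChars' object in compileRule's frame, and 4098 is 2 * (2048 + 1), i.e. a length field plus a 2048-entry character array. The following C is an added, illustrative reconstruction of that pattern, not liblouis' code or the fix in 4417bad: a parseChars-like routine that decodes a table token into a fixed-size CharsString (with the Latin-1 fallback the warnings mention), first without any bound on the number of stored characters and then with the bounds check that turns an over-long token into a table error. MAXSTRING, the CharsString layout and the widechar width are taken from the sizes in the frame listing; the function names, the decoder and the return conventions are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of liblouis' fixed-size character string (illustrative reconstruction,
 * not the project's code).  With a 16-bit widechar, sizeof(CharsString) is
 * 2 * (2048 + 1) = 4098 bytes, the size of 'ruleChars' in the frame listing. */
#define MAXSTRING 2048
typedef uint16_t widechar;
typedef struct {
    widechar length;
    widechar chars[MAXSTRING];
} CharsString;

/* Decode one UTF-8 sequence at in[*pos].  On a malformed sequence fall back to
 * Latin-1 (the single byte is the code point), mirroring the
 * "invalid UTF-8. Assuming Latin-1" warnings in the report, and set *bad. */
static uint32_t next_codepoint(const unsigned char *in, size_t len,
                               size_t *pos, int *bad)
{
    unsigned char c = in[*pos];
    size_t need;
    uint32_t cp;
    if (c < 0x80) { (*pos)++; return c; }
    if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; }
    else { *bad = 1; (*pos)++; return c; }                 /* stray continuation or bad lead byte */
    if (*pos + need >= len) { *bad = 1; (*pos)++; return c; } /* truncated sequence */
    for (size_t i = 1; i <= need; i++) {
        unsigned char cc = in[*pos + i];
        if ((cc & 0xC0) != 0x80) { *bad = 1; (*pos)++; return c; }
        cp = (cp << 6) | (cc & 0x3F);
    }
    *pos += need + 1;
    return cp;
}

/* VULNERABLE pattern: every decoded character is stored at
 * result->chars[result->length++] with no check against MAXSTRING.  A token of
 * more than MAXSTRING characters writes one widechar (2 bytes) just past the
 * array: the "WRITE of size 2" at the end of 'ruleChars' in the report.
 * Kept only for comparison; never feed it untrusted input. */
static int parse_chars_unchecked(const unsigned char *in, size_t len,
                                 CharsString *result, int *bad)
{
    size_t pos = 0;
    result->length = 0;
    while (pos < len) {
        uint32_t cp = next_codepoint(in, len, &pos, bad);
        result->chars[result->length++] = (widechar)cp; /* non-BMP truncated to 16 bits here */
    }
    return 1;
}

/* Hardened form: check the index before every store and reject the token, so
 * the caller can report a table error instead of corrupting its own frame. */
static int parse_chars_checked(const unsigned char *in, size_t len,
                               CharsString *result, int *bad)
{
    size_t pos = 0;
    result->length = 0;
    while (pos < len) {
        uint32_t cp = next_codepoint(in, len, &pos, bad);
        if (result->length >= MAXSTRING) {
            result->length = 0; /* do not hand back a half-parsed token */
            return 0;
        }
        result->chars[result->length++] = (widechar)cp;
    }
    return 1;
}

/* Length after checked parsing of a NUL-terminated token, or -1 if rejected. */
static int checked_length(const char *token)
{
    CharsString cs; int bad = 0;
    if (!parse_chars_checked((const unsigned char *)token, strlen(token), &cs, &bad)) return -1;
    return cs.length;
}
/* Code unit i after checked parsing, or -1 if rejected or out of range. */
static int checked_char_at(const char *token, int i)
{
    CharsString cs; int bad = 0;
    if (!parse_chars_checked((const unsigned char *)token, strlen(token), &cs, &bad)) return -1;
    return (i >= 0 && i < cs.length) ? cs.chars[i] : -1;
}
/* 1 if the checked parser flagged invalid UTF-8 somewhere in the token. */
static int checked_bad_utf8(const char *token)
{
    CharsString cs; int bad = 0;
    parse_chars_checked((const unsigned char *)token, strlen(token), &cs, &bad);
    return bad;
}
/* Build a constructed n-byte ASCII token; 1 if the checked parser rejects it. */
static int checked_rejects_ascii_token(size_t n)
{
    unsigned char *buf = malloc(n);
    CharsString cs; int bad = 0, ok;
    if (!buf) return -1;
    memset(buf, 'a', n);
    ok = parse_chars_checked(buf, n, &cs, &bad);
    free(buf);
    return ok ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: UTF-8 "aé", a lone Latin-1 0xE9 byte, and a token one
     * character longer than MAXSTRING (the unchecked parser would overflow on it). */
    CharsString cs; int bad = 0;
    parse_chars_unchecked((const unsigned char *)"abc", 3, &cs, &bad);
    printf("unchecked \"abc\" -> %d chars\n", cs.length);
    printf("aé -> %d chars, second = U+%04X\n", checked_length("a\xC3\xA9"), checked_char_at("a\xC3\xA9", 1));
    printf("lone 0xE9 -> U+%04X, bad_utf8=%d\n", checked_char_at("\xE9", 0), checked_bad_utf8("\xE9"));
    printf("%d-char token rejected: %d\n", MAXSTRING + 1, checked_rejects_ascii_token(MAXSTRING + 1));
    return 0;
}
```

The shape of the bug is the one ASan describes: the loop bound is the length of the input token, the destination is a fixed array, and nothing ties the two together. The check belongs before the store, not after, and the rejection has to propagate up to the rule compiler so a malicious table fails with an error rather than continuing with a clobbered frame; note that the objects sitting right after 'ruleChars' in the listing are more CharsStrings and 'nested', so an overrun overwrites state the compiler reads back.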

@egli egli added the bug label May 25, 2018

@carnil



carnil commented May 25, 2018

@egli egli closed this in 4417bad May 30, 2018

@egli egli added this to the 3.6 milestone May 30, 2018

@fgeek fgeek changed the title ASan stack-based buffer overflow in compileTranslationTable.c parseChars CVE-2018-11440: ASan stack-based buffer overflow in compileTranslationTable.c parseChars Jun 2, 2018
