New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASAn stack-based buffer overflow in compileTranslationTable.c line 1157 in parseChars #591

Closed
fgeek opened this Issue Jun 1, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@fgeek

fgeek commented Jun 1, 2018

14d235cfe68b9d1ed541da77a891465941afeb1c.ctb.zip
Tested commit: b381efd
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

./lou_checktable 14d235cfe68b9d1ed541da77a891465941afeb1c.ctb
<snip>
================================================================
==20178==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcbb036f2 at pc 0x7fd352949811 bp 0x7ffdcbafaa30 sp 0x7ffdcbafaa28
WRITE of size 2 at 0x7ffdcbb036f2 thread T0
    #0 0x7fd352949810 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157
    #1 0x7fd35299b069 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3195
    #2 0x7fd3529a14ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7fd3529a2707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7fd3529a2707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x55df04479f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7fd3525b82e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x55df0447a199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7ffdcbb036f2 is located in stack of thread T0 at offset 35778 in frame
    #0 0x7fd352982b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis'
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots' <== Memory access at offset 35778 overflows this variable
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157 in parseChars
Shadow bytes around the buggy address:
  0x100039758680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000397586d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f4
  0x1000397586e0: f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x1000397586f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20178==ABORTING
@fgeek

This comment has been minimized.

fgeek commented Jun 3, 2018

I can reproduce this issue (with bit different backtrace) using lou_translate binary. Not sure if this helps, but file and backtrace attached.
0714bc6a34727bab0cf86766c2c9919ca05ae5d7.zip

=================================================================
==3012==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff0ff5442 at pc 0x7f865289b811 bp 0x7ffff0ff3360 sp 0x7ffff0ff3358
WRITE of size 2 at 0x7ffff0ff5442 thread T0
    #0 0x7f865289b810 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157
    #1 0x7f86528d16ec in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1176
    #2 0x562b5b326f19 in translate_input /home/hsalo/src/liblouis/tools/lou_translate.c:73
    #3 0x562b5b32655d in main /home/hsalo/src/liblouis/tools/lou_translate.c:201
    #4 0x7f865250a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x562b5b3267d9 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_translate+0x27d9)

Address 0x7ffff0ff5442 is located in stack of thread T0 at offset 8290 in frame
    #0 0x7f86528d123f in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1168

  This frame has 2 object(s):
    [32, 4130) 'wideIn'
    [4192, 8290) 'result' <== Memory access at offset 8290 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157 in parseChars
Shadow bytes around the buggy address:
  0x10007e1f6a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e1f6a80: 00 00 00 00 00 00 00 00[02]f4 f4 f4 f3 f3 f3 f3
  0x10007e1f6a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3012==ABORTING

@egli egli added the buffer overflow label Jun 4, 2018

@egli egli closed this in e7eee2b Jun 4, 2018

@egli egli added this to the 3.6 milestone Jun 4, 2018

egli added a commit that referenced this issue Jun 4, 2018

Use a standard buffer size for translating
I believe this fixes #591 (the second part of of it)
@egli

This comment has been minimized.

Member

egli commented Jun 4, 2018

I believe that both problems are fixed now.

@abergmann

This comment has been minimized.

abergmann commented Jun 4, 2018

CVE-2018-11683 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment