Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASAn stack-based buffer overflow in compileTranslationTable.c in line 4560 in includeFile #592

Closed
fgeek opened this Issue Jun 1, 2018 · 1 comment

Comments

Projects
None yet
3 participants
@fgeek
Copy link

fgeek commented Jun 1, 2018

8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb.zip
Tested commit: b381efd
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

I am more than happy to continue fuzzing this software after fixes has been applied. Thanks!

./lou_checktable 8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb
<snip>
=================================================================
==1606==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7fe53f40 at pc 0x7fe7a31fc7c9 bp 0x7fff7fe534d0 sp 0x7fff7fe534c8
WRITE of size 1 at 0x7fff7fe53f40 thread T0
    #0 0x7fe7a31fc7c8 in includeFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560
    #1 0x7fe7a31fc7c8 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3196
    #2 0x7fe7a32024ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7fe7a3203707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7fe7a3203707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x564fd1060f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7fe7a2e192e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x564fd1061199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7fff7fe53f40 is located in stack of thread T0 at offset 2528 in frame
    #0 0x7fe7a31e3b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis' <== Memory access at offset 2528 overflows this variable
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560 in includeFile
Shadow bytes around the buggy address:
  0x10006ffc2790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006ffc27e0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x10006ffc27f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1606==ABORTING

@egli egli added the buffer overflow label Jun 4, 2018

@egli egli closed this in fb2bfce Jun 4, 2018

@egli egli added this to the 3.6 milestone Jun 4, 2018

@abergmann

This comment has been minimized.

Copy link

abergmann commented Jun 4, 2018

CVE-2018-11684 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.