New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASAn stack-based buffer overflow in compileTranslationTable.c in 3038 in compileHyphenation #593

Closed
fgeek opened this Issue Jun 2, 2018 · 4 comments

Comments

Projects
None yet
4 participants
@fgeek

fgeek commented Jun 2, 2018

9da60dd470ed9a8e2dddc7fdecd14f5c12b5326d.ctb.zip
Tested commit: b381efd
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

./lou_checktable 9da60dd470ed9a8e2dddc7fdecd14f5c12b5326d.ctb
=================================================================
==7998==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe38b6b4a0 at pc 0x7f3e741d3049 bp 0x7ffe38b6aa30 sp 0x7ffe38b6aa28
WRITE of size 1 at 0x7ffe38b6b4a0 thread T0
    #0 0x7f3e741d3048 in compileHyphenation /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3038
    #1 0x7f3e741d3048 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3184
    #2 0x7f3e741df4ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7f3e741e0707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7f3e741e0707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x5589513a7f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7f3e73df62e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x5589513a8199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7ffe38b6b4a0 is located in stack of thread T0 at offset 2528 in frame
    #0 0x7f3e741c0b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis' <== Memory access at offset 2528 overflows this variable
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3038 in compileHyphenation
Shadow bytes around the buggy address:
  0x100047165640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100047165650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100047165660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100047165670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100047165680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100047165690: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000471656a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000471656b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000471656c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000471656d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000471656e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7998==ABORTING
@fgeek

This comment has been minimized.

fgeek commented Jun 2, 2018

After 230 million AFL fuzzer executions and ~1922 crashes found I can only detect these three open issues currently when using lou_checktable binary. I can also check other binaries later.

Thank you again for your work to create good open-source software. Much appreciated.

@sthibaul

This comment has been minimized.

Contributor

sthibaul commented Jun 3, 2018

Well, it's good to check lou_checktable, but attackers usually control the text input, not the braille table, so it'd be more useful to try to run e.g.

lou_translate en-us-g2.ctb < fuzzy-input.txt

and even doing it for all .tbl, .ctb, and .utb files

@fgeek

This comment has been minimized.

fgeek commented Jun 3, 2018

@sthibaul I can do that next. Thanks

@egli egli added the buffer overflow label Jun 4, 2018

@egli egli closed this in b5049cb Jun 4, 2018

@egli egli added this to the 3.6 milestone Jun 4, 2018

@abergmann

This comment has been minimized.

abergmann commented Jun 4, 2018

CVE-2018-11685 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment