Bug 112269 - There is a heap overflow in libwpd. This vulnerability can be triggered in libreoffice.
Summary: There is a heap overflow in libwpd. This vulnerability can be triggered in li...
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium normal
Assignee: Caolán McNamara
URL:
Whiteboard: target:6.0.0 target:5.3.7 target:5.4.2
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-09-07 09:08 UTC by owl337
Modified: 2017-09-07 18:22 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description owl337 2017-09-07 09:08:05 UTC
Description of problem:

There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice. It may be exist in other office applications.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./wpd2html POC1

Steps to Reproduce:


=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910) 
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]


$./wpd2html POC1
Segmentation fault

The GDB debugging information is as follow:

(gdb)set args POC1
(gdb)r
(gdb) i b
Num     Type           Disp Enb Address            What
5       breakpoint     keep y   0x00007ffff7b87f37 in WPXTableList::WPXTableList(WPXTableList const&) 
                                                   at WPXTable.cpp:170
	breakpoint already hit 18 times
(gdb) p m_refCount 
$7 = (int *) 0x6e616d6f522077
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
170			(*m_refCount)++;
(gdb) bt
#0  0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
#1  0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>) at ./WPXPageSpan.h:66
#2  WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized out>) at WP5StylesListener.cpp:94
#3  0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>, encryption=<optimized out>, 
    listener=<optimized out>) at WP5Parser.cpp:102
#4  0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0, documentInterface=0x7fffffffe420)
    at WP5Parser.cpp:234
#5  0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0, textInterface=0x7fffffffe420, 
    fileFormat=<optimized out>) at WPDocument.cpp:460
#6  0x00007ffff7b0492a in WP3ContentListener::insertWP51Table (this=0x7fffffffe1c8, height=<optimized out>, 
    width=<optimized out>, verticalOffset=<optimized out>, horizontalOffset=<optimized out>, 
    leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535, subDocument=0x627280, caption=0x627320)
    at WP3ContentListener.cpp:867
#7  0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0, listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8  0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>, listener=<optimized out>, 
    encryption=<optimized out>) at WP3Parser.cpp:107
#9  WP3Parser::parse (this=<optimized out>, input=<optimized out>, encryption=<optimized out>, listener=<optimized out>)
    at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>, textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>, textInterface=<optimized out>, password=0x0)
    at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at wpd2html.cpp:116


There is a error memory access in the function WPXTableList::WPXTableList() at line WPXTable.cpp:170. 
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166         m_tableList(tableList.get()),
167         m_refCount(tableList.getRef())
168 {
169         if (m_refCount)
170                 (*m_refCount)++;
171 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 owl337 2017-09-07 09:13:25 UTC
We also report this vulnerability to "https://bugzilla.redhat.com/show_bug.cgi?id=1489337" because libwpd pays impact in other office applications.
Comment 2 Julien Nabet 2017-09-07 09:46:48 UTC
David: since it concerns libwpd, thought you might be interested in this one?
Comment 3 Caolán McNamara 2017-09-07 12:33:40 UTC
https://sourceforge.net/p/libwpd/tickets/14/
Comment 4 Commit Notification 2017-09-07 15:24:55 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=dd89afa6ee8166b69e7a1e86f22616ca8fc122c9

Resolves: tdf#112269 libwpd fix

It will be available in 6.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 5 Commit Notification 2017-09-07 18:22:33 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=05da1c67e49a2d758799db735a826c4d292fea44&h=libreoffice-5-3

Resolves: tdf#112269 libwpd fix

It will be available in 5.3.7.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2017-09-07 18:22:42 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c0d54f7080a22074cac7eeb78893116c36114871&h=libreoffice-5-4

Resolves: tdf#112269 libwpd fix

It will be available in 5.4.2.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.