Bug 1467004

Summary: There is an Integer overflow in the libpspp library
Product: Fedora
Reporter: owl337 <v.owl337>
Component: pspp
Assignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: rawhide
CC: lemenkov
Keywords: Reopened
Fixed In Version: pspp-0.10.2-5.fc26
Last Closed: 2017-08-09 15:57:51 UTC
Type: Bug
Attachments: Triggered by “./pspp-convert POC2 -O csv /dev/null”

Description owl337 2017-07-01 12:58:56 UTC
Created attachment 1293509
Triggered by “./pspp-convert POC2 -O csv /dev/null”

Description of problem:

There is an integer overflow in the hash_int function of the libpspp library.

Version-Release number of selected component (if applicable):
 <= latest version

How reproducible:

$./pspp-convert POC2 -O csv /dev/null


Steps to Reproduce:

The debugging information (with -fsanitize=undefined enabled) is as follows:

$./pspp-convert POC2 -O csv /dev/null
 
src/libpspp/hash-functions.c:112:10: runtime error: left shift of negative value -65962946
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:112 
src/libpspp/hash-functions.c:113:10: runtime error: left shift of 1023852510 by 3 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:113 
src/libpspp/hash-functions.c:114:10: runtime error: left shift of 1422967022 by 10 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:114 
`fuzz/pspp-convert-out/crashes/id:000051,sig:06,src:001662,op:flip32,pos:472': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
=================================================================
==1036==ERROR: AddressSanitizer: negative-size-param: (size=-3)
    #0 0x4802be  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4802be)
    #1 0x7fbc96ea039b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x47339b)
    #2 0x7fbc96e9cf0b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x46ff0b)
    #3 0x7fbc96de1295  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3b4295)
    #4 0x7fbc96c111df  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e41df)
    #5 0x7fbc96c1192f  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e492f)
    #6 0x4e29a3  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4e29a3)
    #7 0x7fbc9549cabf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x436e28  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x436e28)

0x60d00000cee4 is located 68 bytes inside of 136-byte region [0x60d00000cea0,0x60d00000cf28)
allocated by thread T0 here:
    #0 0x4bddf2  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4bddf2)
    #1 0x7fbc9703ec0c  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x611c0c)
    #2 0x7fbc96e00a96  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3d3a96)
    #3 0x7fbc96dcbbdb  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x39ebdb)
    #4 0x7fbc96c10c6e  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e3c6e)
    #5 0x7fbc96c118ec  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e48ec)

==1036==ABORTING
 
106 unsigned int
107 hash_int (int x, unsigned int basis)   /* x is a signed int, so every shift below is a signed shift */
108 {
109   x -= x << 6;
110   x ^= x >> 17;
111   x -= x << 9;
112   x ^= x << 4;    /* UBSan: left shift of a negative value */
113   x -= x << 3;    /* UBSan: shifted result not representable in type 'int' */
114   x ^= x << 10;   /* UBSan: shifted result not representable in type 'int' */
115   x ^= x >> 15;
116   return x + basis;
117 }

Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability was detected by team OWL337 with the custom fuzzer collAFL by ganshuitao. If you need more info about the team, the tool or the vulnerability, please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn.
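The shifts UBSan flags in the report are undefined because x is a signed int: in C, a left shift of a negative value, or one whose result does not fit in int, has no defined result, so the hash's output (and anything keyed on it) is up to the compiler. As an added example, not pspp's code and not its upstream fix, here are the same mixing steps on uint32_t, where every operation wraps modulo 2^32, together with a small checker that reports, for a given input, the first of the quoted source lines (109..115) at which the signed version would invoke undefined behaviour; the checker assumes the arithmetic right shift that gcc and clang produce for negative operands.

```c
#include <limits.h>
#include <stdint.h>

/* Same mixing steps as the reported hash_int, but on uint32_t: every shift and
 * subtraction wraps modulo 2^32, so no input can produce undefined behaviour.
 * (Added example; not pspp's code or its upstream fix.) */
uint32_t hash_int_u32(int x_in, uint32_t basis)
{
    uint32_t x = (uint32_t) x_in;   /* signed-to-unsigned conversion is defined */
    x -= x << 6;  x ^= x >> 17;  x -= x << 9;
    x ^= x << 4;  x -= x << 3;   x ^= x << 10;
    x ^= x >> 15;
    return x + basis;
}

/* Floor (arithmetic) right shift, written without relying on the
 * implementation-defined result of >> on a negative signed value. */
static int64_t floor_shr(int64_t v, int n)
{
    return v >= 0 ? v >> n : -((-v - 1) >> n) - 1;
}

/* Returns the source line (109..115, as numbered in the report) at which the
 * signed hash_int first invokes undefined behaviour for input x, using the
 * rules UBSan applies: left shift of a negative value, a shifted result that
 * does not fit in int, or signed overflow in the subtraction. 0 = all defined. */
int first_ub_line(int x)
{
    static const struct { int line, n; char dir, op; } steps[] = {
        {109, 6, 'L', '-'}, {110, 17, 'R', '^'}, {111, 9, 'L', '-'},
        {112, 4, 'L', '^'}, {113, 3, 'L', '-'},  {114, 10, 'L', '^'},
        {115, 15, 'R', '^'},
    };
    int64_t v = x;   /* wide enough to detect any overflow of the int result */
    for (unsigned i = 0; i < sizeof steps / sizeof *steps; i++) {
        int64_t t;
        if (steps[i].dir == 'L') {
            if (v < 0) return steps[i].line;            /* negative left operand */
            t = v << steps[i].n;                        /* exact: v < 2^31, n <= 10 */
            if (t > INT_MAX) return steps[i].line;      /* does not fit in int */
        } else {
            t = floor_shr(v, steps[i].n);               /* what gcc/clang produce */
        }
        v = steps[i].op == '-' ? v - t : v ^ t;
        if (v < INT_MIN || v > INT_MAX) return steps[i].line; /* signed overflow */
    }
    return 0;
}
```

Already x = 1 is undefined at line 112 (after line 109 makes it negative, 110 flips it positive and 111 makes it negative again), and any negative input fails at line 109; only the unsigned variant is defined for every input.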

Comment 1 Andrej Nemec 2017-07-19 14:36:13 UTC
Hi owl337,

Please report these issues to upstream pspp project, if you haven't already done so.

Thanks.

Comment 2 Fedora Update System 2017-07-29 07:55:17 UTC
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 3 Fedora Update System 2017-07-31 04:23:46 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 4 Fedora Update System 2017-08-09 15:57:51 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.