Bug 1467004

Summary: There is an Integer overflow in the libpspp library
Product: Fedora
Component: pspp
Version: rawhide
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Reporter: owl337 <v.owl337>
Assignee: Peter Lemenkov <lemenkov>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: lemenkov
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pspp-0.10.2-5.fc26
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2017-08-09 15:57:51 UTC

Attachments:
Triggered by “./pspp-convert POC2 -O csv /dev/null” (flags: none)

Description owl337 2017-07-01 12:58:56 UTC
Created attachment 1293509: Triggered by “./pspp-convert POC2 -O csv /dev/null”

Description of problem:

There is an integer overflow in the hash_int function of the libpspp library.

Version-Release number of selected component (if applicable):
 <= latest version

How reproducible:

$./pspp-convert POC2 -O csv /dev/null


Steps to Reproduce:

The debugging information (with -fsanitize=undefined enabled) is as follows:

$./pspp-convert POC2 -O csv /dev/null
 
src/libpspp/hash-functions.c:112:10: runtime error: left shift of negative value -65962946
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:112 
src/libpspp/hash-functions.c:113:10: runtime error: left shift of 1023852510 by 3 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:113 
src/libpspp/hash-functions.c:114:10: runtime error: left shift of 1422967022 by 10 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:114 
`fuzz/pspp-convert-out/crashes/id:000051,sig:06,src:001662,op:flip32,pos:472': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
=================================================================
==1036==ERROR: AddressSanitizer: negative-size-param: (size=-3)
    #0 0x4802be  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4802be)
    #1 0x7fbc96ea039b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x47339b)
    #2 0x7fbc96e9cf0b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x46ff0b)
    #3 0x7fbc96de1295  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3b4295)
    #4 0x7fbc96c111df  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e41df)
    #5 0x7fbc96c1192f  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e492f)
    #6 0x4e29a3  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4e29a3)
    #7 0x7fbc9549cabf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x436e28  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x436e28)

0x60d00000cee4 is located 68 bytes inside of 136-byte region [0x60d00000cea0,0x60d00000cf28)
allocated by thread T0 here:
    #0 0x4bddf2  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4bddf2)
    #1 0x7fbc9703ec0c  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x611c0c)
    #2 0x7fbc96e00a96  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3d3a96)
    #3 0x7fbc96dcbbdb  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x39ebdb)
    #4 0x7fbc96c10c6e  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e3c6e)
    #5 0x7fbc96c118ec  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e48ec)

==1036==ABORTING
 
106 unsigned int
107 hash_int (int x, unsigned int basis)
108 {
109   x -= x << 6;
110   x ^= x >> 17;
111   x -= x << 9;
112   x ^= x << 4;
113   x -= x << 3;
114   x ^= x << 10;
115   x ^= x >> 15;
116   return x + basis;
117 }

Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability was detected by team OWL337 with the custom fuzzer collAFL by ganshuitao. If you need more information about the team, the tool or the vulnerability, please contact ganshuitao and chaoz.cn.
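
Added example (editor's code, not from the bug report, the pspp project or the Fedora package): the mixing steps of the posted hash_int carried out in unsigned arithmetic, beside an emulator that walks the original's seven statements (keyed by the source lines 109 to 115 quoted above) and reports which of them would be undefined behaviour for a given input. In C, a left shift of a negative int, or one whose result does not fit in int, is undefined (C11 6.5.7p4), and so is signed overflow in the subtractions; a right shift of a negative int is only implementation-defined, which is why lines 110 and 115 never appear in the sanitizer log. The function names, the asr32 helper and the sample inputs are assumptions of this example; the POC2 file is not on the page, so the emulator is exercised with constructed inputs and with the two intermediate values the log prints for lines 112 and 113. The ASan "negative-size-param" abort further down the log is a separate report whose trace is not symbolized; this example covers only the shifts.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Emulation helpers: reproduce two's-complement int behaviour with
   unsigned arithmetic (which is defined), so the signed original can be
   traced without ever executing its undefined shifts. */
static int to_int(uint32_t u)               /* reinterpret 32 bits as int */
{
  return u <= (uint32_t) INT_MAX ? (int) u : -(int) (UINT32_MAX - u) - 1;
}
static uint32_t asr32(uint32_t u, int n)    /* arithmetic right shift, as gcc does for int */
{
  return (u & 0x80000000u) ? (u >> n) | ~(UINT32_MAX >> n) : u >> n;
}
static int shl_ub(int x, int n)             /* C11 6.5.7p4: x << n is UB unless x >= 0 and fits */
{
  return x < 0 || x > (INT_MAX >> n);
}
static int sub_ub(int a, int b)             /* signed overflow in a - b is UB (C11 6.5p5) */
{
  long long r = (long long) a - (long long) b;
  return r < INT_MIN || r > INT_MAX;
}

/* One statement of the posted hash_int, keyed by its source line 109..115.
   Returns the value a two's-complement build computes; sets *ub (if
   non-NULL) when signed int arithmetic would make that statement undefined. */
int hash_int_step(int line, int x, int *ub)
{
  static const int  shift[7] = { 6, 17, 9, 4, 3, 10, 15 };
  static const char op[7]    = { '-', 'r', '-', '^', '-', '^', 'r' }; /* r: x ^= x >> n */
  int i = line - 109;
  uint32_t u = (uint32_t) x, sh;           /* int -> unsigned conversion is defined (mod 2^32) */
  int bad = 0;
  if (i < 0 || i > 6) { if (ub) *ub = 0; return x; }
  if (op[i] == 'r') {
    sh = asr32(u, shift[i]);               /* x >> n on negative x: implementation-defined, not UB */
    u ^= sh;
  } else {
    bad = shl_ub(x, shift[i]);
    sh = u << shift[i];
    if (op[i] == '-') {
      bad |= sub_ub(x, to_int(sh));
      u -= sh;
    } else
      u ^= sh;
  }
  if (ub) *ub = bad;
  return to_int(u);
}

/* Runs all seven statements for input x.  Returns a bitmask with bit
   (line - 109) set for each statement that would be UB; *out (if non-NULL)
   receives the hash a two's-complement build produces. */
unsigned hash_int_ub_steps(int x, unsigned int basis, unsigned int *out)
{
  unsigned mask = 0;
  for (int line = 109; line <= 115; line++) {
    int bad;
    x = hash_int_step(line, x, &bad);
    if (bad) mask |= 1u << (line - 109);
  }
  if (out) *out = (unsigned int) x + basis;
  return mask;
}

/* Convenience wrapper: the emulated hash value alone. */
unsigned int hash_int_emulated(int x, unsigned int basis)
{
  unsigned int h;
  hash_int_ub_steps(x, basis, &h);
  return h;
}

/* Hardened replacement: the same mixing carried out in uint32_t, whose
   arithmetic wraps modulo 2^32 by definition.  asr32 keeps the two right
   shifts arithmetic so the result matches the emulated signed version;
   that only matters if hash values are ever persisted or compared across builds. */
unsigned int hash_int_safe(int x, unsigned int basis)
{
  uint32_t u = (uint32_t) x;
  u -= u << 6;
  u ^= asr32(u, 17);
  u -= u << 9;
  u ^= u << 4;
  u -= u << 3;
  u ^= u << 10;
  u ^= asr32(u, 15);
  return (unsigned int) (u + basis);
}

int main(void)
{
  /* Constructed sample inputs; the bug's POC2 file is not on the page. */
  const int samples[] = { 0, 1, -1, 12345, INT_MIN, INT_MAX };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    unsigned int h;
    unsigned mask = hash_int_ub_steps(samples[i], 0, &h);
    printf("x=%11d hash=%08x UB at line:", samples[i], h);
    for (int l = 0; l < 7; l++)
      if (mask & (1u << l)) printf(" %d", 109 + l);
    printf("%s\n", mask ? "" : " none");
  }
  return 0;
}
```

Stepping the emulation from the -65962946 that the log reports at line 112 gives 1023852510, and stepping that through line 113 gives 1422967022, the two values the log reports next, so the sanitizer output is consistent with plain two's-complement wraparound. Almost any small non-zero input reaches a negative intermediate within a few statements (x = 1 trips lines 112 and 114, x = -1 trips line 109 immediately), so the POC2 file is not special in that respect; what the hardened version changes is that none of those steps is undefined, so an optimizing compiler may no longer assume they cannot happen.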

Comment 1 Andrej Nemec 2017-07-19 14:36:13 UTC
Hi owl337,

Please report these issues to upstream pspp project, if you haven't already done so.

Thanks.

Comment 2 Fedora Update System 2017-07-29 07:55:17 UTC
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 3 Fedora Update System 2017-07-31 04:23:46 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 4 Fedora Update System 2017-08-09 15:57:51 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.