Bug 1467005
Field | Value
---|---
Summary | There is a NULL Pointer Dereference in the libpspp library.
Product | [Fedora] Fedora
Reporter | owl337 <v.owl337>
Component | pspp
Assignee | Peter Lemenkov <lemenkov>
Status | CLOSED ERRATA
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | urgent
Priority | unspecified
Version | rawhide
CC | lemenkov
Target Milestone | ---
Keywords | Reopened
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | pspp-0.10.2-5.fc26
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2017-08-09 15:57:49 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1293510
It is triggered by "./pspp-convert POC1 -O csv /dev/null"

Description of problem:
There is a NULL Pointer Dereference in function ll_insert() of the libpspp library.

Version-Release number of selected component (if applicable):
<= latest

How reproducible:
./pspp-convert POC1 -O csv /dev/null

Steps to Reproduce:
The information is as follows:

```
$ ./pspp-convert POC1 -O csv /dev/null
`POC1' near offset 0x1c0: Record type 7, subtype 18 has bad size 4 (expected 1).
Segmentation fault
```

The gdb debugging information is as follows:

```
(gdb) s
ll_insert (new_elem=<optimized out>, before=<optimized out>) at ./src/libpspp/ll.h:448
448	  new_elem->next = before;
(gdb) i r $rax
rax            0x0	0
(gdb) x/3i $pc
=> 0x7ffff7a8ddfe <sfm_open+7358>:	mov    %r12,(%rax)
   0x7ffff7a8de01 <sfm_open+7361>:	mov    %rcx,0x8(%rax)
   0x7ffff7a8de05 <sfm_open+7365>:	mov    %rax,0x248(%r13)
(gdb) si
Program received signal SIGSEGV, Segmentation fault.
ll_insert (new_elem=<optimized out>, before=<optimized out>) at ./src/libpspp/ll.h:448
448	  new_elem->next = before;
```

The vulnerability was triggered in function ll_insert() at ll.h:448. In assembly mode we can see that register rax has accessed 0x0.

```c
445 ll_insert (struct ll *before, struct ll *new_elem)
446 {
447   struct ll *before_prev = ll_prev (before);
448   new_elem->next = before;
449   new_elem->prev = before_prev;
450   before_prev->next = before->prev = new_elem;
451 }
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
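The crash above is the generic failure mode of an intrusive linked-list insert that trusts its arguments: when the code that parses a file record yields NULL (here, after the "bad size 4 (expected 1)" diagnostic) and that NULL is passed straight into ll_insert(), the first store through new_elem faults. The following C program is an added, constructed example and not pspp's code; it reimplements a minimal circular doubly-linked list in the shape of the ll.h excerpt, shows the unchecked insert beside a guarded variant that rejects NULL arguments, and simulates a record parser (parse_record, a hypothetical name) that returns NULL on a size mismatch so the caller must check before inserting.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive circular doubly-linked list, modelled on the shape of
   the ll.h excerpt in the report. Constructed example, not libpspp code. */
struct ll { struct ll *prev, *next; };

static void ll_init(struct ll *head) { head->prev = head->next = head; }

static struct ll *ll_prev(const struct ll *e) { return e->prev; }

/* Unchecked insert, same shape as the excerpt: a NULL new_elem (or a NULL
   before) is dereferenced immediately, which is the SIGSEGV seen in gdb. */
static void ll_insert_unchecked(struct ll *before, struct ll *new_elem)
{
    struct ll *before_prev = ll_prev(before);
    new_elem->next = before;
    new_elem->prev = before_prev;
    before_prev->next = before->prev = new_elem;
}

/* Guarded variant: refuses NULL arguments and an unlinked 'before' node,
   so a caller feeding it parser output gets a failure it can act on. */
static bool ll_insert_checked(struct ll *before, struct ll *new_elem)
{
    if (before == NULL || new_elem == NULL || before->prev == NULL)
        return false;
    ll_insert_unchecked(before, new_elem);
    return true;
}

/* Number of elements in the list, excluding the head sentinel. */
static size_t ll_count(const struct ll *head)
{
    size_t n = 0;
    for (const struct ll *e = head->next; e != head; e = e->next)
        n++;
    return n;
}

/* Hypothetical record parser standing in for the file-format reader: a
   record whose size field does not match the expected size yields NULL,
   analogous to the "bad size 4 (expected 1)" message in the report. */
static struct ll *parse_record(struct ll *storage, int size, int expected)
{
    if (size != expected)
        return NULL;
    return storage;
}

/* Builds a list from constructed record sizes, appending each parsed
   record before the head (i.e. at the tail). Returns the number of
   elements linked; *rejected receives the number of records refused. */
static size_t build_list(const int *sizes, size_t n, int expected, size_t *rejected)
{
    struct ll head, nodes[16];
    size_t refused = 0;
    ll_init(&head);
    if (n > 16)
        n = 16;
    for (size_t i = 0; i < n; i++) {
        struct ll *e = parse_record(&nodes[i], sizes[i], expected);
        /* The check, not the parser, is what keeps NULL out of the list. */
        if (!ll_insert_checked(&head, e))
            refused++;
    }
    if (rejected)
        *rejected = refused;
    return ll_count(&head);
}

int main(void)
{
    /* Constructed record stream: one malformed record among good ones. */
    const int sizes[] = { 1, 1, 4, 1 };
    size_t rejected = 0;
    size_t linked = build_list(sizes, 4, 1, &rejected);
    printf("linked %zu records, rejected %zu malformed\n", linked, rejected);
    return 0;
}
```

The guarded insert is deliberately cheap: two pointer comparisons on a path that already touches both pointers. The more important design point is in build_list, where the result of the parser is checked before it reaches the list at all; an assertion inside ll_insert() would still turn malformed input into a crash, only a more informative one.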