Bug 1470708
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | There is an assertion abort in pspp-dump-sav.c of libpspp. | | |
| Product | [Fedora] Fedora | Reporter | owl337 <v.owl337> |
| Component | pspp | Assignee | Peter Lemenkov <lemenkov> |
| Status | CLOSED RAWHIDE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | urgent | Docs Contact | |
| Priority | unspecified | | |
| Version | rawhide | CC | lemenkov |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | pspp-1.0.1-6.fc30 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-09-27 11:33:09 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Please, report this issue to upstream. Thanks!

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
Created attachment 1297620: Triggered by "./pspp-dump-sav POC2"

Description of problem:
There is an assertion abort in pspp-dump-sav.c of libpspp.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./pspp-dump-sav POC2

Steps to Reproduce:
The information is as follows:

```
$./pspp-dump-sav POC2
File header record:
Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spss$o32.dll
Layout code: 2
Compressed: 1 (simple compression)
Weight index: 2
Number of cases: 10
Compression bias: 100
Creation date: 30
Creation time: 14:34:58
File label: ""
...
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.
Aborted
```

The GDB debugging information is as follows:

```
(gdb) set args POC2
(gdb) r
...
(gdb) s
read_string (r=<optimized out>, buffer=<optimized out>, size=<optimized out>) at utilities/pspp-dump-sav.c:1645
1645	  assert (size > 0);
(gdb) n
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff709e1c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff709e1c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff709fe2a in __GI_abort () at abort.c:89
#2  0x00007ffff70970bd in __assert_fail_base (fmt=0x7ffff71f8f78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x411fc9 "size > 0", file=file@entry=0x411fd2 "utilities/pspp-dump-sav.c", line=line@entry=1645, function=function@entry=0x411fec "void read_string(struct sfm_reader *, char *, size_t)") at assert.c:92
#3  0x00007ffff7097172 in __GI___assert_fail (assertion=0x411fc9 "size > 0", file=0x411fd2 "utilities/pspp-dump-sav.c", line=1645, function=0x411fec "void read_string(struct sfm_reader *, char *, size_t)") at assert.c:101
#4  0x000000000040c90d in read_string (r=<optimized out>, buffer=<optimized out>, size=<optimized out>) at utilities/pspp-dump-sav.c:1645
#5  read_variable_record (r=<optimized out>) at utilities/pspp-dump-sav.c:454
#6  main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-dump-sav.c:203
```

The vulnerability was triggered in read_string() at pspp-dump-sav.c:1645.

```c
1643 read_string (struct sfm_reader *r, char *buffer, size_t size)
1644 {
1645   assert (size > 0);
1646   read_bytes (r, buffer, size - 1);
1647   buffer[size - 1] = '\0';
1648 }
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
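The read_string() quoted in the report has assert() as its only guard: a file that makes the caller pass size == 0 aborts the whole tool, and if assertions were compiled out, size - 1 would wrap to SIZE_MAX and read_bytes() would be asked for an enormous read. The C below is an added example, not pspp's own code: it assumes a small in-memory stand-in for struct sfm_reader and a constructed record layout (a one-byte size prefix followed by the text) to show the same routine rewritten so that a bad size from the file becomes an error status the caller checks, and a short file becomes a truncation error rather than an over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory reader; stands in for pspp's struct sfm_reader (assumption). */
struct sfm_reader {
    const uint8_t *data;   /* whole file image */
    size_t len;            /* bytes available */
    size_t pos;            /* read cursor */
};

enum read_status { READ_OK = 0, READ_BAD_SIZE = 1, READ_TRUNCATED = 2 };

/* Copy n bytes out of the file image, refusing to run past its end. */
static enum read_status
read_bytes(struct sfm_reader *r, void *buf, size_t n)
{
    if (n > r->len - r->pos)
        return READ_TRUNCATED;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return READ_OK;
}

/* Hardened counterpart of the read_string() quoted in the report: a size of 0
   is rejected as malformed input and reported to the caller, where the
   original asserted size > 0 and aborted the process. */
enum read_status
read_string_checked(struct sfm_reader *r, char *buffer, size_t size)
{
    if (size == 0)
        return READ_BAD_SIZE;           /* original: assert (size > 0) fired here */
    enum read_status st = read_bytes(r, buffer, size - 1);
    if (st != READ_OK)
        return st;
    buffer[size - 1] = '\0';
    return READ_OK;
}

/* Parse one constructed record: a 1-byte "buffer size" taken from the file
   (so fully under the file author's control), then size-1 bytes of text.
   On READ_OK, out holds a NUL-terminated string. */
enum read_status
parse_sized_string(const uint8_t *data, size_t len, char *out, size_t out_cap)
{
    struct sfm_reader r = { data, len, 0 };
    uint8_t size;
    enum read_status st = read_bytes(&r, &size, sizeof size);
    if (st != READ_OK)
        return st;
    if (size > out_cap)                 /* bound the copy by the caller's buffer, NUL included */
        return READ_BAD_SIZE;
    return read_string_checked(&r, out, size);
}

int
main(void)
{
    /* Constructed sample records; not bytes from the POC2 file in the report. */
    static const uint8_t well_formed[] = { 0x06, 'h', 'e', 'l', 'l', 'o' };
    static const uint8_t zero_size[]   = { 0x00 };            /* the shape that tripped the assert */
    static const uint8_t truncated[]   = { 0x06, 'h', 'i' };  /* claims 5 bytes, carries 2 */
    char out[16];
    enum read_status st;

    st = parse_sized_string(well_formed, sizeof well_formed, out, sizeof out);
    printf("well-formed: status %d, text \"%s\"\n", st, st == READ_OK ? out : "");
    st = parse_sized_string(zero_size, sizeof zero_size, out, sizeof out);
    printf("zero size:   status %d (rejected, no abort)\n", st);
    st = parse_sized_string(truncated, sizeof truncated, out, sizeof out);
    printf("truncated:   status %d (rejected, no over-read)\n", st);
    return 0;
}
```

The point of the rewrite is the error path: assert() is a debugging aid for programmer invariants, not a validator for values read from untrusted files, so a size that comes from the input is checked explicitly and propagated as a status the caller can turn into a clean "malformed file" message.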