Bug 1482429

Summary: There is an illegal address access in function output_hex() of libpspp.
Product: Fedora
Component: pspp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: owl337 <v.owl337>
Assignee: Peter Lemenkov <lemenkov>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: amello, lemenkov
Fixed In Version: pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27
Last Closed: 2017-10-25 23:09:44 UTC
Type: Bug

Attachments:
  Triggered by "./pspp-convert POC3 -O csv /dev/null" (flags: none)

Description owl337 2017-08-17 09:06:17 UTC
Created attachment 1314599: Triggered by "./pspp-convert POC3 -O csv /dev/null"

Description of problem:

There is an illegal address access in function output_hex() of libpspp.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

$./pspp-convert POC3 -O csv /dev/null

Steps to Reproduce:


Normal output:

$./pspp-convert POC3 -O csv /dev/null
Segmentation fault

The ASan and GDB debugging information is as follows:

(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>)
    at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) s
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) 
output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) 
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) bt
#0  0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
#1  output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
#2  0x00007ffff787b9a4 in data_out_pool (input=<optimized out>, encoding=<optimized out>, format=0x60c00000bcc8, pool=<optimized out>)
    at src/data/data-out.c:191
#3  0x00007ffff786ef05 in csv_output_format (w=0x60600000caa0, cv=<optimized out>, value=0x60300000edb8) at src/data/csv-file-writer.c:241
#4  0x00007ffff786df0d in csv_write_var__ (w=<optimized out>, cv=0x60c00000bcc0, value=0x60300000edb8) at src/data/csv-file-writer.c:367
#5  0x00007ffff786d177 in csv_write_var (value=0x60300000edb8, w=<optimized out>, cv=<optimized out>) at src/data/csv-file-writer.c:391
#6  csv_write_case (c=0x60300000eda0, w=<optimized out>) at src/data/csv-file-writer.c:405
#7  csv_file_casewriter_write (writer=<optimized out>, w_=<optimized out>, c=<optimized out>) at src/data/csv-file-writer.c:424
#8  0x00000000004dd855 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:215
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==61484==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7885bee bp 0x7ffff7ae12e0 sp 0x7fffffffd940 T0)
    #0 0x7ffff7885bed  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xd6bed)
    #1 0x7ffff787b9a3  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xcc9a3)
    #2 0x7ffff786ef04  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbff04)
    #3 0x7ffff786df0c  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbef0c)
    #4 0x7ffff786d176  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbe176)
    #5 0x4dd854  (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x4dd854)
    #6 0x7ffff621eabf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #7 0x436028  (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x436028)

AddressSanitizer can not provide additional info.
==61484==ABORTING
[Inferior 1 (process 61484) exited with code 01]
(gdb) 

The vulnerability was triggered in function:
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];



Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
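The trace above faults on the read `data[i]` at data-out.c:1167 while AddressSanitizer reports the access at address 0x0, which is consistent with the source pointer handed to output_hex() being NULL; the byte count (bytes=8) is derived from the format width (format->w / 2) in the caller, frame #1. The C below is an added illustration written for this report, not PSPP's output_hex() or the fix shipped in pspp-1.0.1: it shows a hex formatter of the same shape whose caller validates the width, the source pointer and the available source and destination lengths before the loop runs, so a malformed input is reported as an error instead of dereferenced. The names hex_encode and format_ahex and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative hex formatter (added example, not PSPP's output_hex()).
   Writes 2*nbytes upper-case hex digits plus a terminating NUL into out.
   Returns the number of hex characters written, or -1 on invalid input.
   The crash in the report faults reading data[i] at address 0, so a NULL
   source pointer is rejected here before any read happens. */
static const char hex_digits[] = "0123456789ABCDEF";

long hex_encode(char *out, size_t out_cap, const uint8_t *data, size_t nbytes)
{
    if (out == NULL || data == NULL)
        return -1;
    /* 2*nbytes+1 must fit in out without overflowing the size arithmetic */
    if (nbytes > (SIZE_MAX - 1) / 2 || out_cap < nbytes * 2 + 1)
        return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i]     = hex_digits[data[i] >> 4];
        out[2 * i + 1] = hex_digits[data[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return (long)(2 * nbytes);
}

/* Mirrors the call shape in frame #1, where the byte count is format->w / 2.
   value_len is the number of bytes actually backing the value; the width is
   checked against it so the loop can never read past the value's storage. */
long format_ahex(char *out, size_t out_cap,
                 const uint8_t *value, size_t value_len, int width)
{
    if (width < 0 || (width % 2) != 0)
        return -1;                       /* AHEX widths must be even */
    size_t nbytes = (size_t)width / 2;
    if (value == NULL || nbytes > value_len)
        return -1;                       /* NULL or too-short source */
    return hex_encode(out, out_cap, value, nbytes);
}

int main(void)
{
    /* constructed sample input: 8 bytes, width 16, like bytes=8 in the trace */
    const uint8_t sample[8] = { 0xBE, 0x01, 0x7F, 0x80, 0xFF, 0x00, 0x10, 0xAB };
    char buf[32];
    long n = format_ahex(buf, sizeof buf, sample, sizeof sample, 16);
    printf("%ld %s\n", n, buf);
    /* the failure mode from the report: NULL source is refused, not read */
    printf("%ld\n", format_ahex(buf, sizeof buf, NULL, 0, 16));
    return 0;
}
```

The return code, rather than a bare assertion, lets the CSV writer in the trace (csv_output_format) treat a bad value as a per-field error and keep converting the rest of the file; a fuzz harness that feeds crafted inputs to the converter then sees a clean error instead of a SIGSEGV.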

Comment 1 Fedora Update System 2017-10-09 16:38:41 UTC
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 2 Fedora Update System 2017-10-09 16:39:06 UTC
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 3 Fedora Update System 2017-10-11 02:53:51 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 4 Fedora Update System 2017-10-11 06:28:13 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 5 Fedora Update System 2017-10-25 23:09:44 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-11-11 02:50:45 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.