Bug 1482429
| Field | Value |
|---|---|
| Summary | There is an illegal address access in function output_hex() of libpspp. |
| Product | Fedora |
| Component | pspp |
| Version | rawhide |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | owl337 <v.owl337> |
| Assignee | Peter Lemenkov <lemenkov> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | amello, lemenkov |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2017-10-25 23:09:44 UTC |
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1314599
Triggered by "./pspp-convert POC3 -O csv /dev/null"

Description of problem:
There is an illegal address access in function output_hex() of libpspp.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
$ ./pspp-convert POC3 -O csv /dev/null

Steps to Reproduce:
Normal output:
$ ./pspp-convert POC3 -O csv /dev/null
Segmentation fault

The ASAN && GDB debugging information is as follows:

```
(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) s
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb)
output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb)
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) bt
#0  0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
#1  output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
#2  0x00007ffff787b9a4 in data_out_pool (input=<optimized out>, encoding=<optimized out>, format=0x60c00000bcc8, pool=<optimized out>) at src/data/data-out.c:191
#3  0x00007ffff786ef05 in csv_output_format (w=0x60600000caa0, cv=<optimized out>, value=0x60300000edb8) at src/data/csv-file-writer.c:241
#4  0x00007ffff786df0d in csv_write_var__ (w=<optimized out>, cv=0x60c00000bcc0, value=0x60300000edb8) at src/data/csv-file-writer.c:367
#5  0x00007ffff786d177 in csv_write_var (value=0x60300000edb8, w=<optimized out>, cv=<optimized out>) at src/data/csv-file-writer.c:391
#6  csv_write_case (c=0x60300000eda0, w=<optimized out>) at src/data/csv-file-writer.c:405
#7  csv_file_casewriter_write (writer=<optimized out>, w_=<optimized out>, c=<optimized out>) at src/data/csv-file-writer.c:424
#8  0x00000000004dd855 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:215
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==61484==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7885bee bp 0x7ffff7ae12e0 sp 0x7fffffffd940 T0)
    #0 0x7ffff7885bed (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xd6bed)
    #1 0x7ffff787b9a3 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xcc9a3)
    #2 0x7ffff786ef04 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbff04)
    #3 0x7ffff786df0c (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbef0c)
    #4 0x7ffff786d176 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbe176)
    #5 0x4dd854 (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x4dd854)
    #6 0x7ffff621eabf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #7 0x436028 (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x436028)
AddressSanitizer can not provide additional info.
==61484==ABORTING
[Inferior 1 (process 61484) exited with code 01]
(gdb)
```

The vulnerability was triggered in function:

```
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
```

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.