Bug 1482432
| Field | Value |
|---|---|
| Summary | There is a reachable assertion abort in function dict_add_mrset() of libpspp. |
| Product | Fedora |
| Reporter | owl337 <v.owl337> |
| Component | pspp |
| Assignee | Peter Lemenkov <lemenkov> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| CC | amello, lemenkov |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-10-25 23:09:41 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1314602 [details]
Triggered by "./pspp-convert POC4 -O csv /dev/null"

Description of problem:
There is a reachable assertion abort in function dict_add_mrset() of libpspp.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./pspp-convert POC4 -O csv /dev/null

Steps to Reproduce:

Normal output:

```
$ ./pspp-convert POC4 -O csv /dev/null
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x3b7: Record type 7, subtype 3 found here has the same type as the record found near offset 0x1c0. For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x3e7: Record type 7, subtype 4 found here has the same type as the record found near offset 0x1f0. For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x40f: Record type 7, subtype 11 found here has the same type as the record found near offset 0x218. For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x44f: Missing new-line parsing variable names at offset 72 in MRSETS record.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x258: Missing new-line parsing variable names at offset 72 in MRSETS record.
`id:000079,sig:06,src:002419,op:havoc,rep:2': This system file does not indicate its own character encoding. Using default encoding UTF-8. For best results, specify an encoding explicitly. Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x104: Variable VAR00003 with width 0 has invalid write format 0x10802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x120: Variable VAR00004 with width 0 has invalid print format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x124: Variable VAR00004 with width 0 has invalid write format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2cb: Renaming variable with duplicate name `VAR00002' to `VAR001'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2d7: Variable VAR001 with width 8 has invalid print format 0x50802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2db: Variable VAR001 with width 8 has invalid write format 0x50802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2eb: Renaming variable with duplicate name `VAR00003' to `VAR002'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2fb: Variable VAR002 with width 0 has invalid write format 0x10802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x30b: Renaming variable with duplicate name `VAR00004' to `VAR003'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x317: Variable VAR003 with width 0 has invalid print format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x31b: Variable VAR003 with width 0 has invalid write format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2': Suppressing further invalid format warnings.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x32b: Duplicate value label for 1 on VAR00002.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x32b: Duplicate value label for 2 on VAR00002.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 2 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 3 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 4 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x218: Extension 11 has bad count 12 (for 8 variables).
`id:000079,sig:06,src:002419,op:havoc,rep:2': MRSET $FL00001 has only one variable.
pspp-convert: src/data/dictionary.c:1489: _Bool dict_add_mrset(struct dictionary *, struct mrset *): Assertion `mrset_ok (mrset, dict)' failed.
Aborted
```

The GDB debugging information is as follows:

```
(gdb) r
...
Breakpoint 2, dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
1489	  assert (mrset_ok (mrset, dict));
(gdb) list
1484	bool
1485	dict_add_mrset (struct dictionary *dict, struct mrset *mrset)
1486	{
1487	  size_t idx;
1488	
1489	  assert (mrset_ok (mrset, dict));
1490	
1491	  idx = dict_lookup_mrset_idx (dict, mrset->name);
1492	  if (idx == SIZE_MAX)
1493	    {
(gdb) bt
#0  dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
#1  0x00007ffff7918c43 in decode_mrsets (dict=<optimized out>, r=<optimized out>) at src/data/sys-file-reader.c:1917
#2  sfm_decode (r_=<optimized out>, encoding=<optimized out>, dictp=0x7fffffffe380, infop=0x0) at src/data/sys-file-reader.c:836
#3  0x00007ffff78480c1 in any_reader_decode (any_reader=0x61800000f880, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:147
#4  any_reader_open_and_decode (handle=<optimized out>, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:171
#5  0x00000000004dcc97 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:174
(gdb) n
pspp-convert: src/data/dictionary.c:1489: _Bool dict_add_mrset(struct dictionary *, struct mrset *): Assertion `mrset_ok (mrset, dict)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)
```

The vulnerability was triggered in function:

```
dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
1489	  assert (mrset_ok (mrset, dict));
```

Actual results:
crash

Expected results:
crash

Additional info:

Credits:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
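The last warning before the abort ("MRSET $FL00001 has only one variable") shows the reader handing a set parsed from untrusted file data straight to dict_add_mrset(), whose assert(mrset_ok()) is a library invariant, not an input check. The defensive pattern is to validate at the reader boundary and treat a malformed set as a data error. The following is an added example, not pspp's own code: the struct layouts, field names and the exact checks are assumptions modelled loosely on the names in the backtrace.

```c
/* Added example (not pspp code): reject a malformed multiple-response set
   at the parser boundary instead of letting it reach an assert().
   Struct shapes and the checks below are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct dictionary { const char *vars[8]; size_t n_vars; };            /* hypothetical */
struct mrset { const char *name; const char **vars; size_t n_vars; };  /* hypothetical */

/* Returns NULL if the set is acceptable, otherwise a message naming the
   first problem.  Input comes from an untrusted file, so a failure here is
   an ordinary error path for the caller, never an assertion. */
static const char *mrset_check (const struct mrset *m, const struct dictionary *d)
{
  if (m->name == NULL || m->name[0] != '$' || m->name[1] == '\0')
    return "MRSET name must be non-empty and start with '$'";
  if (m->n_vars < 2)
    return "MRSET has fewer than two variables";
  for (size_t i = 0; i < m->n_vars; i++) {
    bool found = false;
    for (size_t j = 0; j < d->n_vars && !found; j++)
      found = strcmp (m->vars[i], d->vars[j]) == 0;
    if (!found)
      return "MRSET refers to a variable not in the dictionary";
  }
  return NULL;
}

/* Boundary wrapper: the (hypothetical) library add would only be invoked
   once the check passes; *why carries the rejection reason otherwise. */
static bool dict_add_mrset_checked (const struct dictionary *d, const struct mrset *m, const char **why)
{
  *why = mrset_check (m, d);
  return *why == NULL;
}

int main (void)
{
  struct dictionary d = { { "VAR00001", "VAR00002", "VAR00003" }, 3 };  /* constructed */
  const char *one[] = { "VAR00002" };               /* constructed: the one-variable case */
  const char *two[] = { "VAR00002", "VAR00003" };
  struct mrset bad = { "$FL00001", one, 1 }, good = { "$FL00002", two, 2 };
  const char *why;
  printf ("%s: %s\n", bad.name, dict_add_mrset_checked (&d, &bad, &why) ? "added" : why);
  printf ("%s: %s\n", good.name, dict_add_mrset_checked (&d, &good, &why) ? "added" : why);
  return 0;
}
```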