Bug 1482436

Summary: There is an assertion abort in function parse_attributes() of libpspp
Product: [Fedora] Fedora Reporter: owl337 <v.owl337>
Component: psppAssignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: amello, lemenkov
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-25 23:09:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by "./pspp-convert POC6 -O csv /dev/null" none

Description owl337 2017-08-17 09:21:03 UTC 
Created attachment 1314607 [details]
Triggered by "./pspp-convert POC6 -O csv /dev/null"

Description of problem:

There is an assertion abort in function parse_attributes() of libpspp

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./pspp-convert POC6 -O csv /dev/null

Steps to Reproduce:


Normal output:

$./pspp-convert POC6 -O csv /dev/null
`id:000177,sig:06,src:001277,op:havoc,rep:2': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
`id:000177,sig:06,src:001277,op:havoc,rep:2' near offset 0x2a0: Attribute value ?AR[1] is not quoted: '001	VAR00002=VAR00002	VAR00003=VAR00003	VAR00.
`id:000177,sig:06,src:001277,op:havoc,rep:2' near offset 0x2a0: Error parsing attribute value ?AR[2].
`id:000177,sig:06,src:001277,op:havoc,rep:2' near offset 0x2f7: Error parsing attribute value ?AR[2].
pspp-convert: src/data/attributes.c:240: void attrset_add(struct attrset *, struct attribute *): Assertion `attrset_lookup (set, name) == ((void*)0)' failed.
Aborted


The  GDB debugging information is as follows:

(gdb) r
...

Breakpoint 7, parse_attributes (r=<optimized out>, text=<optimized out>, attrs=<optimized out>) at src/data/sys-file-reader.c:2344
2344	        attrset_add (attrs, attr);
(gdb) c
Continuing.
`id:000177,sig:06,src:001277,op:havoc,rep:2' near offset 0x2f7: Error parsing attribute value ?AR[2].

Breakpoint 7, parse_attributes (r=<optimized out>, text=<optimized out>, attrs=<optimized out>) at src/data/sys-file-reader.c:2344
2344	        attrset_add (attrs, attr);
(gdb) n
pspp-convert: src/data/attributes.c:240: void attrset_add(struct attrset *, struct attribute *): Assertion `attrset_lookup (set, name) == ((void*)0)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6234e2a in __GI_abort () at abort.c:89
#2  0x00007ffff622c0bd in __assert_fail_base (fmt=0x7ffff638df78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x7ffff7adb140 <.str1> "attrset_lookup (set, name) == ((void*)0)", 
    file=file@entry=0x7ffff7adb1a0 <.str2> "src/data/attributes.c", line=line@entry=240, 
    function=function@entry=0x7ffff7adb1e0 <__PRETTY_FUNCTION__.attrset_add> "void attrset_add(struct attrset *, struct attribute *)")
    at assert.c:92
#3  0x00007ffff622c172 in __GI___assert_fail (assertion=0x7ffff7adb140 <.str1> "attrset_lookup (set, name) == ((void*)0)", 
    file=0x7ffff7adb1a0 <.str2> "src/data/attributes.c", line=240, 
    function=0x7ffff7adb1e0 <__PRETTY_FUNCTION__.attrset_add> "void attrset_add(struct attrset *, struct attribute *)") at assert.c:101
#4  0x00007ffff784b416 in attrset_add (set=<optimized out>, attr=<optimized out>) at src/data/attributes.c:240
#5  0x00007ffff7924965 in parse_attributes (r=<optimized out>, text=<optimized out>, attrs=<optimized out>) at src/data/sys-file-reader.c:2344
#6  0x00007ffff791a61b in parse_variable_attributes (record=<optimized out>, dict=<optimized out>, r=<optimized out>)
    at src/data/sys-file-reader.c:2375
#7  sfm_decode (r_=<optimized out>, encoding=<optimized out>, dictp=<optimized out>, infop=<optimized out>) at src/data/sys-file-reader.c:850
#8  0x00007ffff78480c1 in any_reader_decode (any_reader=0x61800000f880, encoding=0x0, dictp=0x7fffffffe380, info=0x0)
    at src/data/any-reader.c:147
#9  any_reader_open_and_decode (handle=<optimized out>, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:171
#10 0x00000000004dcc97 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:174
(gdb) 

The vulnerability was triggered in function:
parse_attributes (r=<optimized out>, text=<optimized out>, attrs=<optimized out>) at src/data/sys-file-reader.c:2344
2344	        attrset_add (attrs, attr);



Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 Fedora Update System 2017-10-09 16:38:23 UTC 
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e
Comment 2 Fedora Update System 2017-10-09 16:38:56 UTC 
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8
Comment 3 Fedora Update System 2017-10-11 02:53:42 UTC 
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8
Comment 4 Fedora Update System 2017-10-11 06:28:06 UTC 
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e
Comment 5 Fedora Update System 2017-10-25 23:09:36 UTC 
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2017-11-11 02:50:36 UTC 
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.