Bug 1660318
| Summary: | There is a buffer overflow at function read_bytes_internal in pspp 1.2.0. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | seri0us <teamseri0us360> | ||||
| Component: | pspp | Assignee: | Peter Lemenkov <lemenkov> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | amello, lemenkov, nsl | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pspp-1.2.0-2.fc30 pspp-1.2.0-2.fc29 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-04-03 00:39:22 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1515222 [details]
poc
This was assigned CVE-2018-20230. pspp-1.2.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de pspp-1.2.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: An issue was discovered in pspp 1.2.0. There is a buffer overflow at function read_bytes_internal, will leads to denial of service. Version-Release number of selected component (if applicable): pspp 1.2.0, pspp-dump-sav How reproducible: run in shell $ pspp-dump-sav poc Actual results: crash Additional info: asan report ``` ================================================================= ==6378==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x00000049beec bp 0x7ffc260fd5f0 sp 0x7ffc260fcda0 WRITE of size 199 at 0x602000000011 thread T0 #0 0x49beeb in __interceptor_fread.part.47 /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:978 #1 0x52605c in read_bytes_internal /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:1585:23 #2 0x52605c in read_bytes /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:1601 #3 0x52605c in open_text_record /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:1399 #4 0x51f39d in read_long_var_name_map /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:912:10 #5 0x51f39d in read_extension_record /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:626 #6 0x51f39d in main /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c:218 #7 0x7fc5a43a4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #8 0x41a4c9 in _start (/home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/installed-asan/bin/pspp-dump-sav+0x41a4c9) 0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011) allocated by thread T0 here: #0 0x4da380 in malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 #1 0x52bb7d in xmalloc /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/gl/xmalloc.c:41:13 #2 0x61600000007f (<unknown module>) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:978 in __interceptor_fread.part.47 Shadow bytes around the buggy address: 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6378==ABORTING ``` gdb info ``` 1582 read_bytes_internal (struct sfm_reader *r, bool eof_is_ok, 1583 void *buf, size_t byte_cnt) 1584 { → 1585 size_t bytes_read = fread (buf, 1, byte_cnt, r->file); 1586 if (bytes_read == byte_cnt) 1587 return true; 1588 else if (ferror (r->file)) 1589 sys_error (r, "System error: %s.", strerror (errno)); 1590 else if (!eof_is_ok || bytes_read != 0) // buf=0x602000000010, byte_cnt=0xffffffffffffffff ```