Bug 1467004 - There is an Integer overflow in the libpspp library
Summary: There is an Integer overflow in the libpspp library
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pspp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-01 12:58 UTC by owl337
Modified: 2017-08-09 15:57 UTC (History)
1 user (show)

Fixed In Version: pspp-0.10.2-5.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-09 15:57:51 UTC


Attachments (Terms of Use)
Triggered by “./pspp-convert POC2 -O csv /dev/null” (365 bytes, application/x-rar)
2017-07-01 12:58 UTC, owl337
no flags Details

Description owl337 2017-07-01 12:58:56 UTC
Created attachment 1293509 [details]
Triggered by “./pspp-convert POC2 -O csv /dev/null”

Description of problem:

There is an Integer overflow in hash_int function of the libpspp library 

Version-Release number of selected component (if applicable):
 <= latest version

How reproducible:

$./pspp-convert POC2 -O csv /dev/null


Steps to Reproduce:

The debugging information(with -fsanitize=undefined enable) is as follows :

$./pspp-convert POC2 -O csv /dev/null
 
src/libpspp/hash-functions.c:112:10: runtime error: left shift of negative value -65962946
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:112 
src/libpspp/hash-functions.c:113:10: runtime error: left shift of 1023852510 by 3 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:113 
src/libpspp/hash-functions.c:114:10: runtime error: left shift of 1422967022 by 10 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:114 
`fuzz/pspp-convert-out/crashes/id:000051,sig:06,src:001662,op:flip32,pos:472': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
=================================================================
==1036==ERROR: AddressSanitizer: negative-size-param: (size=-3)
    #0 0x4802be  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4802be)
    #1 0x7fbc96ea039b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x47339b)
    #2 0x7fbc96e9cf0b  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x46ff0b)
    #3 0x7fbc96de1295  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3b4295)
    #4 0x7fbc96c111df  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e41df)
    #5 0x7fbc96c1192f  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e492f)
    #6 0x4e29a3  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4e29a3)
    #7 0x7fbc9549cabf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x436e28  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x436e28)

0x60d00000cee4 is located 68 bytes inside of 136-byte region [0x60d00000cea0,0x60d00000cf28)
allocated by thread T0 here:
    #0 0x4bddf2  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4bddf2)
    #1 0x7fbc9703ec0c  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x611c0c)
    #2 0x7fbc96e00a96  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3d3a96)
    #3 0x7fbc96dcbbdb  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x39ebdb)
    #4 0x7fbc96c10c6e  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e3c6e)
    #5 0x7fbc96c118ec  (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e48ec)

==1036==ABORTING
 
106 unsigned int
107 hash_int (int x, unsigned int basis)
108 {
109   x -= x << 6;
110   x ^= x >> 17;
111   x -= x << 9;
112   x ^= x << 4;
113   x -= x << 3;
114   x ^= x << 10;
115   x ^= x >> 15;
116   return x + basis;
117 }

Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability is detected by team OWL337, with the custom fuzzer collAFL by ganshuitao. If you need more info about the team, the tool or the vulnerability, please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn.

Comment 1 Andrej Nemec 2017-07-19 14:36:13 UTC
Hi owl337,

Please report these issues to upstream pspp project, if you haven't already done so.

Thanks.

Comment 2 Fedora Update System 2017-07-29 07:55:17 UTC
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 3 Fedora Update System 2017-07-31 04:23:46 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Comment 4 Fedora Update System 2017-08-09 15:57:51 UTC
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.