Created attachment 1293509 [details]
Triggered by "./pspp-convert POC2 -O csv /dev/null"

Description of problem:
There is an integer overflow in the hash_int function of the libpspp library.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
$ ./pspp-convert POC2 -O csv /dev/null

Steps to Reproduce:
The debugging information (with -fsanitize=undefined enabled) is as follows:

$ ./pspp-convert POC2 -O csv /dev/null
src/libpspp/hash-functions.c:112:10: runtime error: left shift of negative value -65962946
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:112
src/libpspp/hash-functions.c:113:10: runtime error: left shift of 1023852510 by 3 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:113
src/libpspp/hash-functions.c:114:10: runtime error: left shift of 1422967022 by 10 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior src/libpspp/hash-functions.c:114
`fuzz/pspp-convert-out/crashes/id:000051,sig:06,src:001662,op:flip32,pos:472': This system file does not indicate its own character encoding. Using default encoding UTF-8. For best results, specify an encoding explicitly. Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
=================================================================
==1036==ERROR: AddressSanitizer: negative-size-param: (size=-3)
    #0 0x4802be (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4802be)
    #1 0x7fbc96ea039b (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x47339b)
    #2 0x7fbc96e9cf0b (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x46ff0b)
    #3 0x7fbc96de1295 (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3b4295)
    #4 0x7fbc96c111df (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e41df)
    #5 0x7fbc96c1192f (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e492f)
    #6 0x4e29a3 (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4e29a3)
    #7 0x7fbc9549cabf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x436e28 (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x436e28)

0x60d00000cee4 is located 68 bytes inside of 136-byte region [0x60d00000cea0,0x60d00000cf28)
allocated by thread T0 here:
    #0 0x4bddf2 (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/bin/pspp-convert+0x4bddf2)
    #1 0x7fbc9703ec0c (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x611c0c)
    #2 0x7fbc96e00a96 (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x3d3a96)
    #3 0x7fbc96dcbbdb (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x39ebdb)
    #4 0x7fbc96c10c6e (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e3c6e)
    #5 0x7fbc96c118ec (/home/icy/real/pspp-0.10.5-asan/pspp-0.10.5pre1/install/lib/pspp/libpspp-core-0.10.5pre1.so+0x1e48ec)
==1036==ABORTING

The affected function (src/libpspp/hash-functions.c):

106 unsigned int
107 hash_int (int x, unsigned int basis)
108 {
109   x -= x << 6;
110   x ^= x >> 17;
111   x -= x << 9;
112   x ^= x << 4;
113   x -= x << 3;
114   x ^= x << 10;
115   x ^= x >> 15;
116   return x + basis;
117 }

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability is detected by team OWL337, with the custom fuzzer collAFL by ganshuitao. If you need more info about the team, the tool or the vulnerability, please contact ganshuitao and chaoz.cn.
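The snippet in the report does its mixing on a signed int, so each left shift at lines 112-114 is undefined as soon as the operand is negative or larger than INT_MAX >> k, which is exactly what the UBSan lines quote. The following C is an added illustration, not PSPP's code and not the upstream fix: it runs the same seven mixing steps on an unsigned 32-bit value, where shifts and wraparound are defined, and pairs that with a small helper reproducing the check UBSan applies to a signed left shift, evaluated on the three operands from the sanitizer output above. The names hash_int_unsigned and shl_is_undefined are my own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Same mixing sequence as hash_int in the report (lines 109-115), but on a
   uint32_t.  Converting a negative int to unsigned is defined (it wraps
   modulo 2^32), and unsigned shifts/subtraction never overflow, so none of
   the three runtime errors quoted by UBSan can occur here.  Added example,
   not the upstream patch. */
static unsigned int
hash_int_unsigned (int x_signed, unsigned int basis)
{
  uint32_t x = (uint32_t) x_signed;
  x -= x << 6;
  x ^= x >> 17;   /* logical shift; the signed original shifts arithmetically */
  x -= x << 9;
  x ^= x << 4;    /* report line 112: UB on a negative int, defined here */
  x -= x << 3;    /* report line 113 */
  x ^= x << 10;   /* report line 114 */
  x ^= x >> 15;
  return (unsigned int) (x + basis);
}

/* Return nonzero if `v << k` on an int would be undefined behaviour:
   a negative operand, or a positive operand whose shifted value does not
   fit in int.  This mirrors the condition -fsanitize=shift diagnoses. */
static int
shl_is_undefined (int v, int k)
{
  if (k < 0 || k >= (int) (sizeof (int) * CHAR_BIT))
    return 1;                       /* shift count out of range */
  if (v < 0)
    return 1;                       /* left shift of a negative value */
  return v > (INT_MAX >> k);        /* result would not be representable */
}

int
main (void)
{
  /* Operands and shift counts taken from the UBSan lines in the report. */
  const struct { int v; int k; } cases[] = {
    { -65962946, 4 }, { 1023852510, 3 }, { 1422967022, 10 }, { 5, 4 },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf ("%d << %d : %s\n", cases[i].v, cases[i].k,
            shl_is_undefined (cases[i].v, cases[i].k) ? "undefined" : "ok");

  printf ("hash_int_unsigned(-65962946, 0) = %u\n",
          hash_int_unsigned (-65962946, 0));
  return 0;
}
```

Two caveats for anyone applying this pattern: because `>>` on an unsigned value is a logical shift while the signed original's `>>` is (on common compilers) arithmetic, hash values for negative inputs differ from what the original computed on builds where it did not happen to trap; that is harmless for in-memory hash tables but matters if hash values are ever persisted or compared across builds. And the `negative-size-param: (size=-3)` report that ASan prints later in the same run is a separate diagnostic that rewriting hash_int does not address.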
Hi owl337, Please report these issues to upstream pspp project, if you haven't already done so. Thanks.
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58
pspp-0.10.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.