Bug 1470704 - There is a NULL Pointer Dereference in pspp-dump-sav.c of libpspp
Status: NEW
Product: Fedora
Classification: Fedora
Component: pspp
Version: 27
Platform: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
Reported: 2017-07-13 09:44 EDT by owl337
Modified: 2017-08-15 05:12 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 10:21:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:
Triggered by "./pspp-dump-sav $POC" (405 bytes, application/x-rar)
2017-07-13 09:44 EDT, owl337

Description owl337 2017-07-13 09:44:28 EDT
Created attachment 1297619 [details]
Triggered by  "./pspp-dump-sav  $POC"

Description of problem:

The vulnerability was triggered in read_mrsets() at utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't check whether the returned pointer 'number' is empty or not.

Version-Release number of selected component (if applicable):

<= latest

How reproducible:

./pspp-dump-sav POC1


Steps to Reproduce:

The information is as follows:

$./pspp-dump-sav POC1
 
File header record:
	     Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spssio32.dll    
	      Layout code: 2
	       Compressed: 1 (simple compression)
	     Weight index: 0
	  Number of cases: 10
	 Compression bias: 100
	    Creation date: 30 Jan 13
	    Creation time: 14:34:58
	       File label: "                      ??"
...
00000254: Record 7, subtype 7, size=1, count=0
00000260: multiple response sets
00000264: Record 7, subtype 19, size=1, count=71
00000270: multiple response sets
Segmentation fault

The gdb debugging  information is as follows:
(gdb) set args POC1
(gdb) r
 ...

Breakpoint 1, read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>)
    at utilities/pspp-dump-sav.c:800
800	          if (!strcmp (number, "11"))
(gdb) x/5i $pc
=> 0x4081ad <main+6093>:	movzbl (%rdx),%eax
   0x4081b0 <main+6096>:	cmp    $0x31,%eax
   0x4081b3 <main+6099>:	jne    0x408214 <main+6196>
   0x4081b5 <main+6101>:	movslq %fs:(%r12),%rax
   0x4081ba <main+6106>:	mov    0x20c287(%rip),%rsi        # 0x614448 <__afl_area_ptr>

(gdb) i r rdx
rdx            0x0	0
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>) at utilities/pspp-dump-sav.c:800
800	          if (!strcmp (number, "11"))

The vulnerability was triggered in read_mrsets() at utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't check whether the returned pointer 'number' is empty.
 731 read_extra_product_info (struct sfm_reader *r,
 732                          size_t size, size_t count)
 733 { 
 ...
 785       else if (text_match (text, 'E'))
 786         {
 787           char *number;
 788 
 789           type = MRSET_MD;
 790           cat_label_from_counted_values = true;
 791 
 ...
 799           number = text_tokenize (text, ' ');
 800           if (!strcmp (number, "11"))
 ...
     }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
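Added example (not pspp's code and not part of this report): a stand-in tokenizer modeled on the behaviour the report implies for text_tokenize(), returning NULL once the record text is exhausted, next to an 'E' branch that tests the pointer before strcmp() touches it, which is the check missing at pspp-dump-sav.c:799-800. The names tokenize, parse_md_flag, parse_record, struct text and the mrset_result values are assumptions for the example; the sample records are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cursor over a mutable text buffer. The length is stored separately because
 * the tokenizer writes '\0' into the buffer, so strlen() cannot be trusted
 * after the first call. (Hypothetical type, not pspp's.) */
struct text
{
  char *buf;
  size_t len;
  size_t pos;
};

/* Stand-in for a text_tokenize()-style helper (assumption: pspp's helper
 * returns NULL once no further token is available, which is what the crash
 * report implies). Returns the next delimiter-separated token, terminating
 * it in place, or NULL when the input is exhausted. */
static char *
tokenize (struct text *t, char delim)
{
  if (t->pos >= t->len)
    return NULL;                       /* nothing left: callers must check */
  char *start = t->buf + t->pos;
  char *end = memchr (start, delim, t->len - t->pos);
  if (end == NULL)
    t->pos = t->len;                   /* last token runs to end of buffer */
  else
    {
      *end = '\0';
      t->pos = (size_t) (end - t->buf) + 1;
    }
  return start;
}

enum mrset_result
{
  MRSET_OK_11,          /* "E 11 ...": counted-value flag present */
  MRSET_OK_OTHER,       /* "E <something else> ..." */
  MRSET_ERR_NOT_E,      /* record does not start with the 'E' marker */
  MRSET_ERR_TRUNCATED,  /* record ends right after 'E': no number token */
  MRSET_ERR_TOO_LONG    /* input exceeds the private copy buffer */
};

/* Hardened form of the pattern at pspp-dump-sav.c:799-800: the pointer
 * returned by the tokenizer is tested before strcmp() dereferences it.
 * The original calls strcmp (number, "11") unconditionally, which is the
 * NULL dereference the report describes. */
static enum mrset_result
parse_md_flag (struct text *t)
{
  char *number = tokenize (t, ' ');
  if (number == NULL)
    return MRSET_ERR_TRUNCATED;        /* report an error instead of crashing */
  return strcmp (number, "11") == 0 ? MRSET_OK_11 : MRSET_OK_OTHER;
}

/* Parses one constructed "E <number> ..." record text. Works on a private
 * copy so the tokenizer may write terminators into it. */
enum mrset_result
parse_record (const char *input)
{
  char copy[256];
  size_t len = strlen (input);
  if (len >= sizeof copy)
    return MRSET_ERR_TOO_LONG;
  memcpy (copy, input, len + 1);
  struct text t = { copy, len, 0 };

  char *kind = tokenize (&t, ' ');
  if (kind == NULL || strcmp (kind, "E") != 0)
    return MRSET_ERR_NOT_E;
  return parse_md_flag (&t);
}

int
main (void)
{
  /* Constructed inputs: well-formed records and the truncated shape the
   * fuzzer produced, where the number token is simply absent. */
  const char *samples[] = { "E 11 label", "E 0 label", "E", "E ", "" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("\"%s\" -> %d\n", samples[i], (int) parse_record (samples[i]));
  return 0;
}
```

The truncated inputs return MRSET_ERR_TRUNCATED from parse_record rather than reaching strcmp() with a NULL pointer; the same one-line check is what the 'E' branch in read_mrsets() needs after its text_tokenize() call.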
Comment 1 Andrej Nemec 2017-07-25 10:21:12 EDT
Please, report this issue to upstream. Thanks!
Comment 3 Fedora Update System 2017-07-29 03:52:54 EDT
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58
Comment 4 Peter Lemenkov 2017-07-29 03:56:27 EDT
(In reply to Fedora Update System from comment #3)
> pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26.
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58

Wrong ticket, sorry.
Comment 5 Jan Kurik 2017-08-15 05:12:04 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
