Created attachment 1297619
Triggered by "./pspp-dump-sav $POC"

Description of problem:
The vulnerability was triggered in read_mrsets() at utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't check whether the return value assigned to pointer 'number' is empty or not.

Version-Release number of selected component (if applicable):
<= latest

How reproducible:
./pspp-dump-sav POC1

Steps to Reproduce:
The information is as follows:

$ ./pspp-dump-sav POC1
File header record:
        Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spssio32.dll
        Layout code: 2
        Compressed: 1 (simple compression)
        Weight index: 0
        Number of cases: 10
        Compression bias: 100
        Creation date: 30 Jan 13
        Creation time: 14:34:58
        File label: " ??"
...
00000254: Record 7, subtype 7, size=1, count=0
00000260: multiple response sets
00000264: Record 7, subtype 19, size=1, count=71
00000270: multiple response sets
Segmentation fault

The gdb debugging information is as follows:

(gdb) set args POC1
(gdb) r
...
Breakpoint 1, read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>) at utilities/pspp-dump-sav.c:800
800	  if (!strcmp (number, "11"))
(gdb) x/5i $pc
=> 0x4081ad <main+6093>:	movzbl (%rdx),%eax
   0x4081b0 <main+6096>:	cmp    $0x31,%eax
   0x4081b3 <main+6099>:	jne    0x408214 <main+6196>
   0x4081b5 <main+6101>:	movslq %fs:(%r12),%rax
   0x4081ba <main+6106>:	mov    0x20c287(%rip),%rsi        # 0x614448 <__afl_area_ptr>
(gdb) i r rdx
rdx            0x0	0
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>) at utilities/pspp-dump-sav.c:800
800	  if (!strcmp (number, "11"))

The vulnerability was triggered in read_mrsets() at utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't detect whether the return value assigned to pointer 'number' is empty.

731 read_extra_product_info (struct sfm_reader *r,
732                          size_t size, size_t count)
733 {
...
785   else if (text_match (text, 'E'))
786     {
787       char *number;
788
789       type = MRSET_MD;
790       cat_label_from_counted_values = true;
791 ...
799       number = text_tokenize (text, ' ');
800       if (!strcmp (number, "11"))
...
}

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
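Added example, not part of the report above and not pspp's own code: the gdb output shows rdx (the first strcmp argument) holding 0 when `movzbl (%rdx),%eax` faults, i.e. text_tokenize() handed back NULL for a multiple-response-set record that ended before the expected token, and line 800 passed that NULL straight to strcmp. The C below models that path with a simplified `struct text_record` and `text_tokenize` (both assumed shapes for the example; the real definitions in utilities/pspp-dump-sav.c may differ), keeps the unchecked pattern from lines 799-800 beside a version that rejects the truncated record instead of dereferencing NULL, and runs both over constructed record bytes rather than the attached POC.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the text record that pspp-dump-sav tokenizes:
   a bounded, mutable byte buffer with a read cursor. Assumed shape for
   this example only, not the project's own definition. */
struct text_record
{
  char *buffer;   /* record bytes; tokenizing writes NULs into it */
  size_t size;    /* number of bytes in buffer */
  size_t pos;     /* read cursor */
};

/* Return the next token terminated by DELIMITER, NUL-terminating it in
   place, or NULL when the record ends before a delimiter is found.
   Modeled on the behaviour the report implies: a truncated record makes
   the tokenizer return NULL. */
static char *
text_tokenize (struct text_record *text, int delimiter)
{
  size_t start = text->pos;

  while (text->pos < text->size && text->buffer[text->pos] != delimiter)
    text->pos++;
  if (text->pos >= text->size)
    return NULL;                        /* ran off the end: no token */
  text->buffer[text->pos++] = '\0';     /* terminate token, skip delimiter */
  return &text->buffer[start];
}

/* Outcome of reading the token that follows 'E' in an MRSETS entry. */
enum e_token_result
{
  E_TOKEN_TOO_LONG = -2,    /* record larger than this example's buffer */
  E_TOKEN_TRUNCATED = -1,   /* record ended before the token's delimiter */
  E_TOKEN_OTHER = 0,        /* token present but not "11" */
  E_TOKEN_11 = 1            /* the "11" value the original strcmp looks for */
};

/* Same shape as the crashing branch (lines 799-800 of the report); only
   ever called on well-formed input here. strcmp dereferences NUMBER
   blindly, so a record that ends right after "E" reads address 0. */
static bool
read_e_token_unchecked (struct text_record *text)
{
  char *number = text_tokenize (text, ' ');
  return !strcmp (number, "11");
}

/* Hardened form: treat a NULL token as a malformed record instead of
   passing it to strcmp. */
static enum e_token_result
read_e_token (struct text_record *text)
{
  char *number = text_tokenize (text, ' ');
  if (number == NULL)
    return E_TOKEN_TRUNCATED;           /* the check line 799 lacks */
  return !strcmp (number, "11") ? E_TOKEN_11 : E_TOKEN_OTHER;
}

/* Parse one record's bytes (everything after the 'E') from a caller
   buffer, copying them first because tokenizing mutates the record. */
static enum e_token_result
parse_e_record (const char *bytes, size_t len)
{
  char buf[256];
  struct text_record text = { buf, len, 0 };

  if (len > sizeof buf)
    return E_TOKEN_TOO_LONG;
  memcpy (buf, bytes, len);
  return read_e_token (&text);
}

int
main (void)
{
  /* Constructed records for the demo, not bytes from the attached POC. */
  static const char well_formed[] = "11 5 2 ";   /* "11" then more fields */
  static const char truncated[] = "11";           /* no delimiter after "11" */
  static const char empty[] = "";                 /* record ends right after 'E' */

  char buf[sizeof well_formed];
  struct text_record text = { buf, sizeof well_formed - 1, 0 };
  memcpy (buf, well_formed, sizeof well_formed - 1);
  printf ("unchecked, well-formed: %d\n", read_e_token_unchecked (&text));

  printf ("checked, well-formed: %d\n", parse_e_record (well_formed, sizeof well_formed - 1));
  printf ("checked, truncated:   %d\n", parse_e_record (truncated, sizeof truncated - 1));
  printf ("checked, empty:       %d\n", parse_e_record (empty, 0));
  return 0;
}
```

Passing NULL to strcmp is undefined behaviour, and on the reported build it shows up as the SIGSEGV at the `movzbl (%rdx),%eax` load with rdx = 0; the checked reader turns the same input into an error return the caller can report as a malformed MRSETS record. Any other token read from these records (the tokens that follow "11" or "1" in the same branch) needs the same NULL check before it is compared or printed.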
Please, report this issue to upstream. Thanks!
pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58
(In reply to Fedora Update System from comment #3) > pspp-0.10.2-5.fc26 has been submitted as an update to Fedora 26. > https://bodhi.fedoraproject.org/updates/FEDORA-2017-03893a3b58 Wrong ticket, sorry.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.