Bug 1470708 - There is an assertion abort in pspp-dump-sav.c of libpspp.
Status: NEW
Product: Fedora
Classification: Fedora
Component: pspp
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Assigned To: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
: Reopened
Reported: 2017-07-13 09:48 EDT by owl337
Modified: 2017-08-15 05:10 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 10:21:19 EDT
Type: Bug


Attachments
Triggered by "./pspp-dump-sav POC2" (327 bytes, application/x-rar)
2017-07-13 09:48 EDT, owl337

Description owl337 2017-07-13 09:48:44 EDT
Created attachment 1297620 [details]
Triggered by "./pspp-dump-sav POC2"

Description of problem:

There is an assertion abort in pspp-dump-sav.c of libpspp.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./pspp-dump-sav POC2


Steps to Reproduce:

The information is as follows:

$./pspp-dump-sav POC2
File header record:
	     Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spss$o32.dll    
	      Layout code: 2
	       Compressed: 1 (simple compression)
	     Weight index: 2
	  Number of cases: 10
	 Compression bias: 100
	    Creation date: 30    
	    Creation time: 14:34:58
	       File label: ""
...
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.
Aborted

The GDB debugging information is as follows:

(gdb) set args POC2
(gdb) r
 ...
(gdb) s
read_string (r=<optimized out>, buffer=<optimized out>, size=<optimized out>) at utilities/pspp-dump-sav.c:1645
1645	  assert (size > 0);
(gdb) n
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff709e1c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff709e1c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff709fe2a in __GI_abort () at abort.c:89
#2  0x00007ffff70970bd in __assert_fail_base (fmt=0x7ffff71f8f78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x411fc9 "size > 0", file=file@entry=0x411fd2 "utilities/pspp-dump-sav.c", 
    line=line@entry=1645, function=function@entry=0x411fec "void read_string(struct sfm_reader *, char *, size_t)")
    at assert.c:92
#3  0x00007ffff7097172 in __GI___assert_fail (assertion=0x411fc9 "size > 0", file=0x411fd2 "utilities/pspp-dump-sav.c", 
    line=1645, function=0x411fec "void read_string(struct sfm_reader *, char *, size_t)") at assert.c:101
#4  0x000000000040c90d in read_string (r=<optimized out>, buffer=<optimized out>, size=<optimized out>)
    at utilities/pspp-dump-sav.c:1645
#5  read_variable_record (r=<optimized out>) at utilities/pspp-dump-sav.c:454
#6  main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-dump-sav.c:203


The vulnerability was triggered in read_string() at pspp-dump-sav.c:1645.

1643 read_string (struct sfm_reader *r, char *buffer, size_t size)
1644 {
1645   assert (size > 0);
1646   read_bytes (r, buffer, size - 1);
1647   buffer[size - 1] = '\0';
1648 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
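A hardened variant of the read_string() quoted in the report, added here as an example (not pspp's own code); the struct sfm_reader, read_bytes() and parse_record() are constructed stand-ins so it runs stand-alone. The point it makes is that the assert is a debugging aid rather than input validation: built with NDEBUG it vanishes, and a zero size makes `size - 1` wrap to SIZE_MAX, so a length taken from the file must be rejected explicitly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal in-memory reader standing in for the report's struct sfm_reader
   (constructed for this example; not the project's own type). */
struct sfm_reader {
    const uint8_t *data;  /* file contents */
    size_t len;           /* total length of data */
    size_t pos;           /* read cursor */
};

/* Bounded read: fails instead of running past the end of the input. */
static int read_bytes(struct sfm_reader *r, void *buf, size_t n)
{
    if (n > r->len - r->pos)
        return -1;        /* truncated or malformed record */
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return 0;
}

/* Hardened counterpart of the read_string() quoted in the report. A size of
   zero is rejected as a parse error instead of asserted away: with NDEBUG the
   assert disappears and `size - 1` would wrap to SIZE_MAX. The extra `cap`
   argument (an addition for this example) bounds the write to the caller's
   buffer. Returns 0 on success, -1 on error. */
int read_string_checked(struct sfm_reader *r, char *buffer, size_t size, size_t cap)
{
    if (size == 0 || size > cap)
        return -1;
    if (read_bytes(r, buffer, size - 1) != 0)
        return -1;
    buffer[size - 1] = '\0';
    return 0;
}

/* Parses one constructed record: a 1-byte length (counting the terminator,
   as the original's `size` does) followed by the string bytes. This mirrors
   an untrusted length flowing from the file into read_string(). */
int parse_record(const uint8_t *data, size_t len, char *out, size_t cap)
{
    struct sfm_reader r = { data, len, 0 };
    uint8_t size;
    if (read_bytes(&r, &size, 1) != 0)
        return -1;
    return read_string_checked(&r, out, size, cap);
}
```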
Comment 1 Andrej Nemec 2017-07-25 10:21:19 EDT
Please, report this issue to upstream. Thanks!
Comment 3 Jan Kurik 2017-08-15 05:10:53 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
