Bug 1482429 - There is an illegal address access in function output_hex() of libpspp.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pspp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-17 09:06 UTC by owl337
Modified: 2017-11-11 02:50 UTC

Fixed In Version: pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27
Last Closed: 2017-10-25 23:09:44 UTC
Type: Bug


Attachments
Triggered by "./pspp-convert POC3 -O csv /dev/null" (403 bytes, application/x-rar)
2017-08-17 09:06 UTC, owl337

Description owl337 2017-08-17 09:06:17 UTC
Created attachment 1314599
Triggered by "./pspp-convert POC3 -O csv /dev/null"

Description of problem:

There is an illegal address access in function output_hex() of libpspp.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

$./pspp-convert POC3 -O csv /dev/null

Steps to Reproduce:


Normal output:

$./pspp-convert POC3 -O csv /dev/null
Segmentation fault

The ASAN && GDB debugging information is as follows:

(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>)
    at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) s
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) 
output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618	  output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) 
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];
(gdb) bt
#0  0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
#1  output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
#2  0x00007ffff787b9a4 in data_out_pool (input=<optimized out>, encoding=<optimized out>, format=0x60c00000bcc8, pool=<optimized out>)
    at src/data/data-out.c:191
#3  0x00007ffff786ef05 in csv_output_format (w=0x60600000caa0, cv=<optimized out>, value=0x60300000edb8) at src/data/csv-file-writer.c:241
#4  0x00007ffff786df0d in csv_write_var__ (w=<optimized out>, cv=0x60c00000bcc0, value=0x60300000edb8) at src/data/csv-file-writer.c:367
#5  0x00007ffff786d177 in csv_write_var (value=0x60300000edb8, w=<optimized out>, cv=<optimized out>) at src/data/csv-file-writer.c:391
#6  csv_write_case (c=0x60300000eda0, w=<optimized out>) at src/data/csv-file-writer.c:405
#7  csv_file_casewriter_write (writer=<optimized out>, w_=<optimized out>, c=<optimized out>) at src/data/csv-file-writer.c:424
#8  0x00000000004dd855 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:215
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==61484==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7885bee bp 0x7ffff7ae12e0 sp 0x7fffffffd940 T0)
    #0 0x7ffff7885bed  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xd6bed)
    #1 0x7ffff787b9a3  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xcc9a3)
    #2 0x7ffff786ef04  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbff04)
    #3 0x7ffff786df0c  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbef0c)
    #4 0x7ffff786d176  (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbe176)
    #5 0x4dd854  (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x4dd854)
    #6 0x7ffff621eabf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #7 0x436028  (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x436028)

AddressSanitizer can not provide additional info.
==61484==ABORTING
[Inferior 1 (process 61484) exited with code 01]
(gdb) 

The vulnerability was triggered in function:
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167	      *output++ = hex_digits[data[i] >> 4];



Actual results:

crash

Expected results:

crash


Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
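
In the trace above, the fault is on the read of data[i] at data-out.c:1167; ASAN reports address 0x0 while output is a valid heap pointer, which is consistent with a NULL source pointer. The C code below is an added example, not PSPP's code or the fix that shipped: the names hex_unchecked, hex_checked and out_cap are hypothetical, and everything in the loop other than the line shown in the trace is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static const char hex_digits[] = "0123456789ABCDEF";

/* Shape of the faulting loop. Only the ">> 4" store appears in the trace;
   the rest is assumed. It trusts data_ to point at `bytes` readable bytes. */
void hex_unchecked(const void *data_, size_t bytes, char *output)
{
    const uint8_t *data = data_;
    for (size_t i = 0; i < bytes; i++) {
        *output++ = hex_digits[data[i] >> 4];   /* faults when data is NULL */
        *output++ = hex_digits[data[i] & 15];
    }
    *output = '\0';
}

/* Hardened variant: validates the source pointer and destination capacity
   before touching memory. Returns 0 on success, -1 on refusal. */
int hex_checked(const void *data_, size_t bytes, char *output, size_t out_cap)
{
    const uint8_t *data = data_;

    if (output == NULL || out_cap == 0)
        return -1;
    output[0] = '\0';                    /* defined result on every failure */
    if (data == NULL && bytes != 0)
        return -1;                       /* the condition seen in this report */
    if (bytes > (out_cap - 1) / 2)
        return -1;                       /* needs 2 chars per byte plus NUL */

    for (size_t i = 0; i < bytes; i++) {
        output[2 * i]     = hex_digits[data[i] >> 4];
        output[2 * i + 1] = hex_digits[data[i] & 15];
    }
    output[2 * bytes] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: 8 bytes into a 17-byte buffer, as in the trace. */
    const uint8_t sample[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01, 0x02, 0x03 };
    char out[17];
    printf("valid source: rc=%d out=%s\n", hex_checked(sample, 8, out, sizeof out), out);
    printf("NULL source:  rc=%d\n", hex_checked(NULL, 8, out, sizeof out));
    return 0;
}
```

A check in the callee only turns the crash into an error return; the caller still has to decide what to emit for a value whose storage does not match the format width.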

Comment 1 Fedora Update System 2017-10-09 16:38:41 UTC
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 2 Fedora Update System 2017-10-09 16:39:06 UTC
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 3 Fedora Update System 2017-10-11 02:53:51 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 4 Fedora Update System 2017-10-11 06:28:13 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 5 Fedora Update System 2017-10-25 23:09:44 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-11-11 02:50:45 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

