Created attachment 1314599
Triggered by "./pspp-convert POC3 -O csv /dev/null"

Description of problem:
There is an illegal address access in function output_hex() of libpspp.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
$ ./pspp-convert POC3 -O csv /dev/null

Steps to Reproduce:
Normal output:
$ ./pspp-convert POC3 -O csv /dev/null
Segmentation fault

The ASAN && GDB debugging information is as follows:

(gdb) r
The program being debugged has been started already.
...
Breakpoint 1, output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618       output_hex (value_str (input, format->w), format->w / 2, output);
(gdb) s
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167      *output++ = hex_digits[data[i] >> 4];
(gdb)
output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
618       output_hex (value_str (input, format->w), format->w / 2, output);
(gdb)
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167      *output++ = hex_digits[data[i] >> 4];
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167      *output++ = hex_digits[data[i] >> 4];
(gdb) bt
#0  0x00007ffff7885bee in output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
#1  output_AHEX (input=<optimized out>, format=<optimized out>, output=0x60300000ed70 '\276' <repeats 17 times>) at src/data/data-out.c:618
#2  0x00007ffff787b9a4 in data_out_pool (input=<optimized out>, encoding=<optimized out>, format=0x60c00000bcc8, pool=<optimized out>) at src/data/data-out.c:191
#3  0x00007ffff786ef05 in csv_output_format (w=0x60600000caa0, cv=<optimized out>, value=0x60300000edb8) at src/data/csv-file-writer.c:241
#4  0x00007ffff786df0d in csv_write_var__ (w=<optimized out>, cv=0x60c00000bcc0, value=0x60300000edb8) at src/data/csv-file-writer.c:367
#5  0x00007ffff786d177 in csv_write_var (value=0x60300000edb8, w=<optimized out>, cv=<optimized out>) at src/data/csv-file-writer.c:391
#6  csv_write_case (c=0x60300000eda0, w=<optimized out>) at src/data/csv-file-writer.c:405
#7  csv_file_casewriter_write (writer=<optimized out>, w_=<optimized out>, c=<optimized out>) at src/data/csv-file-writer.c:424
#8  0x00000000004dd855 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:215
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==61484==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7885bee bp 0x7ffff7ae12e0 sp 0x7fffffffd940 T0)
    #0 0x7ffff7885bed (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xd6bed)
    #1 0x7ffff787b9a3 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xcc9a3)
    #2 0x7ffff786ef04 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbff04)
    #3 0x7ffff786df0c (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbef0c)
    #4 0x7ffff786d176 (/home/icy/secreal/pspp-0.11.0-asan/install/lib/pspp/libpspp-core-0.11.0.so+0xbe176)
    #5 0x4dd854 (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x4dd854)
    #6 0x7ffff621eabf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #7 0x436028 (/home/icy/secreal/pspp-0.11.0-asan/install/bin/pspp-convert+0x436028)

AddressSanitizer can not provide additional info.
==61484==ABORTING
[Inferior 1 (process 61484) exited with code 01]
(gdb)

The vulnerability was triggered in function:
output_hex (bytes=8, output=<optimized out>, data_=<optimized out>) at src/data/data-out.c:1167
1167      *output++ = hex_digits[data[i] >> 4];

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
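An added example, not pspp's own code: a hex formatter with the same shape as the output_hex(data, bytes, output) call in the trace above, hardened so that a missing value buffer (the SEGV at address 0x0 in the ASAN report) or an undersized output buffer is refused instead of dereferenced. The function names, the output_len parameter and the uppercase digit table are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed digit table; pspp's own hex_digits may differ in case. */
static const char hex_digits[] = "0123456789ABCDEF";

/* Writes 2*bytes hex characters plus a terminator and returns true.
   Returns false, leaving an empty string when output is usable, if the
   input pointer is NULL or the output buffer cannot hold the result.
   Hypothetical name; mirrors output_hex(data_, bytes, output) from the trace. */
bool output_hex_checked(const void *data_, size_t bytes,
                        char *output, size_t output_len)
{
    const unsigned char *data = data_;

    if (output == NULL || output_len == 0)
        return false;
    output[0] = '\0';

    /* The reported crash is a read through a NULL data pointer inside the
       loop below (SEGV on unknown address 0x0); reject it before indexing. */
    if (data == NULL && bytes > 0)
        return false;

    /* Two characters per byte plus the terminator; check before any write. */
    if (bytes > (output_len - 1) / 2)
        return false;

    for (size_t i = 0; i < bytes; i++) {
        *output++ = hex_digits[data[i] >> 4];
        *output++ = hex_digits[data[i] & 15];
    }
    *output = '\0';
    return true;
}

/* Mirrors the caller in frame #1: a field of width w is rendered from w/2
   bytes of a value buffer that may be absent. Hypothetical name. */
bool format_ahex_field(const void *value, int w, char *output, size_t output_len)
{
    if (w < 0)
        return false;
    return output_hex_checked(value, (size_t) w / 2, output, output_len);
}
```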
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.