Bug 1482432 - There is a reachable assertion abort in function dict_add_mrset() of libpspp.
Summary: There is a reachable assertion abort in function dict_add_mrset() of libpspp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pspp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-17 09:13 UTC by owl337
Modified: 2017-11-11 02:50 UTC (History)

Fixed In Version: pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27
Clone Of:
Environment:
Last Closed: 2017-10-25 23:09:41 UTC
Type: Bug
Embargoed:


Attachments
Triggered by "./pspp-convert POC4 -O csv /dev/null" (491 bytes, application/x-rar)
2017-08-17 09:13 UTC, owl337

Description owl337 2017-08-17 09:13:34 UTC
Created attachment 1314602 [details]
Triggered by "./pspp-convert POC4 -O csv /dev/null"

Description of problem:

There is a reachable assertion abort in function dict_add_mrset() of libpspp.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./pspp-convert POC4 -O csv /dev/null


Steps to Reproduce:

Normal output:

$./pspp-convert POC4 -O csv /dev/null
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x3b7: Record type 7, subtype 3 found here has the same type as the record found near offset 0x1c0.  For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x3e7: Record type 7, subtype 4 found here has the same type as the record found near offset 0x1f0.  For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x40f: Record type 7, subtype 11 found here has the same type as the record found near offset 0x218.  For help, please send this file to bug-gnu-pspp and mention that you were using GNU PSPP 0.11.0.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x44f: Missing new-line parsing variable names at offset 72 in MRSETS record.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x258: Missing new-line parsing variable names at offset 72 in MRSETS record.
`id:000079,sig:06,src:002419,op:havoc,rep:2': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x104: Variable VAR00003 with width 0 has invalid write format 0x10802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x120: Variable VAR00004 with width 0 has invalid print format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x124: Variable VAR00004 with width 0 has invalid write format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2cb: Renaming variable with duplicate name `VAR00002' to `VAR001'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2d7: Variable VAR001 with width 8 has invalid print format 0x50802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2db: Variable VAR001 with width 8 has invalid write format 0x50802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2eb: Renaming variable with duplicate name `VAR00003' to `VAR002'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x2fb: Variable VAR002 with width 0 has invalid write format 0x10802.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x30b: Renaming variable with duplicate name `VAR00004' to `VAR003'.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x317: Variable VAR003 with width 0 has invalid print format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x31b: Variable VAR003 with width 0 has invalid write format 0x10100.
`id:000079,sig:06,src:002419,op:havoc,rep:2': Suppressing further invalid format warnings.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x32b: Duplicate value label for 1 on VAR00002.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x32b: Duplicate value label for 2 on VAR00002.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 2 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 3 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x35f: Duplicate value label for 4 on VAR00003.
`id:000079,sig:06,src:002419,op:havoc,rep:2' near offset 0x218: Extension 11 has bad count 12 (for 8 variables).
`id:000079,sig:06,src:002419,op:havoc,rep:2': MRSET $FL00001 has only one variable.
pspp-convert: src/data/dictionary.c:1489: _Bool dict_add_mrset(struct dictionary *, struct mrset *): Assertion `mrset_ok (mrset, dict)' failed.
Aborted

The GDB debugging information is as follows:

(gdb) r
...

Breakpoint 2, dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
1489	  assert (mrset_ok (mrset, dict));
(gdb) list 
1484	bool
1485	dict_add_mrset (struct dictionary *dict, struct mrset *mrset)
1486	{
1487	  size_t idx;
1488	
1489	  assert (mrset_ok (mrset, dict));
1490	
1491	  idx = dict_lookup_mrset_idx (dict, mrset->name);
1492	  if (idx == SIZE_MAX)
1493	    {
(gdb) bt
#0  dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
#1  0x00007ffff7918c43 in decode_mrsets (dict=<optimized out>, r=<optimized out>) at src/data/sys-file-reader.c:1917
#2  sfm_decode (r_=<optimized out>, encoding=<optimized out>, dictp=0x7fffffffe380, infop=0x0) at src/data/sys-file-reader.c:836
#3  0x00007ffff78480c1 in any_reader_decode (any_reader=0x61800000f880, encoding=0x0, dictp=0x7fffffffe380, info=0x0)
    at src/data/any-reader.c:147
#4  any_reader_open_and_decode (handle=<optimized out>, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:171
#5  0x00000000004dcc97 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:174
(gdb) n
pspp-convert: src/data/dictionary.c:1489: _Bool dict_add_mrset(struct dictionary *, struct mrset *): Assertion `mrset_ok (mrset, dict)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) 


The vulnerability was triggered in function:
dict_add_mrset (dict=0x611000009500, mrset=0x60600000cce0) at src/data/dictionary.c:1489
1489	  assert (mrset_ok (mrset, dict));


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
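As an added example (not PSPP's code and not the fix that shipped in pspp-1.0.1), a minimal C model of the pattern the trace above shows: the reader diagnosed the single-variable set ("MRSET $FL00001 has only one variable") but still handed it to dict_add_mrset, whose assert(mrset_ok) then aborts the process on untrusted file contents. The record-line format, MAX_VARS, NAME_LEN and the exact mrset_ok precondition are assumptions; the sample lines in the comments are constructed.

```c
/* Added example, not PSPP's code: a minimal model of MRSETS record handling in the
 * shape this report exercises.  Assumed line format "$name=C v1 v2\n" (multiple-
 * category sets); "D" (dichotomy) lines are rejected as unhandled. */
#include <assert.h>
#include <stdbool.h>
#include <string.h>
#define MAX_VARS 8
#define NAME_LEN 16
struct mrset {
    char name[NAME_LEN];
    size_t n_vars;
    char vars[MAX_VARS][NAME_LEN];
};
/* Precondition the dictionary requires of any stored set (assumed: $-name, >= 2 vars). */
static bool mrset_ok(const struct mrset *m)
{
    return m->name[0] == '$' && m->n_vars >= 2;
}
/* Parse one record line; returns bytes consumed, or 0 if malformed
 * (no '=', no 'C' tag, over-long name, or missing terminating new-line). */
static size_t parse_mrset_line(const char *text, struct mrset *out)
{
    const char *nl = strchr(text, '\n'), *eq = strchr(text, '=');
    if (!nl || !eq || eq > nl || eq[1] != 'C' || eq - text >= NAME_LEN)
        return 0;
    memset(out, 0, sizeof *out);
    memcpy(out->name, text, (size_t)(eq - text));
    for (const char *p = eq + 2; p < nl && out->n_vars < MAX_VARS;) {
        while (p < nl && *p == ' ') p++;              /* skip separators */
        const char *end = p;
        while (end < nl && *end != ' ') end++;        /* one variable name */
        if (end == p) break;
        size_t len = (size_t)(end - p);
        memcpy(out->vars[out->n_vars++], p, len < NAME_LEN ? len : NAME_LEN - 1);
        p = end;
    }
    return (size_t)(nl - text) + 1;
}
/* Reader side: anything failing the dictionary's precondition is rejected here,
 * so the assert is no longer reachable from file contents.  The build in the
 * report warned "has only one variable" but still called dict_add_mrset. */
static bool decode_and_add(const char *line, struct mrset *dict_slot)
{
    struct mrset m;
    if (parse_mrset_line(line, &m) == 0 || !mrset_ok(&m))
        return false;               /* malformed line or invalid set: dropped */
    assert(mrset_ok(&m));           /* now a genuine internal invariant */
    *dict_slot = m;
    return true;
}
```

Constructed input "$FL00001=C VAR00002\n" (one variable, as in the reported file) is discarded with a false return instead of reaching the assert, while "$FL00002=C VAR00002 VAR00003\n" is stored.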

Comment 1 Fedora Update System 2017-10-09 16:38:35 UTC
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 2 Fedora Update System 2017-10-09 16:39:02 UTC
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 3 Fedora Update System 2017-10-11 02:53:48 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 4 Fedora Update System 2017-10-11 06:28:10 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 5 Fedora Update System 2017-10-25 23:09:41 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-11-11 02:50:42 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

