Bug 1482433 - There is an assertion abort in function dict_rename_var() of libpspp.
Summary: There is an assertion abort in function dict_rename_var() of libpspp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pspp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-17 09:17 UTC by owl337
Modified: 2017-11-11 02:50 UTC (History)
2 users (show)

Fixed In Version: pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-25 23:09:38 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
Triggered by "./pspp-convert POC5 -O csv /dev/null" (414 bytes, application/x-rar)
2017-08-17 09:17 UTC, owl337
no flags Details

Description owl337 2017-08-17 09:17:38 UTC
Created attachment 1314605 [details]
Triggered by "./pspp-convert POC5 -O csv /dev/null"

Description of problem:

There is an assertion abort in function dict_rename_var() of libpspp.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./pspp-convert POC5 -O csv /dev/null

Steps to Reproduce:

Normal output:

$./pspp-convert POC5 -O csv /dev/null
id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1': This system file does not indicate its own character encoding.  Using default encoding UTF-8.  For best results, specify an encoding explicitly.  Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
`id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1' near offset 0xd4: Renaming variable with duplicate name `VAR00003' to `VAR001'.
`id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1' near offset 0xf4: Renaming variable with duplicate name `VAR00003' to `VAR002'.
pspp-convert: src/data/dictionary.c:768: void dict_rename_var(struct dictionary *, struct variable *, const char *): Assertion `!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)' failed.
Aborted

The  GDB debugging information is as follows:

(gdb) r
...

Breakpoint 3, dict_rename_var (d=0x611000009a00, v=0x610000007240, new_name=0x60d00000cc79 "VAR00001") at src/data/dictionary.c:767
767	  assert (!utf8_strcasecmp (var_get_name (v), new_name)
(gdb) c 3 
Will ignore next 2 crossings of breakpoint 3.  Continuing.

Breakpoint 3, dict_rename_var (d=0x611000009a00, v=0x610000007e40, new_name=0x60d00000ccaf "VAR00003") at src/data/dictionary.c:767
767	  assert (!utf8_strcasecmp (var_get_name (v), new_name)
(gdb) n
pspp-convert: src/data/dictionary.c:768: void dict_rename_var(struct dictionary *, struct variable *, const char *): Assertion `!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6234e2a in __GI_abort () at abort.c:89
#2  0x00007ffff622c0bd in __assert_fail_base (fmt=0x7ffff638df78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x7ffff7ae4aa0 <.str16> "!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)", file=file@entry=0x7ffff7ae4100 <.str2> "src/data/dictionary.c", line=line@entry=768, 
    function=function@entry=0x7ffff7ae4b20 <__PRETTY_FUNCTION__.dict_rename_var> "void dict_rename_var(struct dictionary *, struct variable *, const char *)") at assert.c:92
#3  0x00007ffff622c172 in __GI___assert_fail (
    assertion=0x7ffff7ae4aa0 <.str16> "!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)", 
    file=0x7ffff7ae4100 <.str2> "src/data/dictionary.c", line=768, 
    function=0x7ffff7ae4b20 <__PRETTY_FUNCTION__.dict_rename_var> "void dict_rename_var(struct dictionary *, struct variable *, const char *)") at assert.c:101
#4  0x00007ffff78a2c3d in dict_rename_var (d=<optimized out>, v=<optimized out>, new_name=<optimized out>) at src/data/dictionary.c:767
#5  0x00007ffff792539f in rename_var_and_save_short_names (dict=0x611000009a00, var=0x610000007e40, new_name=0x60d00000ccaf "VAR00003")
    at src/data/sys-file-reader.c:2018
#6  0x00007ffff7919da7 in parse_long_var_name_map (record=<optimized out>, dict=<optimized out>, r=<optimized out>)
    at src/data/sys-file-reader.c:2086
#7  sfm_decode (r_=<optimized out>, encoding=<optimized out>, dictp=0x7fffffffe380, infop=0x0) at src/data/sys-file-reader.c:843
#8  0x00007ffff78480c1 in any_reader_decode (any_reader=0x61800000f880, encoding=0x0, dictp=0x7fffffffe380, info=0x0)
    at src/data/any-reader.c:147
#9  any_reader_open_and_decode (handle=<optimized out>, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:171
#10 0x00000000004dcc97 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:174
(gdb) c
Continuing.

Program terminated with signal SIGABRT, Aborted.
The program no longer exists.


The vulnerability was triggered in function:
dict_rename_var (d=0x611000009a00, v=0x610000007240, new_name=0x60d00000cc79 "VAR00001") at src/data/dictionary.c:767
767	  assert (!utf8_strcasecmp (var_get_name (v), new_name)



Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 1 Fedora Update System 2017-10-09 16:38:29 UTC
pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 2 Fedora Update System 2017-10-09 16:38:59 UTC
pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 3 Fedora Update System 2017-10-11 02:53:45 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

Comment 4 Fedora Update System 2017-10-11 06:28:08 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

Comment 5 Fedora Update System 2017-10-25 23:09:38 UTC
pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-11-11 02:50:39 UTC
pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.