From: Tianxiao Gu
Subject: PSPP-BUG: [bug #54686] heap-buffer-overflow in csv driver of pspp-convert
Date: Wed, 19 Sep 2018 00:19:30 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
URL:
<https://savannah.gnu.org/bugs/?54686>
Summary: heap-buffer-overflow in csv driver of pspp-convert
Project: PSPP
Submitted by: tianxiaogu
Submitted on: Wed 19 Sep 2018 04:19:28 AM UTC
Category: Output Driver
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Effort: 0.00
_______________________________________________________
Details:
Affected version: both git head and pspp-v1.0.1
Note that it seems to be a bug in gnulib.
Build:
~~~
export CFLAGS="-fsanitize=address -g -O0"
make -f Smake # optional for git
./configure
make
~~~
Reproduce:
~~~
pspp-convert pspp-convert-000002 -O csv /dev/null
~~~
Output:
~~~
`pspp-convert-000002' near offset 0x654: Long variable mapping from GROUP to invalid variable name `gr|up'.
=================================================================
==18286==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000d4e at pc 0x7f93e0f3bdd5 bp 0x7ffe1d6d0a20 sp 0x7ffe1d6d0a10
WRITE of size 1 at 0x612000000d4e thread T0
    #0 0x7f93e0f3bdd4 in convert_to_decimal /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:899
    #1 0x7f93e0f3d8a4 in scale10_round_decimal_decoded /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:1292
    #2 0x7f93e0f3dc86 in scale10_round_decimal_double /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:1328
    #3 0x7f93e0f45630 in vasnprintf /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:4119
    #4 0x7f93e0f3888e in rpl_snprintf /home/t/Projects/fuzzing/pspp-1.0.1/gl/snprintf.c:45
    #5 0x7f93e0de674f in csv_write_var__ src/data/csv-file-writer.c:360
    #6 0x7f93e0de6ae5 in csv_write_var src/data/csv-file-writer.c:391
    #7 0x7f93e0de6c78 in csv_write_case src/data/csv-file-writer.c:405
    #8 0x7f93e0de6d73 in csv_file_casewriter_write src/data/csv-file-writer.c:424
    #9 0x7f93e0de30f1 in casewriter_write src/data/casewriter.c:57
    #10 0x55f1c78cd032 in main utilities/pspp-convert.c:217
    #11 0x7f93e0987b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #12 0x55f1c78cc579 in _start (/home/t/Projects/fuzzing/pspp-1.0.1/utilities/.libs/pspp-convert+0x2579)

0x612000000d4e is located 0 bytes to the right of 270-byte region [0x612000000c40,0x612000000d4e)
allocated by thread T0 here:
    #0 0x7f93e1321b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f93e0f3baba in convert_to_decimal /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:863
    #2 0x7f93e0f3d8a4 in scale10_round_decimal_decoded /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:1292
    #3 0x7f93e0f3dc86 in scale10_round_decimal_double /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:1328
    #4 0x7f93e0f45630 in vasnprintf /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:4119
    #5 0x7f93e0f3888e in rpl_snprintf /home/t/Projects/fuzzing/pspp-1.0.1/gl/snprintf.c:45
    #6 0x7f93e0de674f in csv_write_var__ src/data/csv-file-writer.c:360
    #7 0x7f93e0de6ae5 in csv_write_var src/data/csv-file-writer.c:391
    #8 0x7f93e0de6c78 in csv_write_case src/data/csv-file-writer.c:405
    #9 0x7f93e0de6d73 in csv_file_casewriter_write src/data/csv-file-writer.c:424
    #10 0x7f93e0de30f1 in casewriter_write src/data/casewriter.c:57
    #11 0x55f1c78cd032 in main utilities/pspp-convert.c:217
    #12 0x7f93e0987b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/fuzzing/pspp-1.0.1/gl/vasnprintf.c:899 in convert_to_decimal
Shadow bytes around the buggy address:
0x0c247fff8150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c247fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff81a0: 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa fa
0x0c247fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18286==ABORTING
~~~
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 19 Sep 2018 04:19:28 AM UTC Name: pspp-convert-000002 Size: 3KiB
By: tianxiaogu
<http://savannah.gnu.org/bugs/download.php?file_id=45045>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?54686>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/