PSPP-BUG: [bug #63000] heap-buffer-overflow in read

bug-gnu-pspp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PSPP-BUG: [bug #63000] heap-buffer-overflow in read_string

From:	han zheng
Subject:	PSPP-BUG: [bug #63000] heap-buffer-overflow in read_string
Date:	Fri, 2 Sep 2022 03:22:23 -0400 (EDT)

URL:
  <https://savannah.gnu.org/bugs/?63000>

                 Summary: heap-buffer-overflow in read_string
                 Project: PSPP
               Submitter: kdsj
               Submitted: Fri 02 Sep 2022 07:22:22 AM UTC
                Category: None
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 02 Sep 2022 07:22:22 AM UTC By: han zheng <kdsj>
## short summary
Hello, I was testing my fuzzer and find a heap buffer overflow in
read_string, pspp-1.6.2

## Environment
Ubuntu 21.10
gcc 11.2.0
pspp-1.6.2

## step to reproduce
./configure --disable-shared --without-gui && make -j$(nproc)
./pspp-dump-sav $POC

## ASan output
=================================================================
==2607491==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000111 at pc 0x0000004d6a35 bp 0x7fffc66178b0 sp 0x7fffc66178a8
WRITE of size 1 at 0x602000000111 thread T0
    #0 0x4d6a34 in read_string
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:1661:20
    #1 0x4d6a34 in read_character_encoding
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:1020:3
    #2 0x4d6a34 in read_extension_record
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:649:7
    #3 0x4d6a34 in main
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:219:15
    #4 0x7f1baa451fcf in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f1baa45207c in __libc_start_main csu/../csu/libc-start.c:409:3
    #6 0x41f384 in _start
(/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav+0x41f384)

0x602000000111 is located 0 bytes to the right of 1-byte region
[0x602000000110,0x602000000111)
allocated by thread T0 here:
    #0 0x49a3c2 in calloc
/home/kdsj/workspace/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x4da045 in xcalloc
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/gl/xmalloc.c:297:19
    #2 0x7f1baa451fcf in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:1661:20
in read_string
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8020: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2607491==ABORTING

## Credit
Han Zheng(NCNIPC of China, Hexhive)






    _______________________________________________________
File Attachments:


-------------------------------------------------------
Date: Fri 02 Sep 2022 07:22:22 AM UTC  Name: poc4.zip  Size: 653B   By: kdsj

<http://savannah.gnu.org/bugs/download.php?file_id=53649>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?63000>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

PSPP-BUG: [bug #63000] heap-buffer-overflow in read_string, han zheng <=
- PSPP-BUG: [bug #63000] heap-buffer-overflow in read_string, Ben Pfaff, 2022/09/19

Next by Date: PSPP-BUG: [bug #63020] Invalid font name "SansSerif" in html output
Next by thread: PSPP-BUG: [bug #63000] heap-buffer-overflow in read_string
Index(es):
- Date
- Thread