bug-gnu-pspp

Re: PSPP-BUG: heap-buffer-overflow bug at src/language/commands/matrix.c


From: Ben Pfaff
Subject: Re: PSPP-BUG: heap-buffer-overflow bug at src/language/commands/matrix.c:3276 in function matrix_expr_evaluate_elementwise
Date: Sat, 22 Apr 2023 18:09:56 -0700

Thanks for the report! I fixed this with commit 505a04fe4cf5 ("Fix
checks for valid integer range subset of 'double'.").

On Tue, Apr 4, 2023 at 1:04 AM Youngseok Choi <youngseok.main@gmail.com> wrote:
>
> Hello,
>
> We are developing a new fuzzer, and it found a new heap overflow bug in the
> latest pspp executable.
>
> Command Input
> pspp poc_file
>
> poc_file is attached.
>
> Output
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.2:
>  error: Bad character U+0000 in input.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.2:
>  error: Bad character U+0000 in input.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.2:
>  error: Unknown command `@'.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.3-1.4:
>  error: Bad character U+FFFD in input.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.16:
>  error: Bad character U+0002 in input.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:1.16:
>  error: Bad character U+0000 in input.
>     1 |
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:6.1:
>  error: Bad character U+0005 in input.
>     6 | U'e staff wee slo
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:6.1:
>  error: Bad character U+001A in input.
>     6 | U'e staff wee slo
>
> /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/pspp/4_id:000272/poc_file:6.1-6.50:
>  error: Unterminated string constant.
>     6 | U'e staff wee slo
>
> Sanitizer Dump
> ==16118==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6110000035b8 at pc 0x7ffff6a2a520 bp 0x7fffffffd9f0 sp 0x7fffffffd9e0
> READ of size 8 at 0x6110000035b8 thread T0
>     #0 0x7ffff6a2a51f in matrix_expr_evaluate_elementwise 
> src/language/commands/matrix.c:3276
>     #1 0x7ffff6a3667b in matrix_expr_evaluate 
> src/language/commands/matrix.c:4569
>     #2 0x7ffff6a39550 in matrix_compute_execute 
> src/language/commands/matrix.c:5291
>     #3 0x7ffff6a53ab5 in matrix_command_execute 
> src/language/commands/matrix.c:8843
>     #4 0x7ffff6a55065 in cmd_matrix src/language/commands/matrix.c:9144
>     #5 0x7ffff690d361 in do_parse_command src/language/command.c:243
>     #6 0x7ffff690cd09 in cmd_parse_in_state src/language/command.c:149
>     #7 0x7ffff690cdd9 in cmd_parse src/language/command.c:164
>     #8 0x555555559e7a in main src/ui/terminal/main.c:139
>     #9 0x7ffff56adc86 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
>     #10 0x5555555598c9 in _start 
> (/home/youngseok/subjects/latest_asan_install/pspp/bin/pspp+0x58c9)
>
> Environment
> OS: Ubuntu 18.04
> gcc: 7.5.0
> pspp: 1.6.2 (master branch - git commit id 
> eb1521cd226e0b8cafab7c72d860b21eda71662)
>
> Note that pspp is built with address sanitizer and several options:
> CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" \ 
> ./configure --prefix=`pwd`/install_main --without-perl-module --without-gui
>
> Thank you.
> Youngseok Choi
> _______________________________________________
> Bug-gnu-pspp mailing list
> Bug-gnu-pspp@gnu.org
> https://lists.gnu.org/mailman/listinfo/bug-gnu-pspp
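The fix commit cited in the reply above is titled "Fix checks for valid integer range subset of 'double'". As an added illustration of that class of check (this is not PSPP's code and not the actual patch), the following C snippet shows a helper that accepts a `double` only when it is finite, integral and inside a caller-supplied range, and a matrix accessor that uses it to refuse an out-of-range element read rather than perform it. The `struct matrix` type, the function names and the 2x3 sample matrix are all constructed for this example; the ordering of the checks is the point, since a NaN passes every `<`/`>` comparison and converting an out-of-range `double` to an integer type is undefined behaviour in C, so both must be ruled out before the value is ever used as an index.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical row-major matrix type (not PSPP's). */
struct matrix
{
  size_t n_rows, n_cols;
  double *data;              /* n_rows * n_cols elements */
};

/* Stores 'd' in *out and returns true only if 'd' is a finite, exact
   integer within [lo, hi].  'lo' and 'hi' are assumed to be exactly
   representable as doubles (|x| <= 2^53), which holds for any
   realistic matrix dimension. */
bool
double_to_long_in_range (double d, long lo, long hi, long *out)
{
  /* NaN and infinities first: every comparison with NaN is false, so
     the range check below would let NaN through. */
  if (!isfinite (d))
    return false;

  /* Range check while still in 'double': converting an out-of-range
     double to 'long' is undefined behaviour, so never do it. */
  if (d < (double) lo || d > (double) hi)
    return false;

  long v = (long) d;         /* safe now: d lies within [lo, hi] */
  if ((double) v != d)       /* rejects fractional values such as 1.5 */
    return false;

  *out = v;
  return true;
}

/* Reads element (row, col), with 1-based indices supplied as doubles
   (as an interpreted language typically hands them over).  Returns
   false instead of reading outside the buffer. */
bool
matrix_get_checked (const struct matrix *m, double row, double col,
                    double *out)
{
  long r, c;
  if (!double_to_long_in_range (row, 1, (long) m->n_rows, &r)
      || !double_to_long_in_range (col, 1, (long) m->n_cols, &c))
    return false;
  *out = m->data[(size_t) (r - 1) * m->n_cols + (size_t) (c - 1)];
  return true;
}

/* Constructed 2x3 sample matrix for the demonstration. */
static double sample_data[] = { 1, 2, 3, 4, 5, 6 };
static const struct matrix sample = { 2, 3, sample_data };

/* Returns the element at (row, col) or NAN if the indices are rejected. */
double
sample_lookup (double row, double col)
{
  double v;
  return matrix_get_checked (&sample, row, col, &v) ? v : NAN;
}

int
main (void)
{
  const double probes[][2] = {
    { 1, 1 }, { 2, 3 }, { 3, 1 }, { 0, 1 }, { 1.5, 1 }, { 1e300, 1 }, { NAN, 1 }
  };
  for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
    {
      double v = sample_lookup (probes[i][0], probes[i][1]);
      if (isnan (v))
        printf ("(%g, %g): rejected\n", probes[i][0], probes[i][1]);
      else
        printf ("(%g, %g): %g\n", probes[i][0], probes[i][1], v);
    }
  return 0;
}
```

The accessor only ever touches `m->data` after both indices have been validated, so a malformed or hostile value reaching it degrades to a refused lookup that the caller can report as an error, instead of the out-of-bounds read the sanitizer dump above shows.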
