bug-gnu-pspp
From: frankz7
Subject: PSPP-BUG: [bug #66486] Segmentation-violation at src/language/commands/matrix.c:3505 in matrix_expr_evaluate_seq in pspp
Date: Wed, 27 Nov 2024 08:00:41 -0500 (EST)

URL:
  <https://savannah.gnu.org/bugs/?66486>

                 Summary: Segmentation-violation at src/language/commands/matrix.c:3505 in matrix_expr_evaluate_seq in pspp
                   Group: PSPP
               Submitter: frankz7
               Submitted: Wed 27 Nov 2024 01:00:37 PM UTC
                Category: None
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 27 Nov 2024 01:00:37 PM UTC By: frankz7 <frankz7>
= Segmentation-violation at src/language/commands/matrix.c:3505 in matrix_expr_evaluate_seq in pspp =

== Description ==

Dear developers, 

We found the following segmentation-violation bug in pspp; please confirm.

This bug is triggered when we use pspp with the -b option.

The latest version v2.0.1 also has this vulnerability.

The function to_scalar doesn't validate its inputs. If start_, end_, or by_
are NULL or invalid, gsl_matrix_alloc may return a null pointer if invalid
parameters are provided. The return value of gsl_matrix_alloc is not
checked. If the allocation fails, it may cause a crash.

==== src/language/commands/matrix.c:3505: ====
3489   long int start = to_scalar (start_);
3490   long int end = to_scalar (end_);
3491   long int by = by_ ? to_scalar (by_) : 1;
3492
3493   if (!by)
3494     {
3495       msg_at (SE, matrix_expr_location (e->subs[2]),
3496               _("The increment operand to : must be nonzero."));
3497       return NULL;
3498     }
3499
3500   long int n = (end >= start && by > 0 ? (end - start + by) / by
3501                 : end <= start && by < 0 ? (start - end - by) / -by
3502                 : 0);
3503   gsl_matrix *m = gsl_matrix_alloc (1, n);
3504   for (long int i = 0; i < n; i++)
3505     gsl_matrix_set (m, 0, i, start + i * by);
3506   return m;
3507 }

== Version ==

# ./src/ui/terminal/pspp --version
pspp (GNU PSPP) 2.0.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Ben Pfaff, John Darrington, and Jason Stover.

== PoC ==

poc1pspp

== Reproduction ==

./src/ui/terminal/pspp -b --output=tmp.csv poc1pspp

==== use valgrind: ====

apt-get install texinfo
apt-get install valgrind
apt-get install gettext libcairo2-dev libpango1.0-dev libgtk-3-dev
libgtksourceview-4-dev libgsl-dev

tar -xvzf pspp-2.0.1.tar.gz
mv pspp-2.0.1 pspp
cd pspp
CFLAGS="-g -ggdb3" CXXFLAGS="-g -ggdb3" ./configure --disable-shared --without-gui
make -j10

valgrind --leak-check=full --track-origins=yes ./src/ui/terminal/pspp -b --output=tmp.csv poc1pspp

==== or use address sanitizer: ====

CFLAGS="-g -ggdb3 -fsanitize=address" CXXFLAGS="-g -ggdb3 -fsanitize=address" ./configure --disable-shared --without-gui
make -j3

./src/ui/terminal/pspp -b --output=tmp.csv poc1pspp

== Valgrind Log ==

# valgrind --leak-check=full --track-origins=yes /afltest/tmp/pspp2/src/ui/terminal/pspp -b --output=tmp.csv poc2
==2416634== Memcheck, a memory error detector
==2416634== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2416634== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==2416634== Command: /afltest/tmp/pspp2/src/ui/terminal/pspp -b --output=tmp.csv poc2
==2416634==
poc2:1.6: error: Bad character U+0007 in input.
    1 | Matri
      |      ^
==2416634== Invalid read of size 8
==2416634==    at 0x4D19671: gsl_matrix_set (in /usr/lib/x86_64-linux-gnu/libgsl.so.27.0.0)
==2416634==    by 0x1C52D9: matrix_expr_evaluate_seq (matrix.c:3505)
==2416634==    by 0x1CB35E: matrix_expr_evaluate (matrix.c:4601)
==2416634==    by 0x1CDCD5: matrix_print_execute (matrix.c:5726)
==2416634==    by 0x1D8360: matrix_command_execute (matrix.c:8872)
==2416634==    by 0x1D8C95: cmd_matrix (matrix.c:9169)
==2416634==    by 0x13DD22: do_parse_command (command.c:244)
==2416634==    by 0x13D9C3: cmd_parse_in_state (command.c:150)
==2416634==    by 0x13DA9B: cmd_parse (command.c:165)
==2416634==    by 0x13C608: main (main.c:139)
==2416634==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2416634==
******************************************************
You have discovered a bug in PSPP.  Please report this
to bug-gnu-pspp@gnu.org.  Please include this entire
message, *plus* several lines of output just above it.
For the best chance at having the bug fixed, also
include the syntax file that triggered it and a sample
of any data file used for input.
proximate cause:     Segmentation Violation
version:             GNU pspp 2.0.1
host_system:         x86_64-pc-linux-gnu
build_system:        x86_64-pc-linux-gnu
locale_dir:          /usr/local/share/locale
compiler version:    11.4.0
******************************************************
==2416634==
==2416634== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==2416634==    at 0x50A39FC: __pthread_kill_implementation
(pthread_kill.c:44)
==2416634==    by 0x50A39FC: __pthread_kill_internal (pthread_kill.c:78)
==2416634==    by 0x50A39FC: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==2416634==    by 0x504F475: raise (raise.c:26)
==2416634==    by 0x13C80B: bug_handler (main.c:222)
==2416634==    by 0x504F51F: ??? (in /usr/lib/x86_64-linux-gnu/libc.so.6)
==2416634==    by 0x4D19670: gsl_matrix_set (in
/usr/lib/x86_64-linux-gnu/libgsl.so.27.0.0)
==2416634==    by 0x1C52D9: matrix_expr_evaluate_seq (matrix.c:3505)
==2416634==    by 0x1CB35E: matrix_expr_evaluate (matrix.c:4601)
==2416634==    by 0x1CDCD5: matrix_print_execute (matrix.c:5726)
==2416634==    by 0x1D8360: matrix_command_execute (matrix.c:8872)
==2416634==    by 0x1D8C95: cmd_matrix (matrix.c:9169)
==2416634==    by 0x13DD22: do_parse_command (command.c:244)
==2416634==    by 0x13D9C3: cmd_parse_in_state (command.c:150)
==2416634==
==2416634== HEAP SUMMARY:
==2416634==     in use at exit: 239,563 bytes in 444 blocks
==2416634==   total heap usage: 827 allocs, 383 frees, 327,684 bytes
allocated
==2416634==
==2416634== 48 bytes in 1 blocks are definitely lost in loss record 211 of
386
==2416634==    at 0x4848899: malloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2416634==    by 0x4D1F927: gsl_matrix_alloc (in
/usr/lib/x86_64-linux-gnu/libgsl.so.27.0.0)
==2416634==    by 0x1C5290: matrix_expr_evaluate_seq (matrix.c:3503)
==2416634==    by 0x1CB35E: matrix_expr_evaluate (matrix.c:4601)
==2416634==    by 0x1CDCD5: matrix_print_execute (matrix.c:5726)
==2416634==    by 0x1D8360: matrix_command_execute (matrix.c:8872)
==2416634==    by 0x1D8C95: cmd_matrix (matrix.c:9169)
==2416634==    by 0x13DD22: do_parse_command (command.c:244)
==2416634==    by 0x13D9C3: cmd_parse_in_state (command.c:150)
==2416634==    by 0x13DA9B: cmd_parse (command.c:165)
==2416634==    by 0x13C608: main (main.c:139)
==2416634==
==2416634== LEAK SUMMARY:
==2416634==    definitely lost: 48 bytes in 1 blocks
==2416634==    indirectly lost: 0 bytes in 0 blocks
==2416634==      possibly lost: 0 bytes in 0 blocks
==2416634==    still reachable: 237,499 bytes in 422 blocks
==2416634==         suppressed: 0 bytes in 0 blocks
==2416634== Reachable blocks (those to which a pointer was found) are not
shown.
==2416634== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2416634==
==2416634== For lists of detected and suppressed errors, rerun with: -s
==2416634== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

== ASAN Log ==

=================================================================
==4123934==ERROR: AddressSanitizer: requested allocation size 0x2d79883459e88 (0x2d7988345ae88 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7f7694772887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f7693e6f4cc in gsl_block_alloc (/lib/x86_64-linux-gnu/libgsl.so.27+0x5e4cc)

==4123934==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 in __interceptor_malloc
==4123934==ABORTING

== Reference ==

https://www.gnu.org/software/pspp/
https://savannah.gnu.org/projects/pspp/

== Environment ==

ubuntu:22.04
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
clang version 14.0.0-1ubuntu1.1
afl-fuzz++4.22a

*Thanks for your time!*

    _______________________________________________________
File Attachments:


-------------------------------------------------------
Name: poc1pspp  Size: 224B
<https://file.savannah.gnu.org/file/poc1pspp?file_id=56648>


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66486>
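The two logs above show the same failure from two angles: ASAN reports a requested allocation of 0x2d79883459e88 bytes in gsl_block_alloc (a sequence of tens of trillions of elements), and under valgrind, where the allocation simply fails, gsl_matrix_set reads through address 0x0, i.e. the loop at matrix.c:3505 writes into a matrix whose allocation was never checked. The following C is an added illustration of how the quoted sequence evaluator would look with the length computation checked for overflow, bounded, and the allocation result verified before use. It is not PSPP code and not the reporter's code: the gsl_matrix is replaced by a plain array of doubles so it runs without libgsl, SEQ_MAX_ELEMENTS is an assumed policy cap (PSPP defines no such constant), and the overflow checks use the GCC/Clang __builtin_*_overflow builtins. The inputs in main are constructed; the ~1e14-element case only mirrors the shape of the crashing input, not the attached PoC.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on sequence length (illustration only; PSPP has no
   such constant). Any bound prevents the allocator from being asked for
   hundreds of terabytes on behalf of one `start:end:by` expression. */
#define SEQ_MAX_ELEMENTS (64L * 1024 * 1024)

enum seq_status {
    SEQ_OK = 0,
    SEQ_ZERO_STEP,    /* by == 0 (the quoted code already rejects this) */
    SEQ_OVERFLOW,     /* end - start + by does not fit in a long */
    SEQ_TOO_LARGE,    /* length exceeds SEQ_MAX_ELEMENTS */
    SEQ_ALLOC_FAILED  /* allocator returned NULL */
};

/* Length of start:end:by using the same formula as the quoted
   matrix_expr_evaluate_seq, but with every intermediate checked for
   overflow and the result bounded. Sets *n_out only on SEQ_OK. */
enum seq_status seq_length(long start, long end, long by, long *n_out)
{
    long span, numer, n;

    if (by == 0)
        return SEQ_ZERO_STEP;

    if (end >= start && by > 0) {
        /* (end - start + by) / by */
        if (__builtin_sub_overflow(end, start, &span)
            || __builtin_add_overflow(span, by, &numer))
            return SEQ_OVERFLOW;
        n = numer / by;
    } else if (end <= start && by < 0) {
        /* (start - end - by) / -by; -LONG_MIN is itself undefined */
        if (by == LONG_MIN
            || __builtin_sub_overflow(start, end, &span)
            || __builtin_sub_overflow(span, by, &numer))
            return SEQ_OVERFLOW;
        n = numer / -by;
    } else {
        n = 0;  /* direction and step disagree, e.g. 5:1:1 -> empty */
    }

    if (n > SEQ_MAX_ELEMENTS)
        return SEQ_TOO_LARGE;
    *n_out = n;
    return SEQ_OK;
}

/* Build the sequence into a heap array (stand-in for the 1-by-n
   gsl_matrix). Returns NULL and sets *status on any failure; the
   array is written only after the allocation has been checked. */
double *seq_build(long start, long end, long by, long *n_out,
                  enum seq_status *status)
{
    long n;
    double *v;

    *status = seq_length(start, end, by, &n);
    if (*status != SEQ_OK)
        return NULL;

    /* Request at least one element so an empty sequence is still a
       valid non-NULL result rather than an implementation-defined malloc(0). */
    v = calloc(n > 0 ? (size_t) n : 1, sizeof *v);
    if (v == NULL) {
        *status = SEQ_ALLOC_FAILED;
        return NULL;
    }
    for (long i = 0; i < n; i++)
        v[i] = (double) (start + i * by);
    *n_out = n;
    return v;
}

int main(void)
{
    /* Constructed inputs: two ordinary ranges, one enormous range with the
       shape of the crashing PoC, one that overflows, one with a zero step. */
    static const struct { long start, end, by; } cases[] = {
        { 1, 10, 3 },                 /* 1 4 7 10 */
        { 10, 1, -4 },                /* 10 6 2 */
        { 1, 100000000000000L, 1 },   /* ~1e14 elements: rejected, never allocated */
        { LONG_MIN, LONG_MAX, 1 },    /* end - start overflows */
        { 1, 5, 0 },                  /* zero step */
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        long n = 0;
        enum seq_status st;
        double *v = seq_build(cases[c].start, cases[c].end, cases[c].by, &n, &st);
        printf("%ld:%ld:%ld -> status %d, n=%ld",
               cases[c].start, cases[c].end, cases[c].by, (int) st, n);
        for (long i = 0; v != NULL && i < n; i++)
            printf(" %g", v[i]);
        putchar('\n');
        free(v);
    }
    return 0;
}
```

The point of separating seq_length from seq_build is that the caller gets a distinct, reportable reason (zero step, overflow, over the cap, allocator failure) instead of a NULL it was never told to look for; in the quoted function the only check is `if (!by)`, so an unsatisfiable allocation falls straight through to gsl_matrix_set. Whatever bound a project chooses, the minimum fix for the crash itself is to test the result of gsl_matrix_alloc before the write loop.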

