Re: Potential security bug: Buffer overflow in gsl_stats_quantile_from_sorted_data (of library Statistics)

[Patrick Alken]

Hi Zhoulai,

  I appreciate you following up on this, and for your patience. I have 
just committed a fix to the git repository which should address the 
issue. I added a check on the input parameter 'f' which returns an error 
if it is out of range.

Best regards,

Patrick

On 4/16/22 08:46, Zhoulai Fu wrote:
> I just found out that the buffer overflow issue I reported years ago (see
> below) remains in the recent version of GSL (just tested on the newest one
> on GitHub). Is this issue something we plan to fix? I am asking since
> now computing quantiles with GSL, or anything depending on it,  seems not
> secure.
>
> BR,
> Zhoulai
>
> On Thu, Dec 3, 2020 at 11:12 PM Zhoulai Fu@Gmail <zhoulai.fu@gmail.com>
> wrote:
>
> > Running the following code (also attached as a file) triggers a
> > segmentation error.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *#include <stdio.h>#include <gsl/gsl_sort.h>#include
> > <gsl/gsl_statistics.h>int main(void){  double upperq;  double data[5] =
> > {17.2, 18.1, 16.5, 18.3, 12.6};  gsl_sort (data, 1, 5);  upperq =
> > gsl_stats_quantile_from_sorted_data (data, 1, 5, 675);  return 0;}// gcc
> > statsort_bug.c -lgsl -lgslcblas; ./a.out*
> >
> > The error points to statistics/quantiles_source.c:41:
> >
> >
> > *      result = (1 - delta) * sorted_data[lhs * stride] + delta *
> > sorted_data[(lhs + 1) * stride] ;*
> > The segmentation error is due to a stack buffer overflow (where
> > lhs=2700, strid=1 as shown in GDB). The bug could be exploited for
> > security attack, knowing that it occurs when the quantile "f" is
> > beyond the expected [0,1] range (f=675 in this case).
> >
> > BR,
> > Zhoulai