PSPP-BUG: [bug #62981] divide by zero in xtimes
From: han zheng
Subject: PSPP-BUG: [bug #62981] divide by zero in xtimes
Date: Mon, 29 Aug 2022 14:19:41 -0400 (EDT)
URL:
<https://savannah.gnu.org/bugs/?62981>
Summary: divide by zero in xtimes
Project: PSPP
Submitter: kdsj
Submitted: Mon 29 Aug 2022 06:19:40 PM UTC
Category: None
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 29 Aug 2022 06:19:40 PM UTC By: han zheng <kdsj>
## Brief summary
Hello, I was testing my fuzzer and found a possible divide by zero in xtimes,
gl/xsize.h. Unfortunately the PoC cannot be reproduced, but I verified
manually and found that the bug might exist.
## Bug description
In utilities/pspp-dump-sav.c, line 1404:
```
if (size_overflow_p (xsum (1, xtimes (size, count))))
```
It calls xtimes, which is defined in gl/xsize.h:
```
#define xtimes(N, ELSIZE) \
((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
```
xtimes tries to perform an overflow check; however, ELSIZE can be 0, which
might result in a divide by zero.
My PoC can only prove that ELSIZE can be zero in size_overflow_p, but it
cannot be reproduced in my environment. I guess the reason may be that I use
clang's LTO mode and the gold linker to compile the binary for fuzzing. But I
believe the problem does exist.
## gdb log
```
gdb-peda$ set args pspp-dump-sav.fpe
gdb-peda$ b utilities/pspp-dump-sav.c:1404
Breakpoint 1 at 0x4d215f: utilities/pspp-dump-sav.c:1404. (6 locations)
gdb-peda$ r
Starting program: /home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav pspp-dump-sav.fpe
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
File header record:
Product name: @(#) SPSS DATA FILE GNU psble0.13.1 -
x86_64-unknown-linux-g
Layout code: 2
Compressed: 1 (simple compression)
Weight index: 0
Number of cases: 40
Compression bias: 100
Creation date: 03 Sep 17
Creation time: 09:57:13
File label: ""
000000b4: variable record #1
Width: 0 (numeric)
Variable label: 1
Missing values code: 0 (no missing values)
Print format: 050800 (F8.0)
Write format: 0508ff (F8.255)
Name: SEX
000000d0 Variable label: "Sex of subject "
000000e8: variable record #2
Width: 0 (numeric)
Variable label: 1
Missing values code: 0 (no missing values)
Print format: 050800 (F8.0)
Write format: 050800 (F8.0)
Name: HEIGHT
00000104 Variable label: "Height in millimeters "
00000124: variable record #3
Width: 0 (numeric)
Variable label: 1
Missing values code: 0 (no missing values)
Print format: 58050801 (F8.1)
Write format: 050801 (F8.1)
Name: WEIGHT
00000140 Variable label: "Weight in kilograms "
0000015c: variable record #4
Width: 536870912 (string)
Variable label: 1
Missing values code: 0 (no missing values)
Print format: 050802 (F8.2)
Write format: 050802 (F8.2)
Name: TEMPERAT
00000178 Variable label: "Internal body temperature in degrees Celcius"
000001ac: value labels record
2.121995790965272e-314/"": "Male"
1/"": "Female"
000001d4: apply to variables #1
000001e0: document record
4 lines of documents
000001e4: line 0: "This data set contains two data entry errors."
00000234: line 1: "variable "height", case 30; and
"
00000284: line 2: "variapp "weight", case 38."
000002d4: line 3: " (Entered 29 Dec"
00000328: Record 7, subtype 3, size=4, count=8
00000334: machine integer info
Version: 0.13.1
Machine code: -1
Floating point representation: 1 (IEEE 754)
Compression code: 1
Endianness: 2 (little)
Character code: 65001
00000358: Record 7, subtype 4, size=8, count=3
00000364: machine float info
sysmis: -1.797693134862316e+308 (-0x1.fffffffffffffp+1023)
highest: 1.797693134862316e+308 (0x1.fffffffffffffp+1023)
lowest: -1.797693134862316e+308 (-0x1.ffffffffffffep+1023)
00000380: Record 7, subtype 11, size=4, count=12
0000038c: variable display parameters
Var #0: measure=3 (scale), width=2, align=1 (right)
Var #1: measure=3 (scale), width=8, align=1 (right)
Var #2: measure=3 (scale), width=8, align=1 (right)
Var #3: measure=3 (scale), width=8, align=1 (right)
000003c0: Record 7, subtype 13, size=65470465, count=0
000003cc: long variable names (short => long)
[----------------------------------registers-----------------------------------]
RAX: 0x603000000310 --> 0xbebebebebebebebe
RBX: 0x7fffffffdea0 --> 0x7fffffffde60 --> 0x200000001 --> 0x0
RCX: 0x2e ('.')
RDX: 0x603000000300 --> 0x2000001102 --> 0x0
RSI: 0x0
RDI: 0x603000000310 --> 0xbebebebebebebebe
RBP: 0x7fffffffe0f0 --> 0x2
RSP: 0x7fffffffd600 --> 0x41b58ab3
RIP: 0x4d3a6f (<main+12031>: mov rax,r12)
R8 : 0x7ffff7fba000 --> 0x52c748 --> 0x4a6510 (<_ZN11__sanitizer17ThreadContextBase6OnDeadEv>: ret)
R9 : 0x0
R10: 0x3
R11: 0x201
R12: 0x0
R13: 0x3e7000100000000
R14: 0x3e70001
R15: 0x603000000310 --> 0xbebebebebebebebe
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4d3a65 <main+12021>: mov r15,rax
0x4d3a68 <main+12024>: mov rsi,r12
0x4d3a6b <main+12027>: imul rsi,r14
=> 0x4d3a6f <main+12031>: mov rax,r12
0x4d3a72 <main+12034>: mul r14
0x4d3a75 <main+12037>: mov rax,rsi
0x4d3a78 <main+12040>: mov rcx,0xffffffffffffffff
0x4d3a7f <main+12047>: cmovo rax,rcx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd600 --> 0x41b58ab3
0008| 0x7fffffffd608 --> 0x50c2a0 ("16 32 8 16 raw_value.i:1237 64 1 25
n_missing_values.i.i:1098 80 81 10 line.i:580 208 1 15 label_len.i:532 224 256
11 label.i:534 544 9 12 string.i:494 576 1024 15 buffer.i.i:1670 1728 4 16
integer.i."...)
0016| 0x7fffffffd610 --> 0x4d0b70 (<main>: push rbp)
0024| 0x7fffffffd618 --> 0x5da440 --> 0x0
0032| 0x7fffffffd620 --> 0x2242b80000000000
0040| 0x7fffffffd628 --> 0x2
0048| 0x7fffffffd630 --> 0x2
0056| 0x7fffffffd638 --> 0x7fffffffd700 --> 0x499fe3 (<__interceptor_free()+163>: mov r14,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, open_text_record (r=<optimized out>, size=0x3e70001, count=0x0)
at utilities/pspp-dump-sav.c:1404
1404 if (size_overflow_p (xsum (1, xtimes (size, count))))
gdb-peda$ display count
1: count = 0x0
```
## Credit
Han Zheng (NCNIPC of China, Hexhive)
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Mon 29 Aug 2022 06:19:40 PM UTC Name: pspp-dump-sav.zip Size: 684B
By: kdsj
<http://savannah.gnu.org/bugs/download.php?file_id=53629>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?62981>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
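Added example, not part of the report above and not PSPP or gnulib code: the report quotes gnulib's xtimes() macro and the call at pspp-dump-sav.c:1404. The C program below reproduces that macro, reimplements xsum() and size_overflow_p() to the saturating semantics the call site relies on, and shows two variants that cannot divide by zero: one that tests ELSIZE before the macro is reached, and one built on __builtin_mul_overflow (GCC/clang) that never divides at all. The size=0x3e70001, count=0 pair is the one recorded at the breakpoint; the names xtimes_guarded, xtimes_builtin, text_record_bytes, text_record_overflows and xtimes_divides_by_zero are chosen here for illustration. One caveat worth noting: the disassembly in the gdb log shows `mul` followed by `cmovo` against 0xffffffffffffffff rather than a division, i.e. the compiler rewrote the `N <= SIZE_MAX / ELSIZE` comparison as a multiply-with-overflow check, which is consistent with the PoC not trapping in the reporter's LTO build. A build that evaluates SIZE_MAX / 0 at run time would raise SIGFPE on x86, so this program never invokes the original macro with a zero element size.

```c
/* Added example (not PSPP or gnulib code).  Reproduces the xtimes()
 * check quoted in bug #62981 and shows two variants that tolerate an
 * element size of zero.  Sample input: the (size, count) pair from the
 * gdb breakpoint in the report; everything else is constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The macro exactly as the report quotes it from gl/xsize.h.
 * With ELSIZE == 0 the division SIZE_MAX / (ELSIZE) is undefined
 * behaviour (SIGFPE on x86 when actually executed).  Nothing below
 * calls it with a zero ELSIZE. */
#define xtimes(N, ELSIZE) \
  ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)

/* Saturating add and the "did anything saturate?" predicate,
 * reimplemented here to the semantics the call site depends on. */
static inline size_t xsum (size_t a, size_t b)
{
  size_t s = a + b;
  return s >= a ? s : SIZE_MAX;
}
#define size_overflow_p(SIZE) ((SIZE) == SIZE_MAX)

/* True when evaluating the original xtimes() with this element size
 * would divide by zero: a zero ELSIZE is the only trigger. */
static bool xtimes_divides_by_zero (size_t elsize)
{
  return elsize == 0;
}

/* Hardened variant: zero elements of any size need zero bytes, so
 * return 0 before the division is reached.  Using a function (not a
 * macro) also keeps a literal 0 out of the constant-folded division. */
static size_t xtimes_guarded (size_t n, size_t elsize)
{
  if (elsize == 0)
    return 0;
  return xtimes (n, elsize);
}

/* Same contract via the compiler's overflow intrinsic: no division at
 * all, so no ELSIZE == 0 hazard and no reliance on the optimiser. */
static size_t xtimes_builtin (size_t n, size_t elsize)
{
  size_t product;
  return __builtin_mul_overflow (n, elsize, &product) ? SIZE_MAX : product;
}

/* Mirrors pspp-dump-sav.c:1404: bytes for count elements of size bytes
 * plus one terminator, or SIZE_MAX if that does not fit in size_t. */
static size_t text_record_bytes (size_t size, size_t count)
{
  return xsum (1, xtimes_guarded (size, count));
}

static bool text_record_overflows (size_t size, size_t count)
{
  return size_overflow_p (text_record_bytes (size, count));
}

int main (void)
{
  /* Arguments recorded at the breakpoint in the report. */
  size_t size = 0x3e70001, count = 0;

  printf ("original xtimes(size, count) would %s\n",
          xtimes_divides_by_zero (count) ? "divide by zero" : "be safe");
  printf ("guarded: %zu byte(s), overflow=%d\n",
          text_record_bytes (size, count),
          (int) text_record_overflows (size, count));
  printf ("builtin: %zu byte(s)\n", xsum (1, xtimes_builtin (size, count)));

  /* A genuinely oversized record still saturates and is rejected. */
  printf ("SIZE_MAX x 2: overflow=%d\n",
          (int) text_record_overflows (SIZE_MAX, 2));
  return 0;
}
```

Either variant keeps the overflow protection the original macro was written for: a product that does not fit in size_t still saturates to SIZE_MAX, and xsum() then carries that saturation into size_overflow_p(). The difference is only that a zero count is answered with zero bytes instead of a division by zero.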