bug-gnu-pspp
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PSPP-BUG: [bug #62986] heap-buffer-overflow in text_parse_counted_string

From: han zheng
Subject: PSPP-BUG: [bug #62986] heap-buffer-overflow in text_parse_counted_string
Date: Tue, 30 Aug 2022 03:04:18 -0400 (EDT) 
URL:
  <https://savannah.gnu.org/bugs/?62986>

                 Summary: heap-buffer-overflow in text_parse_counted_string 
                 Project: PSPP
               Submitter: kdsj
               Submitted: Tue 30 Aug 2022 07:04:17 AM UTC
                Category: None
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 30 Aug 2022 07:04:17 AM UTC By: han zheng <kdsj>
## short summary
Hello, I was testing my fuzzer and find a heap buffer overflow in 
text_parse_counted_string, pspp-1.6.2

## Environment
Ubuntu 21.10
gcc 11.2.0
pspp-1.6.2

## step to reproduce
./configure --disable-shared --without-gui && make -j$(nproc)
./pspp-dump-sav $POC

## ASan output

=================================================================
==2331314==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000021d at pc 0x0000004d775a bp 0x7fff3eb16760 sp 0x7fff3eb16758
READ of size 1 at 0x60200000021d thread T0
    #0 0x4d7759 in text_parse_counted_string
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:1467:10
    #1 0x4d2adb in read_mrsets
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:824:21
    #2 0x4d2adb in read_extension_record
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:617:7
    #3 0x4d2adb in main
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:219:15
    #4 0x7f88a8decfcf in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f88a8ded07c in __libc_start_main csu/../csu/libc-start.c:409:3
    #6 0x41f384 in _start
(/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav+0x41f384)

0x60200000021d is located 0 bytes to the right of 13-byte region
[0x602000000210,0x60200000021d)
allocated by thread T0 here:
    #0 0x49a24d in malloc
/home/kdsj/workspace/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4d9b05 in xmalloc
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/gl/xmalloc.c:44:19
    #2 0x7f88a8decfcf in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/kdsj/workspace/fuzz/verify/pspp-1.6.2/utilities/pspp-dump-sav.c:1467:10
in text_parse_counted_string
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8030: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8040: fa fa 00[05]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2331314==ABORTING


## Credit
Han Zheng(NCNIPC of China, Hexhive)






    _______________________________________________________
File Attachments:


-------------------------------------------------------
Date: Tue 30 Aug 2022 07:04:17 AM UTC  Name: poc3.zip  Size: 632B   By: kdsj

<http://savannah.gnu.org/bugs/download.php?file_id=53635>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62986>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]