PSPP-BUG: [bug #54724] Another NULL Pointer Dereference in pspp-dump-sav
From: Peter Lemenkov
Subject: PSPP-BUG: [bug #54724] Another NULL Pointer Dereference in pspp-dump-sav.c
Date: Tue, 25 Sep 2018 07:00:15 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
URL:
<https://savannah.gnu.org/bugs/?54724>
Summary: Another NULL Pointer Dereference in pspp-dump-sav.c
Project: PSPP
Submitted by: peter_lemenkov
Submitted on: Tue 25 Sep 2018 11:00:12
Category: None
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Effort: 0.00
_______________________________________________________
Details:
Description of problem:
The vulnerability was triggered in read_mrsets() at
utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't check whether
the returned pointer 'number' is NULL.
Version-Release number of selected component (if applicable):
<= latest
How reproducible:
./pspp-dump-sav POC1
Steps to Reproduce:
The information is as follows:
$./pspp-dump-sav POC1
File header record:
Product name: @(#) SPSS DATA FILE MS Windows Release 12.0
spssio32.dll
Layout code: 2
Compressed: 1 (simple compression)
Weight index: 0
Number of cases: 10
Compression bias: 100
Creation date: 30 Jan 13
Creation time: 14:34:58
File label: " ??"
...
00000254: Record 7, subtype 7, size=1, count=0
00000260: multiple response sets
00000264: Record 7, subtype 19, size=1, count=71
00000270: multiple response sets
Segmentation fault
The gdb debugging information is as follows:
(gdb) set args POC1
(gdb) r
...
Breakpoint 1, read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>) at utilities/pspp-dump-sav.c:800
800 if (!strcmp (number, "11"))
(gdb) x/5i $pc
=> 0x4081ad <main+6093>: movzbl (%rdx),%eax
0x4081b0 <main+6096>: cmp $0x31,%eax
0x4081b3 <main+6099>: jne 0x408214 <main+6196>
0x4081b5 <main+6101>: movslq %fs:(%r12),%rax
0x4081ba <main+6106>: mov 0x20c287(%rip),%rsi # 0x614448 <__afl_area_ptr>
(gdb) i r rdx
rdx 0x0 0
(gdb) si
Program received signal SIGSEGV, Segmentation fault.
read_mrsets (r=0x7fff0000000c, size=<optimized out>, count=<optimized out>) at utilities/pspp-dump-sav.c:800
800 if (!strcmp (number, "11"))
The vulnerability was triggered in read_mrsets() at
utilities/pspp-dump-sav.c:800. Line pspp-dump-sav.c:799 doesn't check whether
the returned pointer 'number' is NULL.
731 read_extra_product_info (struct sfm_reader *r,
732 size_t size, size_t count)
733 {
...
785 else if (text_match (text, 'E'))
786 {
787 char *number;
788
789 type = MRSET_MD;
790 cat_label_from_counted_values = true;
791
...
799 number = text_tokenize (text, ' ');
800 if (!strcmp (number, "11"))
...
}
Actual results:
crash
Expected results:
file contents dump
Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact address@hidden and address@hidden if you need
more info about the team, the tool or the vulnerability.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Tue 25 Sep 2018 11:00:12 Name: pspp-0001-Check-number-for-NULL.patch Size: 655 B By: peter_lemenkov
<http://savannah.gnu.org/bugs/download.php?file_id=45090>
-------------------------------------------------------
Date: Tue 25 Sep 2018 11:00:12 Name: POC1 Size: 700 B By: peter_lemenkov
<http://savannah.gnu.org/bugs/download.php?file_id=45091>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?54724>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
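As an added illustration, not part of the report above and not PSPP's own code or the attached patch, the following C program models the parsing pattern the report quotes from pspp-dump-sav.c:799-800: a text_tokenize() that hands back NULL once the record is exhausted, the unchecked strcmp() from line 800 beside a version that rejects the truncated record instead. The text_record helpers, the "name=E ..." record strings and the assumed contract of text_tokenize() (NULL when the cursor is already at the end of the record) are simplified stand-ins constructed for this example, not taken from PSPP.

```c
/* Added example (not PSPP's code, nor the attached patch): a model of the
 * MRSETS text-record parsing pattern quoted in bug #54724. The text_record
 * helpers are simplified stand-ins; the assumed contract is that
 * text_tokenize() returns NULL once the record is exhausted. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct text_record {
    char *buffer;   /* NUL-terminated record; tokens are cut in place */
    size_t pos;     /* read cursor */
    size_t size;    /* strlen (buffer) */
};

/* Consume character C if it is the next one in the record. */
static bool
text_match (struct text_record *text, int c)
{
    if (text->pos < text->size && text->buffer[text->pos] == c) {
        text->pos++;
        return true;
    }
    return false;
}

/* Return the next token, ended by DELIMITER or by the end of the record, as a
 * NUL-terminated string inside the buffer. Returns NULL when the cursor is
 * already at the end of the record: the case the crashing code never checked. */
static char *
text_tokenize (struct text_record *text, int delimiter)
{
    size_t start = text->pos;
    if (start >= text->size)
        return NULL;
    while (text->pos < text->size && text->buffer[text->pos] != delimiter)
        text->pos++;
    if (text->pos < text->size)
        text->buffer[text->pos++] = '\0';
    return &text->buffer[start];
}

/* Copy RECORD into BUF (overlong records are cut to fit), then consume the
 * "name=E " prefix. Returns false if the record is not an 'E' set. */
static bool
open_e_set (struct text_record *text, char *buf, size_t bufsize,
            const char *record)
{
    snprintf (buf, bufsize, "%s", record);
    text->buffer = buf;
    text->pos = 0;
    text->size = strlen (buf);
    return text_tokenize (text, '=') != NULL && text_match (text, 'E')
           && text_match (text, ' ');
}

enum mrset_status {
    MRSET_LABEL_FROM_VARS,    /* label source "11" */
    MRSET_LABEL_FROM_VALUES,  /* any other label source */
    MRSET_TRUNCATED,          /* record ends right after "E " */
    MRSET_NOT_E               /* not a "name=E ..." record */
};

/* Vulnerable shape, mirroring pspp-dump-sav.c:799-800 as quoted in the report:
 * the result of text_tokenize() goes straight into strcmp(). On a record that
 * ends right after "E ", NUMBER is NULL and strcmp() dereferences it. */
static enum mrset_status
parse_e_set_unchecked (const char *record)
{
    char buf[256];
    struct text_record text;
    if (!open_e_set (&text, buf, sizeof buf, record))
        return MRSET_NOT_E;
    char *number = text_tokenize (&text, ' ');
    if (!strcmp (number, "11"))   /* NULL dereference on truncated input */
        return MRSET_LABEL_FROM_VARS;
    return MRSET_LABEL_FROM_VALUES;
}

/* Hardened shape: the same parse, but a missing token is reported as a
 * malformed record instead of being handed to strcmp(). */
static enum mrset_status
parse_e_set_checked (const char *record)
{
    char buf[256];
    struct text_record text;
    if (!open_e_set (&text, buf, sizeof buf, record))
        return MRSET_NOT_E;
    char *number = text_tokenize (&text, ' ');
    if (number == NULL) {
        fprintf (stderr, "truncated MRSETS record: no label source after 'E'\n");
        return MRSET_TRUNCATED;
    }
    if (!strcmp (number, "11"))
        return MRSET_LABEL_FROM_VARS;
    return MRSET_LABEL_FROM_VALUES;
}

int
main (void)
{
    /* Constructed records, not the POC1 attachment. */
    assert (parse_e_set_checked ("$mrset=E 11 1 2 v1 v2") == MRSET_LABEL_FROM_VARS);
    assert (parse_e_set_checked ("$mrset=E ") == MRSET_TRUNCATED);
    assert (parse_e_set_unchecked ("$mrset=E 1 v1") == MRSET_LABEL_FROM_VALUES);
    /* parse_e_set_unchecked ("$mrset=E ") would SIGSEGV, as in the report. */
    puts ("ok");
    return 0;
}
```

The fix is the one-line NULL check on the tokenizer's result; the rest of the hardened function is unchanged, which is the shape a reviewer would expect from the attached "Check number for NULL" patch. A fuzzer finds this class of bug easily because every tokenizer call that can return NULL on a short record is a candidate, so the same check is worth auditing at every other text_tokenize() call site in the dumper, not only line 799.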