bug-gnu-pspp

PSPP-BUG: heap-use-after-free in src/output/pivot-table.c:863:14


From: Suyue Guo
Subject: PSPP-BUG: heap-use-after-free in src/output/pivot-table.c:863:14
Date: Fri, 23 Aug 2024 20:35:54 +0800

Dear maintainers of pspp:

The PoC to trigger this bug is in the attached file.

Command to run:
pspp use_after_free_pspp


Console output:
./use_after_free_pspp:1.1-1.2: error: Bad character U+FFFD in input.
    1 | �seT

./use_after_free_pspp:1.5: error: SET: Bad character U+0000 in input.
    1 | �seT

./use_after_free_pspp:1.5-1.6: error: SET: Bad character U+FFFD in input.
    1 | �seT

./use_after_free_pspp:1.9: error: SET: Bad character U+007F in input.
    1 | �seT

./use_after_free_pspp:1.9-1.10: error: SET: Bad character U+FFFD in input.
    1 | �seT

./use_after_free_pspp:1.10: error: SET: Bad character U+0000 in input.
    1 | �seT

./use_after_free_pspp:2.1-2.3: error: SET: Unterminated string constant.
    2 | "󿽿
      | ^~~

./use_after_free_pspp:3.3-3.4: error: SET: Bad character U+FFFD in input.
    3 | ""�����&
      |   ^~

./use_after_free_pspp:3.4-3.5: error: SET: Bad character U+FFFD in input.
    3 | ""�����&
      |    ^~

./use_after_free_pspp:3.5-3.6: error: SET: Bad character U+FFFD in input.
    3 | ""�����&
      |     ^~

./use_after_free_pspp:3.6-3.7: error: SET: Bad character U+FFFD in input.
    3 | ""�����&
      |      ^~

./use_after_free_pspp:3.7-3.8: error: SET: Bad character U+FFFD in input.
    3 | ""�����&
      |       ^~

./use_after_free_pspp:3.8: error: SET: Syntax error expecting the name of a setting.
    3 | ""�����&
      |        ^

./use_after_free_pspp:4.1-4.15: error: SET: Unterminated string constant.
    4 | "��xxxxxxxxxxo
      | ^~~~~~~~~~~~~~~

./use_after_free_pspp:6.1: error: Bad character U+0005 in input.
    6 |
z��geT

./use_after_free_pspp:6.1: error: Unknown command `z'.
    6 |
z��geT

./use_after_free_pspp:6.2-6.3: error: Bad character U+FFFD in input.
    6 |
z��geT

./use_after_free_pspp:6.3-6.4: error: Bad character U+FFFD in input.
    6 |
z��geT

./use_after_free_pspp:6.7: error: Bad character U+0000 in input.
    6 |
z��geT

./use_after_free_pspp:6.7: error: Bad character U+0000 in input.
    6 |
z��geT

./use_after_free_pspp:6.15: error: Bad character U+0000 in input.
    6 |
z��geT

./use_after_free_pspp:6.15: error: Bad character U+0000 in input.
    6 |
z��geT

./use_after_free_pspp:6.26: error: Bad character U+0000 in input.
    6 |
z��geT

./use_after_free_pspp:6.26-6.27: error: Bad character U+FFFD in input.
    6 |
z��geT

./use_after_free_pspp:7.1: error: Bad character U+0005 in input.
    7 |
z��geA

./use_after_free_pspp:7.2-7.3: error: Bad character U+FFFD in input.
    7 |
z��geA

./use_after_free_pspp:7.3-7.4: error: Bad character U+FFFD in input.
    7 |
z��geA

./use_after_free_pspp:7.7: error: Bad character U+0000 in input.
    7 |
z��geA

./use_after_free_pspp:7.7: error: Bad character U+0000 in input.
    7 |
z��geA

./use_after_free_pspp:7.11-7.12: error: Bad character U+FFFD in input.
    7 |
z��geA

./use_after_free_pspp:9.1: error: Syntax error expecting command name.
    9 | _ el�N�r
      | ^

./use_after_free_pspp:9.5-9.6: error: Bad character U+FFFD in input.
    9 | _ el�N�r
      |     ^~

./use_after_free_pspp:9.7-9.8: error: Bad character U+FFFD in input.
    9 | _ el�N�r
      |       ^~

./use_after_free_pspp:9.8: error: Bad character U+0004 in input.
    9 | _ el�N�r
      |        ^

./use_after_free_pspp:10.4: error: SET: Bad character U+0000 in input.
   10 | SeT

./use_after_free_pspp:10.7-10.8: error: SET: Bad character U+FFFD in input.
   10 | SeT

./use_after_free_pspp:10.9-10.10: error: SET: Bad character U+FFFD in input.
   10 | SeT

./use_after_free_pspp:10.10: error: SET: Bad character U+0004 in input.
   10 | SeT

./use_after_free_pspp:10.4-10.8: warning: SET: CELLSBREAK is not yet implemented.
   10 | SeT

./use_after_free_pspp:10.10-10.12: error: SET: Syntax error expecting the name of a setting.
   10 | SeT

./use_after_free_pspp:10.13: error: SET: Bad character U+001B in input.
   10 | SeT

./use_after_free_pspp:10.13-10.14: error: SET: Bad character U+FFFD in input.
   10 | SeT

./use_after_free_pspp:11.1-11.2: error: SET: Bad character U+FFFD in input.
   11 | �N�r
      | ^~

./use_after_free_pspp:11.3-11.4: error: SET: Bad character U+FFFD in input.
   11 | �N�r
      |   ^~

./use_after_free_pspp:11.4: error: SET: Bad character U+0004 in input.
   11 | �N�r
      |    ^

./use_after_free_pspp:12.4: error: SET: Bad character U+0000 in input.
   12 | SeT

./use_after_free_pspp:12.7-12.8: error: SET: Bad character U+FFFD in input.
   12 | SeT

./use_after_free_pspp:12.9-12.10: error: SET: Bad character U+FFFD in input.
   12 | SeT

./use_after_free_pspp:12.10: error: SET: Bad character U+0004 in input.
   12 | SeT

./use_after_free_pspp:12.4-12.8: warning: SET: CELLSBREAK is not yet implemented.
   12 | SeT

./use_after_free_pspp:12.10-12.12: error: SET: Syntax error expecting the name of a setting.
   12 | SeT

./use_after_free_pspp:12.14-12.15: error: SET: Bad character U+FFFD in input.
   12 | SeT

./use_after_free_pspp:14.4: error: SET: Bad character U+0000 in input.
   14 | SeT

./use_after_free_pspp:14.7-14.8: error: SET: Bad character U+FFFD in input.
   14 | SeT

./use_after_free_pspp:14.9-14.10: error: SET: Bad character U+FFFD in input.
   14 | SeT

./use_after_free_pspp:14.10: error: SET: Bad character U+0004 in input.
   14 | SeT

./use_after_free_pspp:14.4-14.8: warning: SET: CELLSBREAK is not yet implemented.
   14 | SeT

./use_after_free_pspp:14.13: error: SET: Bad character U+0000 in input.
   14 | SeT

./use_after_free_pspp:14.16-14.17: error: SET: Bad character U+FFFD in input.
   14 | SeT

./use_after_free_pspp:14.17-14.18: error: SET: Bad character U+FFFD in input.
   14 | SeT

./use_after_free_pspp:14.18-14.19: error: SET: Unterminated string constant.
   14 | SeT
******************************************************
You have discovered a bug in PSPP.  Please report this
to bug-gnu-pspp@gnu.org.  Please include this entire
message, *plus* several lines of output just above it.
For the best chance at having the bug fixed, also
include the syntax file that triggered it and a sample
of any data file used for input.
proximate cause:     Assertion Failure/Abort
version:             GNU pspp 2.0.1
host_system:         x86_64-pc-linux-gnu
build_system:        x86_64-pc-linux-gnu
locale_dir:          /usr/local/share/locale
compiler version:    Ubuntu Clang 15.0.7
******************************************************
Aborted

ASAN output:

=================================================================
==2584585==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001e90 at pc 0x55c5f23199e6 bp 0x7ffe2f7ad7d0 sp 0x7ffe2f7ad7c8
READ of size 1 at 0x602000001e90 thread T0
    #0 0x55c5f23199e5 in summary_expansion /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:863:14
    #1 0x55c5f2319771 in pivot_table_create__ /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:967:14
    #2 0x55c5f230bd72 in text_item_to_table_item /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/output-item.c:711:31
    #3 0x55c5f23f541d in ascii_submit /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/ascii.c:640:12
    #4 0x55c5f22eeac8 in output_submit__ /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/driver.c:214:9
    #5 0x55c5f22ee57e in output_submit /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/driver.c:269:3
    #6 0x55c5f2307214 in output_item_submit /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/output-item.c:197:3
    #7 0x55c5f2073a2b in output_msg /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/ui/terminal/main.c:245:3
    #8 0x55c5f253094b in ship_message /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/libpspp/message.c:507:5
    #9 0x55c5f252f806 in process_msg /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/libpspp/message.c:536:3
    #10 0x55c5f252bd51 in msg_emit /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/libpspp/message.c:571:5
    #11 0x55c5f218451d in lex_source_msg_valist /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/lexer/lexer.c:2183:3
    #12 0x55c5f218195e in lex_ofs_msg_valist /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/lexer/lexer.c:682:3
    #13 0x55c5f2181d80 in lex_ofs_error /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/lexer/lexer.c:475:3
    #14 0x55c5f2078977 in parse_command_name /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:359:9
    #15 0x55c5f20774b2 in do_parse_command /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:198:13
    #16 0x55c5f20772cf in cmd_parse_in_state /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:150:12
    #17 0x55c5f2077b9a in cmd_parse /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:165:10
    #18 0x55c5f2073134 in main /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/ui/terminal/main.c:139:20
    #19 0x7f14fc474d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #20 0x7f14fc474e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #21 0x55c5f1fb2fc4 in _start (/data/fuzz/fuzz-data/target/elf/debug/pspp+0x12bfc4) (BuildId: 619b7e08e1c594a88b8ce0ba10e95b223d1431e9)

0x602000001e90 is located 0 bytes inside of 1-byte region [0x602000001e90,0x602000001e91)
freed by thread T0 here:
    #0 0x55c5f2038742 in free (/data/fuzz/fuzz-data/target/elf/debug/pspp+0x1b1742) (BuildId: 619b7e08e1c594a88b8ce0ba10e95b223d1431e9)
    #1 0x55c5f2318acc in pivot_value_destroy /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:2718:11
    #2 0x55c5f231eb95 in pivot_table_delete_cell /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:1833:3
    #3 0x55c5f231ced6 in pivot_table_unref /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:1272:5
    #4 0x55c5f23062c3 in output_item_unref /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/output-item.c:105:11
    #5 0x55c5f23061c4 in output_item_unref /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/output-item.c:89:13
    #6 0x55c5f22eeaf8 in output_submit__ /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/driver.c:218:3
    #7 0x55c5f22ef18a in output_close_groups /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/driver.c:325:9
    #8 0x55c5f2077a63 in do_parse_command /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:257:5
    #9 0x55c5f20772cf in cmd_parse_in_state /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:150:12
    #10 0x55c5f2077b9a in cmd_parse /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:165:10
    #11 0x55c5f2073134 in main /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/ui/terminal/main.c:139:20
    #12 0x7f14fc474d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

previously allocated by thread T0 here:
    #0 0x55c5f20389ee in malloc (/data/fuzz/fuzz-data/target/elf/debug/pspp+0x1b19ee) (BuildId: 619b7e08e1c594a88b8ce0ba10e95b223d1431e9)
    #1 0x55c5f25a03e4 in xmalloc /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/gl/xmalloc.c:45:19
    #2 0x55c5f25a09c8 in xmemdup /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/gl/xmalloc.c:314:18
    #3 0x55c5f25a0aec in xstrdup /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/gl/xmalloc.c:339:10
    #4 0x55c5f24d1dfb in settings_set_summary /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/data/settings.c:664:32
    #5 0x55c5f22a4098 in parse_SUMMARY /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/commands/set.c:960:3
    #6 0x55c5f22a05a9 in parse_setting /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/commands/set.c:1379:14
    #7 0x55c5f22a047d in cmd_set /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/commands/set.c:1394:12
    #8 0x55c5f2077995 in do_parse_command /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:244:16
    #9 0x55c5f20772cf in cmd_parse_in_state /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:150:12
    #10 0x55c5f2077b9a in cmd_parse /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/language/command.c:165:10
    #11 0x55c5f2073134 in main /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/ui/terminal/main.c:139:20
    #12 0x7f14fc474d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

SUMMARY: AddressSanitizer: heap-use-after-free /data/fuzz/fuzz-data/target/pspp/pspp-debug_clang/src/output/pivot-table.c:863:14 in summary_expansion
Shadow bytes around the buggy address:
  0x0c047fff8380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8390: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff83d0: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83e0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff83f0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8400: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff8410: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8420: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2584585==ABORTING

Attachment: use_after_free_pspp.zip
Description: Zip compressed data

