bug-gnu-pspp

PSPP-BUG: [bug #58586] stack-buffer-overflow in lex_ellipsize__


From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58586] stack-buffer-overflow in lex_ellipsize__
Date: Tue, 16 Jun 2020 15:15:25 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

URL:
  <https://savannah.gnu.org/bugs/?58586>

                 Summary: stack-buffer-overflow in lex_ellipsize__
                 Project: PSPP
            Submitted by: andreafioraldi
            Submitted on: Tue 16 Jun 2020 07:15:23 PM UTC
                Category: Syntax Parser
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00

    _______________________________________________________

Details:

Hi, I found this stack overflow while fuzzing with AddressSanitizer.

Reproduce with ./pspp -O format=txt -o /dev/null -b stack_overflow_1


=================================================================
==54798==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffd910 at pc 0x000000485d1e bp 0x7fffffffd850 sp 0x7fffffffd010
WRITE of size 4 at 0x7fffffffd910 thread T0
    #0 0x485d1d in strcpy (/home/andreaf/real/pspp/pspp_afl+0x485d1d)
    #1 0x62dc4f in lex_ellipsize__
/home/andreaf/real/pspp/src/language/lexer/lexer.c:1251:3
    #2 0x62dc4f in lex_source_error_valist
/home/andreaf/real/pspp/src/language/lexer/lexer.c:1273:11
    #3 0x63e806 in lex_get_error
/home/andreaf/real/pspp/src/language/lexer/lexer.c:1309:3
    #4 0x62a1fb in lex_source_get__
/home/andreaf/real/pspp/src/language/lexer/lexer.c
    #5 0x62817f in lex_get
/home/andreaf/real/pspp/src/language/lexer/lexer.c:229:10
    #6 0x63c8f8 in lex_discard_rest_of_command
/home/andreaf/real/pspp/src/language/lexer/lexer.c:1114:5
    #7 0x4d0aac in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:244:3
    #8 0x4d0aac in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
    #9 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
    #10 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)

Address 0x7fffffffd910 is located in stack of thread T0 at offset 176 in
frame
    #0 0x62d59f in lex_source_error_valist
/home/andreaf/real/pspp/src/language/lexer/lexer.c:1257

  This frame has 4 object(s):
    [32, 36) 'uc.i.i' (line 942)
    [48, 72) 's' (line 1259)
    [112, 176) 'syntax_cstr' (line 1271) <== Memory access at offset 176
overflows this variable
    [208, 264) 'm' (line 1287)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/andreaf/real/pspp/pspp_afl+0x485d1d) in strcpy
Shadow bytes around the buggy address:
  0x10007fff7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7b10: f8 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00
=>0x10007fff7b20: 00 00[f2]f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3
  0x10007fff7b30: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7b50: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==54798==ABORTING




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 16 Jun 2020 07:15:23 PM UTC  Name: stack_overflow_1  Size: 1KiB  
By: andreafioraldi
bug repro testcase
<http://savannah.gnu.org/bugs/download.php?file_id=49280>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58586>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
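The frame listing above puts `syntax_cstr` at [112, 176), a 64-byte stack array, and the faulting 4-byte write lands at offset 176, just past its end, from a strcpy() with no bound. As an added illustration that is not PSPP's code (the 64-byte size is taken from the report; the function names, the UTF-8 aware ellipsis handling and the sample input are assumptions), here is the flagged pattern as a check beside a bounded ellipsize that cannot write past a fixed buffer:

```c
#include <stddef.h>
#include <string.h>

/* 64 bytes: the size of 'syntax_cstr' ([112, 176)) in the report's frame
   listing.  Everything here is an added illustration, not PSPP's lexer. */
#define SYNTAX_CSTR_SIZE 64
#define ELLIPSIS "..."

/* The flagged pattern: would strcpy(dst, src) into `size` bytes overflow? */
int strcpy_would_overflow(const char *src, size_t size) { return strlen(src) + 1 > size; }

/* Bounded replacement: copy `src` into dst[size], shortening it with an ellipsis
   if needed.  Writes at most `size` bytes, always NUL-terminates, returns length. */
size_t ellipsize(char *dst, size_t size, const char *src)
{
    size_t len = strlen(src), ell = strlen(ELLIPSIS);
    if (size == 0)
        return 0;
    if (len + 1 <= size) {
        memcpy(dst, src, len + 1);
        return len;
    }
    size_t keep = size - 1 > ell ? size - 1 - ell : 0;
    /* Never cut inside a multi-byte UTF-8 sequence: back up over
       continuation bytes (10xxxxxx) so the kept prefix stays valid. */
    while (keep > 0 && ((unsigned char) src[keep] & 0xC0) == 0x80)
        keep--;
    size_t e = ell < size - 1 - keep ? ell : size - 1 - keep;
    memcpy(dst, src, keep);
    memcpy(dst + keep, ELLIPSIS, e);
    dst[keep + e] = '\0';
    return keep + e;
}

/* Check helper: ellipsize into a SYNTAX_CSTR_SIZE stack array treated as `size`
   bytes; returns the length, or (size_t)-1 if the terminator is out of place. */
size_t ellipsize_len(const char *src, size_t size)
{
    char syntax_cstr[SYNTAX_CSTR_SIZE];
    size_t n = ellipsize(syntax_cstr, size < sizeof syntax_cstr ? size : sizeof syntax_cstr, src);
    return n < size && syntax_cstr[n] == '\0' ? n : (size_t) -1;
}

/* Constructed input longer than the 64-byte buffer, like the fuzzer's case. */
static const char LONG_SYNTAX[] =
    "COMPUTE total = price * quantity + tax - discount + shipping_cost "
    "+ handling_fee + insurance_fee + surcharge + adjustment.";
```

With the report's 64-byte buffer, `LONG_SYNTAX` would overflow under strcpy() but ellipsizes to 63 characters plus the terminator; the back-up loop keeps a truncated UTF-8 prefix well formed.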