Bug 752081 – Stack-buffer overread in sheet.c:6293 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 752081 - Stack-buffer overread in sheet.c:6293 on a fuzzed xls file


Summary:	Stack-buffer overread in sheet.c:6293 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-07-07 15:04 UTC by jutaky
Modified:	2015-07-07 15:49 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-07-07 15:04:38 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-sheet.c.6293.xls

Valgrind doesn't pick this one up and the test case almost never segfaults on its own. But this cannot be a false positive because I did manage to segfault couple times on this one on a vanilla build without ASAN.

$ ssconvert gnumeric_case_002-sheet.c.6293.xls /tmp/out.gnumeric

==14252==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc12987ffc at pc 0x7fbad921ebd5 bp 0x7ffc12987210 sp 0x7ffc12987208
READ of size 4 at 0x7ffc12987ffc thread T0
    #0 0x7fbad921ebd4 in gnm_sheet_get_size gnumeric/gnumeric/src/sheet.c:6293:6
    #1 0x7fbad92ab6ed in gnm_sheet_get_size2 gnumeric/gnumeric/src/sheet.c:6311:5
    #2 0x7fbad90d3ead in gnm_rangeref_normalize_pp gnumeric/gnumeric/src/position.c:578:7
    #3 0x7fbad90d479a in gnm_rangeref_normalize gnumeric/gnumeric/src/position.c:596:2
    #4 0x7fbad96bdedb in value_area_get_height gnumeric/gnumeric/src/value-sheet.c:115:3
    #5 0x7fbab0e31da6 in excel_parse_name gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3715:13
    #6 0x7fbab0e129a1 in excel_read_NAME gnumeric/gnumeric/plugins/excel/ms-excel-read.c:4009:11
    #7 0x7fbab0dddd51 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7284:22
    #8 0x7fbab0d51c97 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #9 0x7fbab0d537a4 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #10 0x7fbad6f04333 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #11 0x7fbad6f1dd3f in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #12 0x7fbad6f2ed18 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #13 0x7fbad9721fc5 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #14 0x7fbad9722bb0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #16 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #17 0x7fbad020178f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

Address 0x7ffc12987ffc is located in stack of thread T0 at offset 444 in frame
    #0 0x7fbab0e309af in excel_parse_name gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3656

  This frame has 21 object(s):
    [32, 40) ''
    [64, 72) ''
    [96, 104) ''
    [128, 136) ''
    [160, 168) ''
    [192, 196) ''
    [208, 212) ''
    [224, 228) ''
    [240, 248) ''
    [272, 296) 'pp'
    [336, 344) 'nexpr'
    [368, 376) 'texpr'
    [400, 408) 'err'
    [432, 440) 'tmp' <== Memory access at offset 444 overflows this variable
    [464, 472) 'val'
    [496, 528) 'ep'
    [560, 564) 'height'
    [576, 580) 'width'
    [592, 600) 'start_sheet'
    [624, 632) 'end_sheet'
    [656, 672) 'dest'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow gnumeric/gnumeric/src/sheet.c:6293 gnm_sheet_get_size

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-07-07 15:36:42 UTC

It's very persistent here.  Valgrind agrees with your trace:

==23124== Conditional jump or move depends on uninitialised value(s)
==23124==    at 0x4F772C3: parse_pos_init (position.c:254)
==23124==    by 0x4F77537: parse_pos_init_evalpos (position.c:316)
==23124==    by 0x4F78002: gnm_rangeref_normalize (position.c:595)
==23124==    by 0x4FFB416: value_area_get_height (value-sheet.c:115)
==23124==    by 0x14B19D34: excel_parse_name (ms-excel-read.c:3715)
==23124==    by 0x14B1AD90: excel_read_NAME (ms-excel-read.c:4009)
==23124==    by 0x14B2698C: excel_read_workbook (ms-excel-read.c:7284)
==23124==    by 0x14B04446: excel_enc_file_open (boot.c:170)
==23124==    by 0x14B048BD: excel_file_open (boot.c:273)
==23124==    by 0x548681A: go_plugin_file_opener_open (go-plugin-service.c:685)
==23124==    by 0x5003F08: workbook_view_new_from_input (workbook-view.c:1278)
==23124==    by 0x50040EA: workbook_view_new_from_uri (workbook-view.c:1337)
==23124==    by 0x404DB5: convert (ssconvert.c:715)
==23124==    by 0x40558C: main (ssconvert.c:903)
==23124==  Uninitialised value was created by a stack allocation
==23124==    at 0x14B19A79: excel_parse_name (ms-excel-read.c:3656)

Comment 2 Morten Welinder 2015-07-07 15:49:40 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.