ARGUSBug Variable truncation in ArgusGenerateRecordStruct leads to divide-by-zero

Chris Benedict via Argus-info argus-info at lists.andrew.cmu.edu
Wed Aug 31 18:51:21 EDT 2016 

>Description:
   This issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/).

   There is divide-by-zero error in common/argus_client.c at line 3174. The
bug
   is caused by the typecasting at line 3173 where canon->metric.dst.pkts is
   casted to an int. In the example attached, the value 0x0010F0FA00000000
is
   stored in canon->metric.dst.pkts which satisfies the condition at line
   31726. However, when the long long is casted to an int pkts is truncated
to
   0x00000000 which causes the divide-by-zero exception.

   The issue also appears to exist at lines 3161-3162 of
common/argus_client.c

>How-To-Repeat:
   See sample file attached. Execute ra with:

   ra -r sample

>Fix:
   Change the pkts (int) variable type to match the type of
canon->metric.dst.pkts
   (long long) at lines 3165 and 3177.

>Originator:    Chris Benedict, Aurelien Delaitre, NIST SAMATE Project,
                https://samate.nist.gov
>Organization:
 National Institute of Standards and Technology
>ARGUS support: none
>Release:       argus-3.0
>Product:       ra
>Synopsis:      Variable truncation in ArgusGenerateRecordStruct leads to
                divide-by-zero
>Class:         sw-bug
>Severity:      non-critical
>Priority:      medium

>Environment:

System:  Linux 4.7.2-1-ARCH #1 SMP PREEMPT Sat Aug 20 23:02:56 CEST 2016
x86_64 GNU/Linux


Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
/usr/bin/gcc /usr/bin/cc

ARGUS:   Argus Version 3.0.8.2
RA:      Ra Version 3.0.8.2


GCC:     Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.1.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc-multilib/src/gcc/configure --prefix=/usr
--libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared
--enable-threads=posix --enable-libmpx --with-system-zlib --with-isl
--enable-__cxa_atexit --disable-libunwind -exceptions --enable-clocale=gnu
--disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object
--enable-linker-build-id --enable-lto --enable-plugin
--enable-install-libiberty --with-linker-hash-style=gnu
--enable-gnu-indirect-function --enable-multilib --disable-werror
--enable-checking=release
Thread model: posix
gcc version 6.1.1 20160802 (GCC)

LIBC:
-rw-r--r-- 1 root root 4769020 Aug  6 07:17 /lib/libc.a
-rw-r--r-- 1 root root 255 Aug  6 07:16 /lib/libc.so
lrwxrwxrwx 1 root root 12 Aug  6 07:17 /lib/libc.so.6 -> libc-2.24.so
-rwxr-xr-x 1 root root 1951744 Aug  6 07:17 /lib/libc-2.24.so
-rw-r--r-- 1 root root 4769020 Aug  6 07:17 /usr/lib/libc.a
-rw-r--r-- 1 root root 255 Aug  6 07:16 /usr/lib/libc.so
lrwxrwxrwx 1 root root 12 Aug  6 07:17 /usr/lib/libc.so.6 -> libc-2.24.so
-rwxr-xr-x 1 root root 1951744 Aug  6 07:17 /usr/lib/libc-2.24.so
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160831/c763f6de/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample
Type: application/octet-stream
Size: 878 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160831/c763f6de/attachment.obj>

More information about the argus mailing list