ARGUSBug Variable truncation in ArgusGenerateRecordStruct leads to divide-by-zero
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Sat Sep 3 09:58:29 EDT 2016
Hey Chris,
Thanks !!! I’ve incorporated a fix for this in the main repository which will be in the next release.
Again THANKS for bug reports !!!!
Carter
> On Aug 31, 2016, at 6:51 PM, Chris Benedict via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> >Description:
> This issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/ <http://lcamtuf.coredump.cx/afl/>).
>
> There is divide-by-zero error in common/argus_client.c at line 3174. The bug
> is caused by the typecasting at line 3173 where canon->metric.dst.pkts is
> casted to an int. In the example attached, the value 0x0010F0FA00000000 is
> stored in canon->metric.dst.pkts which satisfies the condition at line
> 31726. However, when the long long is casted to an int pkts is truncated to
> 0x00000000 which causes the divide-by-zero exception.
>
> The issue also appears to exist at lines 3161-3162 of common/argus_client.c
>
> >How-To-Repeat:
> See sample file attached. Execute ra with:
>
> ra -r sample
>
> >Fix:
> Change the pkts (int) variable type to match the type of canon->metric.dst.pkts
> (long long) at lines 3165 and 3177.
>
> >Originator: Chris Benedict, Aurelien Delaitre, NIST SAMATE Project,
> https://samate.nist.gov <https://samate.nist.gov/>
> >Organization:
> National Institute of Standards and Technology
> >ARGUS support: none
> >Release: argus-3.0
> >Product: ra
> >Synopsis: Variable truncation in ArgusGenerateRecordStruct leads to
> divide-by-zero
> >Class: sw-bug
> >Severity: non-critical
> >Priority: medium
>
> >Environment:
>
> System: Linux 4.7.2-1-ARCH #1 SMP PREEMPT Sat Aug 20 23:02:56 CEST 2016 x86_64 GNU/Linux
>
>
> Paths: /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
>
> ARGUS: Argus Version 3.0.8.2
> RA: Ra Version 3.0.8.2
>
>
> GCC: Using built-in specs.
> COLLECT_GCC=/usr/bin/gcc
> COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.1.1/lto-wrapper
> Target: x86_64-pc-linux-gnu
> Configured with: /build/gcc-multilib/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ <https://bugs.archlinux.org/> --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind -exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release
> Thread model: posix
> gcc version 6.1.1 20160802 (GCC)
>
> LIBC:
> -rw-r--r-- 1 root root 4769020 Aug 6 07:17 /lib/libc.a
> -rw-r--r-- 1 root root 255 Aug 6 07:16 /lib/libc.so
> lrwxrwxrwx 1 root root 12 Aug 6 07:17 /lib/libc.so.6 -> libc-2.24.so <http://libc-2.24.so/>
> -rwxr-xr-x 1 root root 1951744 Aug 6 07:17 /lib/libc-2.24.so <http://libc-2.24.so/>
> -rw-r--r-- 1 root root 4769020 Aug 6 07:17 /usr/lib/libc.a
> -rw-r--r-- 1 root root 255 Aug 6 07:16 /usr/lib/libc.so
> lrwxrwxrwx 1 root root 12 Aug 6 07:17 /usr/lib/libc.so.6 -> libc-2.24.so <http://libc-2.24.so/>
> -rwxr-xr-x 1 root root 1951744 Aug 6 07:17 /usr/lib/libc-2.24.so <http://libc-2.24.so/><sample>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160903/9c024327/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6285 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160903/9c024327/attachment.bin>
More information about the argus
mailing list