Floating Point Exception in User Input
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
crasm (Ubuntu) | Confirmed | Undecided | Unassigned | 
Bug Description
# Floating Point Exception
## Overview
As a result of missing input validation (CWE-233: Improper Handling of Parameters), specific files passed to the command-line application `crasm` can lead to a divide-by-zero fault (CWE-369: Divide By Zero) in the function `opdiv`.
## About
`crasm` is a command-line utility available from the Ubuntu package manager and on [GitHub][crasm-github].
## Vulnerability
The parameter `presult` and its members are not checked prior to the division operation. As a result, a floating point exception occurs when `value` is zero and is then used as the divisor, as happens when zero is divided by itself.
```c
void opdiv(struct result* presult, struct result* parg)
{
    presult->flags |= parg->flags;
    checktype(presult, L_ABSOLUTE);
    checktype(parg, L_ABSOLUTE);
    /* parg->value is never checked: a zero divisor raises SIGFPE here */
    presult->value /= parg->value;
}
```
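The following is an added example, not code from crasm or from this report, showing how a divide operator of this shape can be hardened: the divisor is validated before the division, a diagnostic is reported, and a status code lets the caller abandon the expression instead of continuing with a stale value. The `struct result` layout, the `safe_div` helper and the `opdiv_checked` name and return type are assumptions for the example (crasm's `opdiv` returns `void`). It goes slightly beyond the page by also rejecting `LONG_MIN / -1`, the other integer division that traps with SIGFPE on x86.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed minimal stand-in for crasm's `struct result`; the real struct has
 * more members, this layout exists only for the example. */
struct result {
    long value;
    unsigned flags;
};

/* Checked integer division. Returns true and stores the quotient in *out on
 * success; returns false and leaves *out untouched for both inputs that raise
 * SIGFPE on x86: a zero divisor, and LONG_MIN / -1 (whose result overflows). */
bool safe_div(long dividend, long divisor, long *out)
{
    if (divisor == 0)
        return false;
    if (dividend == LONG_MIN && divisor == -1)
        return false;
    *out = dividend / divisor;
    return true;
}

/* Hardened counterpart of opdiv (assumed name/signature). Merges the operand
 * flags as the original does, then divides only through safe_div. On an
 * invalid divisor it prints a diagnostic, leaves presult->value unchanged and
 * returns -1 so the expression parser can reject the line; returns 0 on success. */
int opdiv_checked(struct result *presult, const struct result *parg)
{
    presult->flags |= parg->flags;
    if (!safe_div(presult->value, parg->value, &presult->value)) {
        fprintf(stderr, "error: invalid division %ld / %ld\n",
                presult->value, parg->value);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample operands: 10 / 0, the shape of input that crashes the
     * unchecked opdiv. Here the division is refused and the program continues. */
    struct result lhs = { 10, 0 };
    struct result rhs = { 0, 0 };
    if (opdiv_checked(&lhs, &rhs) != 0)
        printf("division rejected; lhs.value is still %ld\n", lhs.value);
    return 0;
}
```

Returning a status (rather than silently skipping the operation) matters for an assembler: if the divide is skipped and the caller is not told, the operand keeps its pre-division value and the generated code is wrong without any error being reported.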
### Affected versions
- 1.8-3 (as of writing, the current version) available on the Ubuntu package manager.
- Versions compiled from commit `932f3293f96f36`
### Minimum Viable Patch
A patch was submitted to the maintainer and merged into the source repository with [merge request #7][crasm-pr]; the diff is shown below. The versions packaged for Ubuntu (22.10 and 22.04) remain vulnerable as of writing.
```diff
diff --git a/src/operator.c b/src/operator.c
index a28ac88..e589756 100644
--- a/src/operator.c
+++ b/src/operator.c
@@ -412,7 +412,10 @@ void opdiv(struct result* presult, struct result* parg)
presult->flags |= parg->flags;
checktype(
checktype(parg, L_ABSOLUTE);
- presult->value /= parg->value;
+ if (parg->value != 0)
+ {
+ presult->value /= parg->value;
+ }
}
void oprlist(struct result* presult, struct result* parg)
```
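Review bot: the guard added in this hunk skips the division silently when `parg->value` is zero, so `presult->value` keeps whatever it held before and the assembler carries on as if the expression had evaluated correctly; since `opdiv` returns `void`, the caller has no way to notice. The zero-divisor branch should raise a diagnostic for the offending line (the way `checktype` rejects a wrong operand type just above) so the error is visible to the user rather than producing a wrong operand value.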
### Recommended Common Vulnerability Score
- Overall: 1.6
- CVSS Base Score: 1.7
- Impact Subscore: 1.4
- Exploitability Subscore: 0.3
## Validation
To validate the existence of the floating point exception, use the included test case to trigger the fault. The file is passed as the first argument to the program.
```shell
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
# Using apt
$ apt update
$ apt install crasm
$ apt list | grep crasm
crasm/jammy,now 1.8-3 amd64 [installed]
$ crasm /517d1b402d585f
Pass #1
Floating point exception
# Using git
$ apt install git make clang
$ git clone https:/
$ cd crasm
$ git checkout 932f3293f96f36b
$ CC=clang make
8 warnings generated.
clang -O -Wall -c -o cpuz80.o cpuz80.c
clang -O -Wall -o crasm crasm.o stdvocabulary.o pseudos.o macro.o label.o parse.o filter.o operator.o output.o xref.o scode.o cpulist.o cpu6800.o cpu6502.o cpuz80.o -lm
done
make[1]: Leaving directory '/crasm/src'
./src/crasm /517d1b402d585f
Pass #1
Floating point exception
```
### Backtrace
Observe the exception with `lldb`'s backtrace.
```text
$ lldb -- ./crasm ./517d1b402d585
(lldb) target create "./crasm"
Current executable set to '/crasm/src/crasm' (x86_64).
(lldb) settings set -- target.run-args "./517d1b402d58
(lldb) r
Process 2564 launched: '/crasm/src/crasm' (x86_64)
Pass #1
Process 2564 stopped
* thread #1, queue = 'com.apple.
frame #0: 0x00000001000078f4 crasm`opdiv(
412 presult->flags |= parg->flags;
413 checktype(presult, L_ABSOLUTE);
414 checktype(parg, L_ABSOLUTE);
-> 415 presult->value /= parg->value;
416 }
417
418 void oprlist(struct result* presult, struct result* parg)
Target 0: (crasm) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.
* frame #0: 0x00000001000078f4 crasm`opdiv(
frame #1: 0x0000000100006455 crasm`parse2(
frame #2: 0x00000001000062b4 crasm`parse(
frame #3: 0x0000000100009357 crasm`findmode(
frame #4: 0x0000000100009214 crasm`standard(
frame #5: 0x0000000100002d3c crasm`asmline(
frame #6: 0x0000000100002781 crasm`pass(n=1) at crasm.c:274:9
frame #7: 0x0000000100002460 crasm`crasm(
frame #8: 0x0000000100002262 crasm`main(argc=0, argv=0x00007ff7
frame #9: 0x00007ff812381310 dyld`start + 2432
```
[crasm-ubuntu]: https:/
[crasm-github]: https:/
[5471a9f]: https:/
information type: Private Security → Public Security
Changed in crasm (Ubuntu):
status: New → Confirmed
Patch included; author merged this into the original source here: https://github.com/colinbourassa/crasm/pull/7