*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
# Floating Point Exception

## Overview

As a result of insufficient input validation (CWE-233: Improper Handling of Parameters), specific files passed to the command line application `crasm` can lead to a divide-by-zero fault (CWE-369: Divide By Zero) in the function `opdiv`.

## About

`crasm` is a command line utility available from the Ubuntu package manager and on [GitHub][crasm-github] which assembles code for the 6800, 6801, 6803, 6502, 65C02, and Z80. At the time of writing, the current version is 1.8-3 on Ubuntu and commit [5471a9f][5471a9f] on GitHub.

## Vulnerability

The parameters `presult` and `parg` and their members are not checked prior to the division operation. As a result, a floating point exception (SIGFPE) occurs when `parg->value` is zero and `presult->value` is divided by it.

```c
void opdiv(struct result* presult, struct result* parg)
{
  presult->flags |= parg->flags;
  checktype(presult, L_ABSOLUTE);
  checktype(parg, L_ABSOLUTE);
  presult->value /= parg->value;  /* no check that parg->value is non-zero */
}
```

### Affected versions

- 1.8-3 (as of writing, the current version) available on the Ubuntu package manager.
- Versions compiled from commit `932f3293f96f36bfe32f8d8d70a5ba693d3b3193` and below.

### Minimum Viable Patch

A patch was submitted to the maintainer and merged into the source repository with [merge request #7][crasm-pr], containing the diff below. The version installed with Ubuntu (22.10 and 22.04) remains vulnerable as of writing.

```diff
diff --git a/src/operator.c b/src/operator.c
index a28ac88..e589756 100644
--- a/src/operator.c
+++ b/src/operator.c
@@ -412,7 +412,10 @@ void opdiv(struct result* presult, struct result* parg)
   presult->flags |= parg->flags;
   checktype(presult, L_ABSOLUTE);
   checktype(parg, L_ABSOLUTE);
-  presult->value /= parg->value;
+  if (parg->value != 0)
+  {
+    presult->value /= parg->value;
+  }
 }
 
 void oprlist(struct result* presult, struct result* parg)
```

### Recommended Common Vulnerability Score

- Overall: 1.6
- CVSS Base Score: 1.7
- Impact Subscore: 1.4
- Exploitability Subscore: 0.3

## Validation

To validate the existence of the floating point exception, use the included test case to cause a fault. The file is passed in as the first argument to the program.

```shell
$ lsb_release -rd
Description:    Ubuntu 22.04.1 LTS
Release:        22.04

# Using apt
$ apt update
$ apt install crasm
$ apt list | grep crasm
crasm/jammy,now 1.8-3 amd64 [installed]
$ crasm /517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
Pass #1
Floating point exception

# Using git
$ apt install git make clang
$ git clone https://github.com/colinbourassa/crasm.git
$ cd crasm
$ git checkout 932f3293f96f36bfe32f8d8d70a5ba693d3b3193
$ CC=clang make
8 warnings generated.
clang -O -Wall -c -o cpuz80.o cpuz80.c
clang -O -Wall -o crasm crasm.o stdvocabulary.o pseudos.o macro.o label.o parse.o filter.o operator.o output.o xref.o scode.o cpulist.o cpu6800.o cpu6502.o cpuz80.o -lm
done
make[1]: Leaving directory '/crasm/src'
$ ./src/crasm /517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
Pass #1
Floating point exception
```

### Backtrace

Observe the exception with `lldb`'s backtrace.

```text
$ lldb -- ./crasm ./517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
(lldb) target create "./crasm"
Current executable set to '/crasm/src/crasm' (x86_64).
(lldb) settings set -- target.run-args  "./517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62"
(lldb) r
Process 2564 launched: '/crasm/src/crasm' (x86_64)
Pass #1
Process 2564 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_ARITHMETIC (code=EXC_I386_DIV, subcode=0x0)
    frame #0: 0x00000001000078f4 crasm`opdiv(presult=0x0000000100017468, parg=0x00007ff7bfefefa0) at operator.c:415:18
   412 	  presult->flags |= parg->flags;
   413 	  checktype(presult, L_ABSOLUTE);
   414 	  checktype(parg, L_ABSOLUTE);
-> 415 	  presult->value /= parg->value;
   416 	}
   417 	
   418 	void oprlist(struct result* presult, struct result* parg)
Target 0: (crasm) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_ARITHMETIC (code=EXC_I386_DIV, subcode=0x0)
  * frame #0: 0x00000001000078f4 crasm`opdiv(presult=0x0000000100017468, parg=0x00007ff7bfefefa0) at operator.c:415:18
    frame #1: 0x0000000100006455 crasm`parse2(expr="ed/maica", presult=0x0000000100017468) at parse.c:152:7
    frame #2: 0x00000001000062b4 crasm`parse(expr="ed/maica") at parse.c:233:3
    frame #3: 0x0000000100009357 crasm`findmode(oper="aciam/de", pvalue=0x00007ff7bfeff068) at cpu6800.c:99:11
    frame #4: 0x0000000100009214 crasm`standard(code=202, label=0x0000000000000000, mnemo="orab", oper="aciam/de") at cpu6800.c:163:9
    frame #5: 0x0000000100002d3c crasm`asmline(s="orab aciam/de", status=3) at crasm.c:562:7
    frame #6: 0x0000000100002781 crasm`pass(n=1) at crasm.c:274:9
    frame #7: 0x0000000100002460 crasm`crasm(flag=138) at crasm.c:180:3
    frame #8: 0x0000000100002262 crasm`main(argc=0, argv=0x00007ff7bfeff440) at crasm.c:147:5
    frame #9: 0x00007ff812381310 dyld`start + 2432
```

[crasm-ubuntu]: https://packages.ubuntu.com/kinetic/crasm
[crasm-github]: https://github.com/colinbourassa/crasm
[5471a9f]: https://github.com/colinbourassa/crasm/commit/5471a9f991fa795a1e86568cf5b4433e6c169047

** Affects: crasm (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: jammy kinetic

-- 
Floating Point Exception in
User Input
https://bugs.launchpad.net/bugs/2000021

You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
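Review bot: the guard added to `opdiv` in the operator.c hunk above (`+ if (parg->value != 0)`) makes the function silently skip the division when the divisor is 0, so `presult->value` keeps the dividend and assembly continues with no diagnostic; the crash is gone, but the user never learns that an expression such as `aciam/de` from the backtrace could not be evaluated and the line is assembled with an unintended value. Suggest adding an `else` branch that reports a divide-by-zero error for the current source line and marks the result invalid, so the faulty expression is surfaced instead of being assembled quietly.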
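The merged patch stops the zero-divisor trap but reports nothing and leaves the other case in which signed integer division raises SIGFPE on x86 (the most negative value divided by -1) untouched. As an added illustration, not crasm's code or the patch above, `opdiv_checked` below rejects both cases and returns a status the caller can turn into an assembler error; the two-member `struct result` layout, the `long` type of `value`, and the `divide_literal` wrapper are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for crasm's struct result (assumed layout: only the two members
 * used by opdiv are modelled, and value is assumed to be a signed long). */
struct result {
    unsigned flags;
    long value;
};

/* Sentinel returned by divide_literal() when the division is rejected. */
#define DIV_ERROR LONG_MAX

/* Hardened opdiv: returns false and leaves *presult untouched when the
 * division cannot be performed, so the caller can report an assembler
 * error instead of silently carrying a stale value into the next pass. */
bool opdiv_checked(struct result *presult, const struct result *parg)
{
    /* Zero divisor: the SIGFPE reported in the bug. */
    if (parg->value == 0)
        return false;
    /* LONG_MIN / -1 overflows; the x86 idiv instruction traps on this case
     * as well, so a zero check alone does not remove every SIGFPE. */
    if (presult->value == LONG_MIN && parg->value == -1)
        return false;
    presult->flags |= parg->flags;
    presult->value /= parg->value;
    return true;
}

/* Evaluate the constructed expression "a / b" as crasm's parser would hand it
 * to opdiv; returns the quotient, or DIV_ERROR if the operands were rejected. */
long divide_literal(long a, long b)
{
    struct result lhs = { 0, a };
    struct result rhs = { 0, b };
    if (!opdiv_checked(&lhs, &rhs))
        return DIV_ERROR;
    return lhs.value;
}

int main(void)
{
    /* Mirrors "orab aciam/de" from the backtrace, where the symbol after
     * '/' resolved to zero: the hardened path reports instead of trapping. */
    printf("10/2        -> %ld\n", divide_literal(10, 2));
    printf("7/0         -> %s\n", divide_literal(7, 0) == DIV_ERROR ? "error" : "ok");
    printf("LONG_MIN/-1 -> %s\n", divide_literal(LONG_MIN, -1) == DIV_ERROR ? "error" : "ok");
    return 0;
}
```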