[Bug 2000021] [NEW] Floating Point Exception in User Input

[Launchpad Bug Tracker]

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

# Floating Point Exception

## Overview

As a result of invalid input validation (CWE-233: Improper Handling of
Parameters), specific files passed to the command line application,
`crasm`, can lead to a divide by zero fault (CWE-369: Divide By Zero) in
the function `opdiv`.

## About

`crasm` is a command line utility available on the Ubuntu package
manager and [GitHub][crasm-github] which assembles code for the 6800,
6801, 6803, 6502, 65C02, and Z80. At the time of writing, the current
version is 1.8-3 on Ubuntu and commit [5471a9f][5471a9f] on GitHub.

## Vulnerability

The parameter `presult` and it's members are not checked prior to a
division operation. As a result a floating point exception will occur
with `value` is zero and subsequently divided by itself.

```C
void opdiv(struct result* presult, struct result* parg)
{
  presult->flags |= parg->flags;
  checktype(presult, L_ABSOLUTE);
  checktype(parg, L_ABSOLUTE);
  presult->value /= parg->value;
}
```

### Affected versions

- 1.8-3 (as of writing, the current version) available on the Ubuntu package 
manager.
- Versions compiled from commit `932f3293f96f36bfe32f8d8d70a5ba693d3b3193` and 
below.

### Minimum Viable Patch

A patch was submitted to the maintainer and merged into the source
repository with [merge request #7][crasm-pr] containing the patch below.
The version installed with Ubuntu (22.10 and 22.04) remain vulnerable as
of writing.

```c
diff --git a/src/operator.c b/src/operator.c
index a28ac88..e589756 100644
--- a/src/operator.c
+++ b/src/operator.c
@@ -412,7 +412,10 @@ void opdiv(struct result* presult, struct result* parg)
   presult->flags |= parg->flags;
   checktype(presult, L_ABSOLUTE);
   checktype(parg, L_ABSOLUTE);
-  presult->value /= parg->value;
+  if (parg->value != 0)
+  {
+    presult->value /= parg->value;
+  }
 }

 void oprlist(struct result* presult, struct result* parg)
```

### Recommended Common Vulnerability Score

- Overall: 1.6
  - CVSS Base Score: 1.7
  - Impact Subscore: 1.4
  - Exploitability Subscore: 0.3

## Validation:

To validate the existence of the floating point exception, use the
include test case to cause a fault. The file is passed in as the first
argument to the program.

```shell
$ lsb_release -rd
Description:    Ubuntu 22.04.1 LTS
Release:        22.04

# Using apt
$ apt update
$ apt install crasm
$ apt list | grep crasm
crasm/jammy,now 1.8-3 amd64 [installed]

$ crasm /517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
Pass #1
Floating point exception

# Using git
$ apt install git make clang
$ git clone https://github.com/colinbourassa/crasm.git
$ cd crasm
$ git checkout 932f3293f96f36bfe32f8d8d70a5ba693d3b3193
$ CC=clang make
8 warnings generated.
clang -O -Wall   -c -o cpuz80.o cpuz80.c
clang -O -Wall  -o crasm crasm.o stdvocabulary.o pseudos.o macro.o label.o 
parse.o filter.o operator.o output.o xref.o scode.o cpulist.o cpu6800.o 
cpu6502.o cpuz80.o -lm
done
make[1]: Leaving directory '/crasm/src'

./src/crasm /517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
Pass #1
Floating point exception
```

### Backtrace

Observe the exception with `lldb`'s backtrace.

```text
$ lldb -- ./crasm 
./517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62
(lldb) target create "./crasm"
Current executable set to '/crasm/src/crasm' (x86_64).
(lldb) settings set -- target.run-args  
"./517d1b402d585fdb0458f96802a616419b9112bdc119a2393c35e034576a0c62"
(lldb) r
Process 2564 launched: '/crasm/src/crasm' (x86_64)
Pass #1
Process 2564 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_ARITHMETIC 
(code=EXC_I386_DIV, subcode=0x0)
    frame #0: 0x00000001000078f4 crasm`opdiv(presult=0x0000000100017468, 
parg=0x00007ff7bfefefa0) at operator.c:415:18
   412    presult->flags |= parg->flags;
   413    checktype(presult, L_ABSOLUTE);
   414    checktype(parg, L_ABSOLUTE);
-> 415    presult->value /= parg->value;
   416  }
   417
   418  void oprlist(struct result* presult, struct result* parg)
Target 0: (crasm) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_ARITHMETIC 
(code=EXC_I386_DIV, subcode=0x0)
  * frame #0: 0x00000001000078f4 crasm`opdiv(presult=0x0000000100017468, 
parg=0x00007ff7bfefefa0) at operator.c:415:18
    frame #1: 0x0000000100006455 crasm`parse2(expr="ed/maica", 
presult=0x0000000100017468) at parse.c:152:7
    frame #2: 0x00000001000062b4 crasm`parse(expr="ed/maica") at parse.c:233:3
    frame #3: 0x0000000100009357 crasm`findmode(oper="aciam/de", 
pvalue=0x00007ff7bfeff068) at cpu6800.c:99:11
    frame #4: 0x0000000100009214 crasm`standard(code=202, 
label=0x0000000000000000, mnemo="orab", oper="aciam/de") at cpu6800.c:163:9
    frame #5: 0x0000000100002d3c crasm`asmline(s="orab aciam/de", status=3) at 
crasm.c:562:7
    frame #6: 0x0000000100002781 crasm`pass(n=1) at crasm.c:274:9
    frame #7: 0x0000000100002460 crasm`crasm(flag=138) at crasm.c:180:3
    frame #8: 0x0000000100002262 crasm`main(argc=0, argv=0x00007ff7bfeff440) at 
crasm.c:147:5
    frame #9: 0x00007ff812381310 dyld`start + 2432
```

[crasm-ubuntu]: https://packages.ubuntu.com/kinetic/crasm
[crasm-github]: https://github.com/colinbourassa/crasm
[5471a9f]: 
https://github.com/colinbourassa/crasm/commit/5471a9f991fa795a1e86568cf5b4433e6c169047

** Affects: crasm (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: jammy kinetic
-- 
Floating Point Exception in User Input
https://bugs.launchpad.net/bugs/2000021
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs