GNU bug report logs - #20998
Out of bounds global read in shred / genpattern()


Package: coreutils;

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Mon, 6 Jul 2015 23:43:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


Report forwarded to bug-coreutils <at> gnu.org:
bug#20998; Package coreutils. (Mon, 06 Jul 2015 23:43:02 GMT)

Acknowledgement sent to Hanno Böck <hanno <at> hboeck.de>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 06 Jul 2015 23:43:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Hanno Böck <hanno <at> hboeck.de>
To: bug-coreutils <at> gnu.org
Subject: Out of bounds global read in shred / genpattern()
Date: Tue, 7 Jul 2015 01:29:20 +0200
Hi,

There is an out of bounds read error in the function genpattern() in
shred (coreutils 8.23). This issue only appears randomly.

To test:
a) recompile coreutils 8.23 with address sanitizer: ./configure
CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
b) create a test file: touch x
c) run shred multiple times on it with -n 20:
for i in $(seq 1 1000); do src/shred -n 20 x; done

You will see the errors. Here's the output from Address Sanitizer:

==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
    #1 0x4050d9 in do_wipefd src/shred.c:921
    #2 0x406203 in wipefile src/shred.c:1175
    #3 0x406b84 in main src/shred.c:1316
    #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)

0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
  '*.LC49' is ascii string '%s: fstat failed'
0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
==25808==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42

Information forwarded to bug-coreutils <at> gnu.org:
bug#20998; Package coreutils. (Tue, 07 Jul 2015 00:46:02 GMT)

Message #8 received at 20998 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Hanno Böck <hanno <at> hboeck.de>, 
 20998 <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Tue, 07 Jul 2015 01:45:20 +0100
On 07/07/15 00:29, Hanno Böck wrote:
> Hi,
> 
> There is an out of bounds read error in the function genpattern() in
> shred (coreutils 8.23). This issue only appears randomly.
> 
> To test:
> a) recompile coreutils 8.23 with address sanitizer: ./configure
> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
> b) create a test file: touch x
> c) run shred multiple times on it with -n 20:
> for i in $(seq 1 1000); do src/shred -n 20 x; done
> 
> You will see the errors. Here's the output from Address Sanitizer:
> 
> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
> READ of size 4 at 0x000000416628 thread T0
>     #0 0x40479f in genpattern src/shred.c:782
>     #1 0x4050d9 in do_wipefd src/shred.c:921
>     #2 0x406203 in wipefile src/shred.c:1175
>     #3 0x406b84 in main src/shred.c:1316
>     #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
>     #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)
> 
> 0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
>   '*.LC49' is ascii string '%s: fstat failed'
> 0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern


Nice one!

It looks like the restriction to the k patterns available
was lost with v5.92-1462-g65533e1 and that this should
fix it up.

diff --git a/src/shred.c b/src/shred.c
index 63bcd6f..74f7ad9 100644
--- a/src/shred.c
+++ b/src/shred.c
@@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
                   n--;
                 }
               p++;
+              k--;
             }
           while (n);
           break;
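
Review bot: The added `k--` after `p++` keeps k in step with the cursor, but the loop still exits only on `while (n)`, so the bound on p depends entirely on the selection test above this hunk seeing the reduced k. It would be worth confirming that the test forces a pick once n equals the remaining k, so that n reaches zero before p leaves the current group, and that k cannot be decremented to zero or below while n is still nonzero.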

thanks!
Pádraig.
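
The effect of the missing decrement, as an added example that is not part of the thread and is not shred's source: a simplified model of a pick-n-of-k selection loop run with and without the `k--` from the hunk. The table `group`, the xorshift PRNG, the selection test and all function names are assumptions made for illustration; reads past the table are counted rather than performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one group of K candidate patterns. */
static const int group[] = { 0x111, 0x222, 0x333, 0x444, 0x555, 0x666 };
enum { K = sizeof group / sizeof group[0] };

/* xorshift32: small deterministic PRNG so every run is reproducible. */
static uint32_t rng_below (uint32_t *st, uint32_t bound)
{
  *st ^= *st << 13; *st ^= *st >> 17; *st ^= *st << 5;
  return *st % bound;
}

/* Pick n of the K entries (1 <= n <= K).  Returns how many selections
   landed past the end of group[]; those reads are counted, not made.  */
static size_t pick_n_of_k (int *dest, size_t n, int decrement_k, uint32_t seed)
{
  size_t i = 0, oob = 0;
  int k = K;                      /* candidates not yet considered */
  do
    {
      if (n == (size_t) k || rng_below (&seed, (uint32_t) k) < n)
        {
          if (i < (size_t) K) *dest++ = group[i]; else oob++;
          n--;
        }
      i++;                        /* corresponds to the hunk's p++ */
      if (decrement_k)
        k--;                      /* corresponds to the added k-- */
    }
  while (n);
  return oob;
}

/* Number of seeds in 1..seeds for which a 3-of-K pick overran the table. */
static unsigned runs_with_overrun (int decrement_k, uint32_t seeds)
{
  int out[K];
  unsigned bad = 0;
  for (uint32_t s = 1; s <= seeds; s++)
    bad += pick_n_of_k (out, 3, decrement_k, s) != 0;
  return bad;
}

int main (void)
{
  printf ("stale k:  %u/1000 runs overran\n", runs_with_overrun (0, 1000));
  printf ("with k--: %u/1000 runs overran\n", runs_with_overrun (1, 1000));
  return 0;
}
```

With k held constant the pick probability never rises to certainty, so whether the cursor leaves the table depends on the random draws, which matches the report that the error only appears on some runs.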




Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Tue, 07 Jul 2015 02:30:06 GMT)

Notification sent to Hanno Böck <hanno <at> hboeck.de>:
bug acknowledged by developer. (Tue, 07 Jul 2015 02:30:07 GMT)

Message #13 received at 20998-done <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Hanno Böck <hanno <at> hboeck.de>, 20998-done <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Tue, 07 Jul 2015 03:28:32 +0100
On 07/07/15 01:45, Pádraig Brady wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer

> Nice one!
> 
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
> 
> diff --git a/src/shred.c b/src/shred.c
> index 63bcd6f..74f7ad9 100644
> --- a/src/shred.c
> +++ b/src/shred.c
> @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
>                    n--;
>                  }
>                p++;
> +              k--;
>              }
>            while (n);
>            break;
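
Review bot: The `k--` line carries no comment, and the message quoted above says this restriction was already lost once in an earlier change. A short comment beside it, stating that k counts the patterns left in the current group and must shrink with every `p++`, would make the invariant visible to the next refactor.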

Attached is the full patch including a test.
Marking this as done.

thanks!
Pádraig.
[shred-patterns.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#20998; Package coreutils. (Tue, 07 Jul 2015 02:31:01 GMT)

Message #16 received at 20998 <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Pádraig Brady <P <at> draigBrady.com>, Hanno Böck <hanno <at> hboeck.de>, 20998 <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Mon, 06 Jul 2015 19:30:33 -0700
Pádraig Brady wrote:
> Nice one!

Yes, very nice.

> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.

And thanks for the fix; it looks good to me too.




Information forwarded to bug-coreutils <at> gnu.org:
bug#20998; Package coreutils. (Tue, 07 Jul 2015 02:57:01 GMT)

Message #19 received at 20998 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Pádraig Brady <P <at> draigbrady.com>
Cc: Hanno Böck <hanno <at> hboeck.de>, 20998 <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Mon, 6 Jul 2015 19:56:26 -0700
On Mon, Jul 6, 2015 at 5:45 PM, Pádraig Brady <P <at> draigbrady.com> wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer: ./configure
>> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
>> b) create a test file: touch x
>> c) run shred multiple times on it with -n 20:
>> for i in $(seq 1 1000); do src/shred -n 20 x; done
>>
>> You will see the errors. Here's the output from Address Sanitizer:
>>
>> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
>> READ of size 4 at 0x000000416628 thread T0
...
>> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
>
>
> Nice one!
>
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
>
> diff --git a/src/shred.c b/src/shred.c
> index 63bcd6f..74f7ad9 100644
> --- a/src/shred.c
> +++ b/src/shred.c
> @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
>                    n--;
>                  }
>                p++;
> +              k--;

Nice one, indeed.  Thanks to both of you!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 04 Aug 2015 11:24:05 GMT)

This bug report was last modified 8 years and 290 days ago.
