GNU bug report logs - #25003
Bug in SPLIT utility


Package: coreutils;

Reported by: Marcel Böhme <boehme.marcel <at> gmail.com>

Date: Wed, 23 Nov 2016 16:30:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.




Report forwarded to bug-coreutils <at> gnu.org:
bug#25003; Package coreutils. (Wed, 23 Nov 2016 16:30:02 GMT)

Acknowledgement sent to Marcel Böhme <boehme.marcel <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Wed, 23 Nov 2016 16:30:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marcel Böhme <boehme.marcel <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Bug in SPLIT utility
Date: Wed, 23 Nov 2016 21:22:30 +0800
Dear all,

We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
We’ll be reporting each found bug separately.

On Coreutils v8.25 and trunk, the following input crashes.
Option -n was introduced with v8.8.

$ ./split -n7/75 7
Segmentation fault

ASAN says:
=================================================================
==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
    #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
    #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
    #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
    #3 0x404d12 in main ../src/split.c:1625
    #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)

0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
allocated by thread T0 here:
    #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove

Best regards,
- Marcel



Information forwarded to bug-coreutils <at> gnu.org:
bug#25003; Package coreutils. (Wed, 23 Nov 2016 17:32:01 GMT)

Message #8 received at 25003 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Marcel Böhme <boehme.marcel <at> gmail.com>
Cc: 25003 <at> debbugs.gnu.org
Subject: Re: bug#25003: Bug in SPLIT utility
Date: Wed, 23 Nov 2016 09:30:59 -0800
On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme <boehme.marcel <at> gmail.com> wrote:
> Dear all,
>
> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
> We’ll be reporting each found bug separately.
>
> On Coreutils v8.25 and trunk, the following input crashes.
> Option -n was introduced with v8.8.
>
> $ ./split -n7/75 7
> Segmentation fault
>
> ASAN says:
> =================================================================
> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>     #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>     #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>     #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>     #3 0x404d12 in main ../src/split.c:1625
>     #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>
> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
> allocated by thread T0 here:
>     #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>     #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>
> SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove

Thank you for the report.
Would you please provide the contents of your file named "7"?




Information forwarded to bug-coreutils <at> gnu.org:
bug#25003; Package coreutils. (Wed, 23 Nov 2016 22:17:03 GMT)

Message #11 received at 25003 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>, Marcel Böhme <boehme.marcel <at> gmail.com>
Cc: 25003 <at> debbugs.gnu.org
Subject: Re: bug#25003: Bug in SPLIT utility
Date: Wed, 23 Nov 2016 22:16:40 +0000
On 23/11/16 17:30, Jim Meyering wrote:
> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme <boehme.marcel <at> gmail.com> wrote:
>> Dear all,
>>
>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>> We’ll be reporting each found bug separately.
>>
>> On Coreutils v8.25 and trunk, the following input crashes.
>> Option -n was introduced with v8.8.
>>
>> $ ./split -n7/75 7
>> Segmentation fault
>>
>> ASAN says:
>> =================================================================
>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>>     #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>>     #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>>     #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>>     #3 0x404d12 in main ../src/split.c:1625
>>     #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>     #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>
>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
>> allocated by thread T0 here:
>>     #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>>     #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>
>> SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
> 
> Thank you for the report.
> Would you please provide the contents of your file named "7"?

That's immaterial I think. I can reproduce with:
  src/split -n2/3 /dev/null
I'll dig into these
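The AddressSanitizer line in the original report, "negative-size-param: (size=-6)", means memmove received a size_t that had wrapped around: a length computed by subtracting an offset from a byte count went below zero, and ASAN prints that wrapped value as a signed number. The following is an added illustration written for this page; it is not coreutils' split.c and not the patch Pádraig attached (which is not reproduced here). It models a -n K/N chunk offset derived from a claimed input size, shows how the unguarded subtraction "bytes buffered minus chunk start" wraps when fewer bytes were actually read than the offset assumes (the empty-input case from the src/split -n2/3 /dev/null reproducer is the extreme of that), and shows a guard that refuses instead of calling memmove. All function names and the sample sizes below are constructed.

```c
/* Added example (not coreutils code): a model of the arithmetic behind an
   AddressSanitizer "negative-size-param" report.  A size_t length that went
   below zero has wrapped around; ASAN prints its signed value (here -6).
   The helpers and the sample sizes are constructed for illustration.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte range [start, end) of chunk K of N over SIZE bytes, following the
   documented split -n K/N layout: N-1 chunks of SIZE / N bytes, and the
   last chunk takes whatever is left.  */
static void
chunk_bounds (uintmax_t k, uintmax_t n, uintmax_t size,
              uintmax_t *start, uintmax_t *end)
{
  *start = (k - 1) * (size / n);
  *end = (k == n) ? size : k * (size / n);
}

/* The unguarded step: AVAIL bytes are buffered and the code wants to move
   everything from offset START to the front, so it computes AVAIL - START.
   Both operands are unsigned, so START > AVAIL silently wraps; for
   AVAIL = 0 and START = 6 the result is (size_t) -6, which ASAN reports
   as "size=-6".  */
static size_t
unguarded_move_len (size_t avail, uintmax_t start)
{
  return (size_t) (avail - start);
}

/* Guarded version: move the buffered bytes of chunk K of N to the front of
   BUF.  CLAIMED_SIZE is what the caller believes the input size is (for
   example from stat), AVAIL is how many bytes were actually read.  Returns
   false rather than ever handing memmove a wrapped length.  */
static bool
extract_chunk (char *buf, size_t avail, uintmax_t k, uintmax_t n,
               uintmax_t claimed_size, size_t *out_len)
{
  uintmax_t start, end;

  if (k == 0 || n == 0 || k > n)
    return false;
  chunk_bounds (k, n, claimed_size, &start, &end);

  /* The bytes before START were never read: AVAIL - START would wrap.  */
  if (start > avail)
    return false;

  size_t len = avail - start;          /* cannot wrap: start <= avail */
  if (end - start < len)               /* never return more than the chunk */
    len = end - start;
  memmove (buf, buf + start, len);     /* len is now a sane byte count */
  *out_len = len;
  return true;
}

/* One constructed scenario: a buffer holding "abcdefghi", of which AVAIL
   bytes count as read.  Returns the first byte of the extracted chunk,
   0 for an empty chunk, or -1 when the guard refuses.  */
static int
first_byte_of_chunk (size_t avail, uintmax_t k, uintmax_t n,
                     uintmax_t claimed_size)
{
  char buf[16] = "abcdefghi";          /* constructed sample input */
  size_t len;
  if (!extract_chunk (buf, avail, k, n, claimed_size, &len))
    return -1;
  return len ? (unsigned char) buf[0] : 0;
}

/* Same scenario, returning the extracted length or -1 on refusal.  */
static intmax_t
len_of_chunk (size_t avail, uintmax_t k, uintmax_t n, uintmax_t claimed_size)
{
  char buf[16] = "abcdefghi";          /* constructed sample input */
  size_t len;
  if (!extract_chunk (buf, avail, k, n, claimed_size, &len))
    return -1;
  return (intmax_t) len;
}

int
main (void)
{
  printf ("unguarded 0 - 6 as size_t: %zu (ASAN would print -6)\n",
          unguarded_move_len (0, 6));
  printf ("guarded, chunk 3/3 of a claimed 9 bytes with nothing read: %d\n",
          first_byte_of_chunk (0, 3, 3, 9));
  printf ("guarded, chunk 2/3 of 9 read bytes: first byte '%c', len %jd\n",
          first_byte_of_chunk (9, 2, 3, 9), len_of_chunk (9, 2, 3, 9));
  printf ("guarded, chunk 2/3 of an empty input: len %jd\n",
          len_of_chunk (0, 2, 3, 0));
  return 0;
}
```

The guard is the whole point: once the code checks that the chunk start lies within the bytes actually buffered, the subtraction cannot wrap, and an empty input (claimed size 0, nothing read) yields an empty chunk instead of a wrapped memmove length.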




Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Thu, 24 Nov 2016 00:22:01 GMT)

Notification sent to Marcel Böhme <boehme.marcel <at> gmail.com>:
bug acknowledged by developer. (Thu, 24 Nov 2016 00:22:02 GMT)

Message #16 received at 25003-done <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>, Marcel Böhme <boehme.marcel <at> gmail.com>
Cc: 25003-done <at> debbugs.gnu.org
Subject: Re: bug#25003: Bug in SPLIT utility
Date: Thu, 24 Nov 2016 00:21:24 +0000
On 23/11/16 22:16, Pádraig Brady wrote:
> On 23/11/16 17:30, Jim Meyering wrote:
>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme <boehme.marcel <at> gmail.com> wrote:
>>> Dear all,
>>>
>>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>>> We’ll be reporting each found bug separately.
>>>
>>> On Coreutils v8.25 and trunk, the following input crashes.
>>> Option -n was introduced with v8.8.
>>>
>>> $ ./split -n7/75 7
>>> Segmentation fault
>>>
>>> ASAN says:
>>> =================================================================
>>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>>>     #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>>>     #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>>>     #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>>>     #3 0x404d12 in main ../src/split.c:1625
>>>     #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>>     #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>>
>>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
>>> allocated by thread T0 here:
>>>     #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>>>     #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>>
>>> SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
>>
>> Thank you for the report.
>> Would you please provide the contents of your file named "7"?
> 
> That's immaterial I think. I can reproduce with:
>   src/split -n2/3 /dev/null
> I'll dig into these

Patch attached.

thanks!
Pádraig
[split-n-corruption.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#25003; Package coreutils. (Thu, 24 Nov 2016 01:35:01 GMT)

Message #19 received at 25003-done <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Pádraig Brady <P <at> draigbrady.com>
Cc: Marcel Böhme <boehme.marcel <at> gmail.com>, 25003-done <at> debbugs.gnu.org
Subject: Re: bug#25003: Bug in SPLIT utility
Date: Wed, 23 Nov 2016 17:34:29 -0800
On Wed, Nov 23, 2016 at 4:21 PM, Pádraig Brady <P <at> draigbrady.com> wrote:
> On 23/11/16 22:16, Pádraig Brady wrote:
>> On 23/11/16 17:30, Jim Meyering wrote:
>>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme <boehme.marcel <at> gmail.com> wrote:
>>>> Dear all,
>>>>
>>>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>>>> We’ll be reporting each found bug separately.
>>>>
>>>> On Coreutils v8.25 and trunk, the following input crashes.
>>>> Option -n was introduced with v8.8.
>>>>
>>>> $ ./split -n7/75 7
>>>> Segmentation fault
>>>>
>>>> ASAN says:
>>>> =================================================================
>>>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>>>>     #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>>>>     #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>>>>     #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>>>>     #3 0x404d12 in main ../src/split.c:1625
>>>>     #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>>>     #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>>>
>>>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
>>>> allocated by thread T0 here:
>>>>     #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>>>>     #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>>>
>>>> SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
>>>
>>> Thank you for the report.
>>> Would you please provide the contents of your file named "7"?
>>
>> That's immaterial I think. I can reproduce with:
>>   src/split -n2/3 /dev/null
>> I'll dig into these

Looks perfect.
Thanks!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Dec 2016 12:24:03 GMT)

This bug report was last modified 7 years and 124 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.