GNU bug report logs - #25023
Bug PR utility with -S option


Package: coreutils

Reported by: Marcel Böhme <boehme.marcel <at> gmail.com>

Date: Fri, 25 Nov 2016 02:38:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


Report forwarded to bug-coreutils <at> gnu.org:
bug#25023; Package coreutils. (Fri, 25 Nov 2016 02:38:01 GMT)

Acknowledgement sent to Marcel Böhme <boehme.marcel <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Fri, 25 Nov 2016 02:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marcel Böhme <boehme.marcel <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Bug PR utility with -S option
Date: Fri, 25 Nov 2016 10:36:47 +0800
Dear all,

The following input to PR does not crash the program but ASAN reports a buffer overflow.
The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.

$ echo a > a
$ pr "-S$(printf "\t\t\t")" a -m a > /dev/null

=================================================================
==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
READ of size 1 at 0x00000041b622 thread T0
    #0 0x40506a in print_sep_string ../src/pr.c:2241
    #1 0x407ec4 in read_line ../src/pr.c:2493
    #2 0x40985c in print_page ../src/pr.c:1802
    #3 0x40985c in print_files ../src/pr.c:1618
    #4 0x4036e0 in main ../src/pr.c:1136
    #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x404209  (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)

0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
  '*.LC12' is ascii string '%*d'
0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
  '*.LC11' is ascii string ' '
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Best regards,
- Marcel



Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Fri, 25 Nov 2016 14:11:01 GMT)

Notification sent to Marcel Böhme <boehme.marcel <at> gmail.com>:
bug acknowledged by developer. (Fri, 25 Nov 2016 14:11:01 GMT)

Message #10 received at 25023-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Marcel Böhme <boehme.marcel <at> gmail.com>,
 25023-done <at> debbugs.gnu.org
Subject: Re: bug#25023: Bug PR utility with -S option
Date: Fri, 25 Nov 2016 14:10:21 +0000
On 25/11/16 02:36, Marcel Böhme wrote:
> Dear all,
> 
> The following input to PR does not crash the program but ASAN reports a buffer overflow.
> The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.
> 
> $ echo a > a
> $ pr "-S$(printf "\t\t\t")" a -m a > /dev/null
> 
> =================================================================
> ==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
> READ of size 1 at 0x00000041b622 thread T0
>     #0 0x40506a in print_sep_string ../src/pr.c:2241
>     #1 0x407ec4 in read_line ../src/pr.c:2493
>     #2 0x40985c in print_page ../src/pr.c:1802
>     #3 0x40985c in print_files ../src/pr.c:1618
>     #4 0x4036e0 in main ../src/pr.c:1136
>     #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #6 0x404209  (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)
> 
> 0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
>   '*.LC12' is ascii string '%*d'
> 0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
>   '*.LC11' is ascii string ' '
> SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Fixed in the attached.

thanks!

[pr-S-error.patch (text/x-patch, attachment)]
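
The ASAN report above shows a 1-byte read at offset 2 of the 2-byte literal ' ' after a three-tab -S argument. The C below is an added example, not the contents of pr-S-error.patch and not code from pr.c: it assumes the separator pointer was switched to the short default while the stored length still described the user's string, and it shows that mismatch beside a reset that keeps pointer and length in step. The names sep_state, set_separator, reset_unsafe, reset_safe and reads_past_default, and the guard bytes, are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 2-byte literal " " named in the ASAN report;
   the two guard bytes keep the demonstration's over-read defined. */
static const char sep_storage[4] = { ' ', '\0', '#', '#' };
#define DEFAULT_SEP_SIZE 2

struct sep_state { const char *str; size_t len; };  /* hypothetical state */

static struct sep_state set_separator(const char *arg) {
    struct sep_state s = { arg, strlen(arg) };
    return s;
}

/* Desynchronised reset: pointer moves to the short default, len is stale. */
static void reset_unsafe(struct sep_state *s) {
    if (s->str[0] == '\t')
        s->str = sep_storage;
}

/* Consistent reset: pointer and length change together. */
static void reset_safe(struct sep_state *s) {
    if (s->str[0] == '\t') {
        s->str = sep_storage;
        s->len = 1;
    }
}

/* Walk the separator the way a length-driven output loop does and count
   reads at or beyond the end of the 2-byte default object. */
static size_t reads_past_default(const struct sep_state *s) {
    size_t past = 0;
    if (s->str != sep_storage) return 0;
    for (size_t i = 0; i < s->len && i < sizeof sep_storage; i++) {
        volatile char c = s->str[i]; (void)c;   /* the 1-byte READ */
        if (i >= DEFAULT_SEP_SIZE) past++;
    }
    return past;
}

int main(void) {
    struct sep_state a = set_separator("\t\t\t"), b = a;
    reset_unsafe(&a);
    reset_safe(&b);
    printf("unsafe: %zu  safe: %zu\n", reads_past_default(&a), reads_past_default(&b));
    return 0;
}
```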

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 24 Dec 2016 12:24:04 GMT)

This bug report was last modified 7 years and 96 days ago.
