GNU bug report logs - #28860
Segmentation fault with out-of-bound read in 'b2sum'


Package: coreutils;

Reported by: Jaeseung Choi <jschoi17 <at> kaist.ac.kr>

Date: Mon, 16 Oct 2017 07:14:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#28860; Package coreutils. (Mon, 16 Oct 2017 07:14:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jaeseung Choi <jschoi17 <at> kaist.ac.kr>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 16 Oct 2017 07:14:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jaeseung Choi <jschoi17 <at> kaist.ac.kr>
To: bug-coreutils <at> gnu.org
Subject: Segmentation fault with out-of-bound read in 'b2sum'
Date: Mon, 16 Oct 2017 10:04:20 +0900
Dear GNU team,

While testing coreutils for research purposes, we found the following
segfault in 'b2sum'. Running b2sum with the --check option, and simply
providing a string "BLAKE2" with no trailing character, causes the
crash shown below.

jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
jason <at> ubuntu:~$ cd coreutils-8.28/
jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
jason <at> ubuntu:~/coreutils-8.28$ cd obj
jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/b2sum -q
Reading symbols from ./src/b2sum...done.
(gdb) run --check <<< BLAKE2
Starting program: /home/jason/coreutils-8.28/obj/src/b2sum --check <<< BLAKE2

Program received signal SIGSEGV, Segmentation fault.
split_3 (file_name=<synthetic pointer>, binary=<synthetic pointer>,
hex_digest=<synthetic pointer>, s_len=<optimized out>, s=0x60dfe0
"BLAKE2") at ../src/md5sum.c:433
433           while (! ISWHITE (s[i]) && s[i] != '-' && s[i] != '(')
(gdb) x/i $rip
=> 0x401d0e <main+1262>:        movzbl (%r12,%rbx,1),%ebp
(gdb) info reg r12 rbx
r12            0x60dfe0 6348768
rbx            0x20020  131104
(gdb)

We could reproduce the bug in coreutils from version 8.26 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1,
but the b2sum program pre-built in Debian 9.1 did not crash with this
input. We assume it is due to a difference in the configuration before
build.

Please let us know if you have any problem reproducing the bug.

Thank you.

Sincerely,
Jaeseung


Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Mon, 16 Oct 2017 08:09:01 GMT) Full text and rfc822 format available.

Notification sent to Jaeseung Choi <jschoi17 <at> kaist.ac.kr>:
bug acknowledged by developer. (Mon, 16 Oct 2017 08:09:02 GMT) Full text and rfc822 format available.

Message #10 received at 28860-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Jaeseung Choi <jschoi17 <at> kaist.ac.kr>, 28860-done <at> debbugs.gnu.org
Subject: Re: bug#28860: Segmentation fault with out-of-bound read in 'b2sum'
Date: Mon, 16 Oct 2017 01:08:05 -0700
On 15/10/17 18:04, Jaeseung Choi wrote:
> Dear GNU team,
> 
> While testing coreutils for research purposes, we found the following
> segfault in 'b2sum'. Running b2sum with the --check option, and simply
> providing a string "BLAKE2" with no trailing character, causes the
> crash shown below.

Wow thanks! Were you fuzzing the inputs?
Can you give more details on your testing?

The attached should fix this case.

thanks!
Pádraig

[b2sum-crash.patch (text/x-patch, attachment)]
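The backtrace in the report points at the defect class: the scan at md5sum.c:433 advances `i` while `s[i]` is not whitespace, '-' or '(', and for the six-byte input "BLAKE2" nothing after the prefix is a stop character (the terminating NUL is not one either), so `i` ran to 0x20020 before the read hit an unmapped page. The example below is added here and is neither coreutils' code nor the patch attached to this reply (which is not reproduced on this page); it is a bounds-checked scanner for the same kind of "BLAKE2[b][-<bits>]" tag, in which every index is tested against the buffer length before it is dereferenced. The function names, the status codes, the "-<bits>" handling and the wrapper helpers are all assumptions of this example, and the inputs in main() are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the tag scanner (an assumption of this example, not a
   coreutils interface). */
enum tag_status
{
  TAG_NONE = 0,        /* line does not start with "BLAKE2": untagged "hex  file" form */
  TAG_OK = 1,          /* tag parsed; *end indexes the delimiter after the tag */
  TAG_TRUNCATED = -1,  /* "BLAKE2..." runs to the end of the buffer with no delimiter */
  TAG_MALFORMED = -2   /* "-<bits>" suffix empty, non-numeric or out of range */
};

static int is_white (unsigned char c)
{
  return c == ' ' || c == '\t';
}

/* Scan the optional "BLAKE2[b][-<bits>]" tag at the start of a --check line.
   s need not be NUL-terminated: no byte is read unless its index is < s_len.
   On TAG_OK, *bits is the digest length in bits (512 when no suffix) and
   *end is the index of the delimiter (' ', '\t' or '(') that follows the tag. */
enum tag_status
scan_blake2_tag (const char *s, size_t s_len, unsigned *bits, size_t *end)
{
  static const char prefix[] = "BLAKE2";
  const size_t plen = sizeof prefix - 1;
  size_t i;

  if (s_len < plen || memcmp (s, prefix, plen) != 0)
    return TAG_NONE;

  /* The reported crash is a loop of this shape without the i < s_len test:
     with "BLAKE2" nothing after the prefix matched a stop character, so the
     index kept growing until the read faulted.  Here the length check runs
     first and a tag that ends at the buffer end is reported, not overrun. */
  for (i = plen; i < s_len; i++)
    if (is_white ((unsigned char) s[i]) || s[i] == '-' || s[i] == '(')
      break;
  if (i == s_len)
    return TAG_TRUNCATED;

  *bits = 512;
  if (s[i] == '-')
    {
      /* Bounded decimal parse; stop as soon as the value exceeds the largest
         BLAKE2b digest so a long run of digits cannot overflow 'v'. */
      unsigned v = 0;
      size_t j = i + 1;
      while (j < s_len && isdigit ((unsigned char) s[j]) && v <= 512)
        v = v * 10 + (unsigned) (s[j++] - '0');
      if (j == i + 1 || j == s_len || v == 0 || v > 512 || v % 8 != 0)
        return TAG_MALFORMED;
      /* j < s_len here, so s[j] is in bounds; it must be a real delimiter. */
      if (!is_white ((unsigned char) s[j]) && s[j] != '(')
        return TAG_MALFORMED;
      *bits = v;
      i = j;
    }
  *end = i;
  return TAG_OK;
}

/* Single-field wrappers for callers (and tests) that need only one result. */
int tag_status_of (const char *s, size_t s_len)
{
  unsigned b = 0; size_t e = 0;
  return scan_blake2_tag (s, s_len, &b, &e);
}
unsigned tag_bits_of (const char *s, size_t s_len)
{
  unsigned b = 0; size_t e = 0;
  return scan_blake2_tag (s, s_len, &b, &e) == TAG_OK ? b : 0;
}
size_t tag_end_of (const char *s, size_t s_len)
{
  unsigned b = 0; size_t e = 0;
  return scan_blake2_tag (s, s_len, &b, &e) == TAG_OK ? e : 0;
}

int
main (void)
{
  /* Constructed input mirroring the report: "BLAKE2" with no trailing
     character, stored without a NUL terminator so that an overrun would be
     caught by a sanitizer instead of being masked by a stray zero byte. */
  const char truncated[6] = { 'B', 'L', 'A', 'K', 'E', '2' };
  const char tagged[] = "BLAKE2b-256 (file) = 0123";

  printf ("truncated -> status %d\n", tag_status_of (truncated, sizeof truncated));
  printf ("tagged    -> status %d, bits %u, delimiter at %zu\n",
          tag_status_of (tagged, strlen (tagged)),
          tag_bits_of (tagged, strlen (tagged)),
          tag_end_of (tagged, strlen (tagged)));
  return 0;
}
```

The scanner deliberately takes an explicit length rather than relying on a terminator: a line read by getline() is NUL-terminated, but a parser that treats the terminator as "just another byte" (as the loop in the backtrace does) gains nothing from it. Building with `-fsanitize=address` and feeding the six-byte array above is a quick way to confirm that no read reaches `s[s_len]`.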

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 13 Nov 2017 12:24:05 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.