GNU bug report logs -
#28860
Segmentation fault with out-of-bound read in 'b2sum'
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28860 in the body.
You can then email your comments to 28860 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-coreutils <at> gnu.org
:
bug#28860
; Package
coreutils
.
(Mon, 16 Oct 2017 07:14:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Jaeseung Choi <jschoi17 <at> kaist.ac.kr>
:
New bug report received and forwarded. Copy sent to
bug-coreutils <at> gnu.org
.
(Mon, 16 Oct 2017 07:14:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Dear GNU team,
While testing coreutils for a research purpose, we found the following
segfault in 'b2sum'. Running b2sum with --check option, and simply
providing a string "BLAKE2" with no trailing character raises the
crash as below.
jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
jason <at> ubuntu:~$ cd coreutils-8.28/
jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
jason <at> ubuntu:~/coreutils-8.28$ cd obj
jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/b2sum -q
Reading symbols from ./src/b2sum...done.
(gdb) run --check <<< BLAKE2
Starting program: /home/jason/coreutils-8.28/obj/src/b2sum --check <<< BLAKE2
Program received signal SIGSEGV, Segmentation fault.
split_3 (file_name=<synthetic pointer>, binary=<synthetic pointer>,
hex_digest=<synthetic pointer>, s_len=<optimized out>, s=0x60dfe0
"BLAKE2") at ../src/md5sum.c:433
433 while (! ISWHITE (s[i]) && s[i] != '-' && s[i] != '(')
(gdb) x/i $rip
=> 0x401d0e <main+1262>: movzbl (%r12,%rbx,1),%ebp
(gdb) info reg r12 rbx
r12 0x60dfe0 6348768
rbx 0x20020 131104
(gdb)
We could reproduce the bug in coreutils from version 8.26 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1,
but the b2sum program pre-built in Debian 9.1 did not crash with this
input. We assume it is due to a difference in the configuration before
build.
Please let us know if you have a problem in reproducing the bug.
Thank you.
Sincerely,
Jaeseung
Reply sent
to
Pádraig Brady <P <at> draigBrady.com>
:
You have taken responsibility.
(Mon, 16 Oct 2017 08:09:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Jaeseung Choi <jschoi17 <at> kaist.ac.kr>
:
bug acknowledged by developer.
(Mon, 16 Oct 2017 08:09:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 28860-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 15/10/17 18:04, Jaeseung Choi wrote:
> Dear GNU team,
>
> While testing coreutils for a research purpose, we found the following
> segfault in 'b2sum'. Running b2sum with --check option, and simply
> providing a string "BLAKE2" with no trailing character raises the
> crash as below.
Wow thanks! Were you fuzzing the inputs?
Can you give more details on your testing?
The attached should fix this case.
thanks!
Pádraig
[b2sum-crash.patch (text/x-patch, attachment)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Mon, 13 Nov 2017 12:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 137 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.