--- Begin Message ---
Subject: Out of bounds global read in shred / genpattern()
Date: Tue, 7 Jul 2015 01:29:20 +0200
Hi,
There is an out of bounds read error in the function genpattern() in
shred (coreutils 8.23). This issue only appears randomly.
To test:
a) recompile coreutils 8.23 with address sanitizer: ./configure
CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
b) create a test file: touch x
c) run shred multiple times on it with -n 20:
for i in $(seq 1 1000); do src/shred -n 20 x; done
You will see the errors. Here's the output from Address Sanitizer:
==25808==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
READ of size 4 at 0x000000416628 thread T0
#0 0x40479f in genpattern src/shred.c:782
#1 0x4050d9 in do_wipefd src/shred.c:921
#2 0x406203 in wipefile src/shred.c:1175
#3 0x406b84 in main src/shred.c:1316
#4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)
0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from
'src/shred.c' (0x416660) of size 17
'*.LC49' is ascii string '%s: fstat failed'
0x000000416628 is located 12 bytes to the right of global variable 'patterns'
from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
==25808==ABORTING
--
Hanno Böck
http://hboeck.de/
mail/jabber: address@hidden
GPG: BBB51E42
--- End Message ---
--- Begin Message ---
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Tue, 07 Jul 2015 03:28:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
On 07/07/15 01:45, Pádraig Brady wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer
> Nice one!
>
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
>
> diff --git a/src/shred.c b/src/shred.c
> index 63bcd6f..74f7ad9 100644
> --- a/src/shred.c
> +++ b/src/shred.c
> @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source
> *s)
> n--;
> }
> p++;
> + k--;
> }
> while (n);
> break;
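Review bot: the new `k--` beside `p++` carries no comment tying the two together, and the loop still terminates on `while (n)` alone, so nothing in the loop itself stops `p` from advancing if `k` and `p` fall out of step again, which the message above says already happened once. A short comment on the `k--` line stating that `k` counts the patterns still available from `p`, or an assertion that `k` is non-zero at the top of each iteration, would make the invariant explicit; the test mentioned as attached should land in the same commit.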
Attached is the full patch including a test.
Marking this as done.
thanks!
Pádraig.
Attachment: shred-patterns.patch (text data)
--- End Message ---
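An added illustration, not code from shred.c or from either message: a generic pick-n-of-k selection loop showing why the cursor can walk past the table when the remaining count is not decremented alongside it. The pick condition, the RNG and the 10-entry table are constructed assumptions; the index check reports where an unchecked loop would read out of range instead of performing the read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed deterministic RNG so the demonstration is repeatable. */
static uint32_t rng_state = 20998u;
static unsigned rand_below(unsigned bound)
{
    rng_state = rng_state * 1103515245u + 12345u;
    return (rng_state >> 16) % bound;
}

/* Pick n of the k_total entries in src, in order (selection sampling).
   decrement_k == 0 models the loop without the "k--" line.
   Returns 1 if the cursor would step past the last entry, else 0.
   The index check stands in for AddressSanitizer. */
static int pick_n_of_k(const int *src, size_t k_total, size_t n,
                       int *dest, int decrement_k)
{
    size_t i = 0;            /* cursor, plays the role of p */
    size_t k = k_total;      /* entries the loop believes remain */
    while (n) {
        if (i >= k_total)
            return 1;        /* an unchecked loop would read src[i] here */
        if (n == k || rand_below((unsigned) k) < n) {
            *dest++ = src[i];
            n--;
        }
        i++;
        if (decrement_k)
            k--;             /* keeps i + k == k_total, so n <= k holds */
    }
    return 0;
}

/* Count how many of `trials` runs step outside a 10-entry table. */
static int count_overruns(int decrement_k, int trials)
{
    static const int table[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
    int out[3], bad = 0;
    for (int t = 0; t < trials; t++)
        bad += pick_n_of_k(table, 10, 3, out, decrement_k);
    return bad;
}

int main(void)
{
    printf("with k--: %d\n", count_overruns(1, 1000));
    printf("without k--: %d\n", count_overruns(0, 1000));
    return 0;
}
```

With the decrement, the forced pick when `n == k` guarantees the loop finishes inside the table; without it, whether a run overruns depends on the random draws, which matches the "only appears randomly" behaviour in the report.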