From: valiant xiao
To: bug-coreutils@gnu.org
Cc: xuyongjiande@sina.com, Yu Chen, bug-shuf@gnu.org
Date: Sun, 23 Feb 2014 16:03:59 +0800
Subject: bug#16855: report a bug about shuf
X-GNU-PR-Package: coreutils

Hi,

We have found a bug in shuf, and we think it may result in a security problem.
We compiled coreutils 8.22, downloaded from http://ftp.gnu.org/gnu/coreutils/, and ran it on my box, which is Ubuntu 12.04 x64. The bug details are as follows.

### Bug overview

    shuf -er or shuf -eer [segmentation fault]
    impact [coreutils 8.22]

```
[15:03:59]xqx@server:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```

### Analysis

When shuf executes -e without being given the expected input lines, it assigns 0 to n_lines in "write_random_lines" while "repeat" (-r) is set, and this variable is used as the genmax parameter when the "randint_genmax" function is called. The code in shuf.c is as follows:

```
  for (i = 0; i < count; i++)
    {
      const randint j = randint_choose (s, n_lines);
      char *const *p = lines + j;
      size_t len = p[1] - p[0];
      if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
        return -1;
    }
```

'j' will be a random number between 0 and 0xffffffffffffffff on my 64-bit Ubuntu, and 'p' will be an unexpected pointer which is accessed next. When p points to illegal memory, accessing it will be an error, which may result in a segmentation fault.

If an attacker could control the random number generated by randint_choose, it may be possible to get information without legal authority. However, it may be difficult.

yours

xqx
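The selection loop the report quotes is the whole bug: `randint_choose (s, n_lines)` asks the generator for an index in [0, n_lines - 1] (in gnulib's randint.h it is `randint_genmax (s, choices - 1)`), so with n_lines == 0 the bound wraps to the largest size_t, `lines + j` can point anywhere, and the fwrite reads from there. The C program below is an added illustration, not code from coreutils or from the report: it models the line table shuf builds and the same loop, first with the dereference replaced by a range check so it can run without faulting, then hardened with the empty-input guard that the committed fix adds in main(). The LCG random source, the three-line sample input and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Deterministic 64-bit LCG standing in for shuf's randint source, so the
   example runs offline (assumption: shuf reads /dev/urandom or
   --random-source).  */
typedef struct { uint64_t state; } rand_source;

static uint64_t next_u64 (rand_source *s)
{
  s->state = s->state * 6364136223846793005ULL + 1442695040888963407ULL;
  return s->state;
}

/* Uniform in [0, genmax].  genmax == SIZE_MAX means no bound at all.
   (Modulo bias is beside the point here.)  */
static size_t randint_genmax (rand_source *s, size_t genmax)
{
  if (genmax == SIZE_MAX)
    return (size_t) next_u64 (s);
  return (size_t) (next_u64 (s) % (genmax + 1));
}

/* Choose-from-n asks for [0, n - 1]; with n == 0 the subtraction wraps
   and the "bound" handed to the generator is SIZE_MAX.  */
static size_t choose_bound (size_t n) { return n - 1; }

static size_t randint_choose (rand_source *s, size_t n)
{
  return randint_genmax (s, choose_bound (n));
}

/* shuf's line table: line i spans lines[i] .. lines[i+1] and
   lines[n_lines] is the end marker.  Constructed three-line input.  */
static char sample_buf[] = "alpha\nbeta\ngamma\n";
static char *sample_lines[4];

static size_t build_sample_table (void)
{
  size_t n = 0;
  sample_lines[n++] = sample_buf;
  for (char *p = sample_buf; *p; p++)
    if (*p == '\n')
      sample_lines[n++] = p + 1;
  return n - 1;                 /* 3 lines; sample_lines[3] is the end marker */
}

/* The 8.22 loop with the dereference replaced by a range check (the real
   code forms lines + j and reads p[0] and p[1]).  Returns how many of
   COUNT picks fell outside the table.  */
static size_t picks_outside_table (size_t n_lines, size_t count)
{
  rand_source s = { 42 };
  size_t bad = 0;
  for (size_t i = 0; i < count; i++)
    if (randint_choose (&s, n_lines) >= n_lines)
      bad++;
  return bad;
}

/* Hardened loop: refuse an empty table before the first pick, and copy
   into a bounded buffer.  Returns bytes written, -1 on empty input, -2 if
   a pick ever left the table (cannot happen once n_lines >= 1).  */
static long write_random_lines_checked (rand_source *s, size_t count,
                                        char *const *lines, size_t n_lines,
                                        char *out, size_t out_cap)
{
  if (n_lines == 0)
    return -1;                  /* "No lines to repeat" */
  size_t used = 0;
  for (size_t i = 0; i < count; i++)
    {
      size_t j = randint_choose (s, n_lines);
      if (j >= n_lines)
        return -2;
      size_t len = (size_t) (lines[j + 1] - lines[j]);
      if (len > out_cap - used)
        break;                  /* output full: stop, never overrun */
      memcpy (out + used, lines[j], len);
      used += len;
    }
  return (long) used;
}

/* Wrapper over the sample table: N_LINES selects a prefix of it, and 0
   models `shuf -er` with no operands.  */
static long demo_checked (size_t n_lines, size_t count)
{
  static char out[256];
  size_t have = build_sample_table ();
  rand_source s = { 42 };
  if (n_lines > have)
    n_lines = have;
  return write_random_lines_checked (&s, count, sample_lines, n_lines,
                                     out, sizeof out);
}
```

With an empty table every one of a thousand unchecked picks lands outside it, because the bound is SIZE_MAX rather than "no choices"; the checked version refuses before the first pick, and once n_lines is at least 1 the index is always in range. The guard is cheap, so it belongs next to the arithmetic that needs it (here, inside the loop's function) rather than only in whichever caller happens to remember.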



From: help-debbugs@gnu.org (GNU bug Tracking System)
To: valiant xiao
Subject: bug#16855: closed (Re: bug#16855: report a bug about shuf)
Date: Sun, 23 Feb 2014 23:38:03 +0000

Your bug report

#16855: report a bug about shuf

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 16855@debbugs.gnu.org.

-- 
16855: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16855
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Paul Eggert
Organization: UCLA Computer Science Department
To: valiant xiao, 16855-done@debbugs.gnu.org
Cc: xuyongjiande@sina.com, Yu Chen
Date: Sun, 23 Feb 2014 15:37:41 -0800
Subject: Re: bug#16855: report a bug about shuf
Message-ID: <530A8645.4050809@cs.ucla.edu>

Thanks for the bug report. I've committed the attached patch.

[Attachment: shuf.diff, sent base64-encoded and omitted here. The patch is quoted in Pádraig Brady's reply below; the parts not quoted there are the remainder of the src/shuf.c hunk, which moves the existing write_random_numbers / write_random_lines calls inside the new else block, and a regression test added to tests/misc/shuf.sh that runs `shuf -er` and requires exit status 1.]
From: Pádraig Brady
To: 16855@debbugs.gnu.org, eggert@cs.ucla.edu, s2exqx@gmail.com
Date: Mon, 24 Feb 2014 01:03:55 +0000
Subject: bug#16855: report a bug about shuf
Message-ID: <530A9A7B.9090901@draigBrady.com>
In-Reply-To: <530A8645.4050809@cs.ucla.edu>

On 02/23/2014 11:37 PM, Paul Eggert wrote:
> Thanks for the bug report. I've committed the attached patch.
>
> shuf.diff
>
>
> From 24eb395471176e24762b08bfcef7562911537504 Mon Sep 17 00:00:00 2001
> From: Paul Eggert
> Date: Sun, 23 Feb 2014 15:34:48 -0800
> Subject: [PATCH] shuf: with -r, don't dump core if the input is empty
>
> Problem reported by valiant xiao in .
> * NEWS: Document this.
> * src/shuf.c (main): With -r, report an error if the input is empty.
> * tests/misc/shuf.sh: Test for the bug.
> ---
> NEWS | 3 +++
> src/shuf.c | 15 +++++++++++----
> tests/misc/shuf.sh | 4 ++++
> 3 files changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index e72942b..2df246d 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -22,6 +22,9 @@ GNU coreutils NEWS -*- outline -*-
> it would display an error, requiring --no-dereference to avoid the issue.
> [bug introduced in coreutils-5.3.0]
>
> + shuf -r no longer dumps core if the input is empty.
> + [bug introduced in coreutils-8.22]
> +
> ** New features
>
> od accepts a new option: --endian=TYPE to handle inputs with different byte
> diff --git a/src/shuf.c b/src/shuf.c
> index d4641fe..2a91072 100644
> --- a/src/shuf.c
> +++ b/src/shuf.c
> @@ -576,11 +576,18 @@ main (int argc, char **argv)
> /* Generate output according to requested method */
> if (repeat)
> {
> - if (input_range)
> - i = write_random_numbers (randint_source, head_lines,
> - lo_input, hi_input, eolbyte);
> + if (head_lines == 0)
> + i = 0;
> else
> - i = write_random_lines (randint_source, head_lines, line, n_lines);
> + {
> + if (n_lines == 0)
> + error (EXIT_FAILURE, 0, _("No lines to repeat"));

Thanks for the quick fix.

I was wondering if we do want to error if there is no input, rather than silently exit(0)?

$ shuf -r -n1 /dev/null
shuf: No lines to repeat

I guess that makes sense since we can't fulfil the request to repeat forever, or with -n; at least up to n.
I.E. rather than this being a transformation of the input, the input is insufficient to generate the requested output.

thanks,
Pádraig.
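Review bot: the NEWS hunk records only that the core dump is gone; what a user of `shuf -r` on empty input will now see is a new diagnostic, `shuf: No lines to repeat`, and a failure exit status (with -n0 the command still exits 0 and prints nothing). Suggest the entry say so, since a script that previously crashed at this point now gets a reportable error instead.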
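Review bot: in the src/shuf.c hunk the `n_lines == 0` guard is added in main(), but the code it protects is the callee: write_random_lines still calls `randint_choose (s, n_lines)` with no check of its own, and the report above shows that with n_lines == 0 the resulting j spans the whole 64-bit range before `lines + j` is dereferenced. Suggest also checking (or asserting) `0 < n_lines` at the top of write_random_lines, and the equivalent range condition in write_random_numbers, so the precondition lives next to the arithmetic that needs it and a future caller cannot reintroduce the out-of-bounds read. The ordering also deserves a comment: because `head_lines == 0` is tested first, `-r -n0` on empty input stays silent while `-r -n1` fails, which is the behaviour Pádraig asks about above.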