GNU bug report logs -
#16855
report a bug about shuf
Reported by: valiant xiao <s2exqx <at> gmail.com>
Date: Sun, 23 Feb 2014 18:59:03 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
We have found a bug in shuf, and we think it may result in a security
problem.
We compiled coreutils 8.22, which was downloaded from
http://ftp.gnu.org/gnu/coreutils/, and ran it on
my box, which is Ubuntu 12.04 x64. The bug details are as follows.
### Bug overview
shuf -er or shuf -eer [segmentation fault]
impact [coreutils 8.22]
```
[15:03:59]xqx <at> server:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```
### Analysis
When shuf executes -e without being given the expected input lines, it will
assign n_lines to 0 in "write_random_lines" while "repeat" (-r) is set,
and this variable will be used as the genmax parameter when the "randint_genmax"
function is called. The code is as follows in shuf.c:
```
for (i = 0; i < count; i++)
  {
    const randint j = randint_choose (s, n_lines);
    char *const *p = lines + j;
    size_t len = p[1] - p[0];
    if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
      return -1;
  }
```
'j' will be a random number between 0-0xffffffffffffffff on my 64-bit
Ubuntu, and 'p' will be an unexpected pointer which will be accessed next. When
p points to illegal memory, accessing it will cause an error, which may
result in a segmentation fault.
If an attacker could control the random number generated by randint_choose,
they may be able to get information without legal authority. However, it may
be difficult.
yours
xqx
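
The failure described in the report, as an added example that is not part of the original message and is not coreutils code: it shows how a line count of 0 becomes an unbounded index range, next to a repeat loop that refuses empty input and bounds-checks the index. The names `choose_upper_bound`, `toy_genmax` and `write_repeated_lines` are hypothetical, and the example assumes the chooser derives its inclusive upper bound as `choices - 1`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the chooser's bound: picking among `choices` values
   means generating in [0, choices - 1]. Unsigned, so 0 - 1 wraps. */
static uintmax_t choose_upper_bound(uintmax_t choices)
{
    return choices - 1;
}

/* Toy deterministic generator (xorshift64), standing in for the real
   random source: returns a value in [0, genmax]. */
static uintmax_t toy_genmax(uint64_t *state, uintmax_t genmax)
{
    uint64_t x = *state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    *state = x;
    return genmax == UINTMAX_MAX ? x : x % (genmax + 1);
}

/* Repeat loop with the missing checks. `lines` holds n_lines + 1
   pointers; line i spans lines[i] .. lines[i + 1].
   Returns 0 on success, -1 on write/index error, -2 if nothing to repeat. */
static int write_repeated_lines(uint64_t *state, char *const *lines,
                                size_t n_lines, size_t count, FILE *out)
{
    if (n_lines == 0)                 /* -e given with no operands */
        return count == 0 ? 0 : -2;
    for (size_t i = 0; i < count; i++) {
        uintmax_t j = toy_genmax(state, choose_upper_bound(n_lines));
        if (j >= n_lines)             /* never index past the line table */
            return -1;
        char *const *p = lines + j;
        size_t len = (size_t)(p[1] - p[0]);
        if (fwrite(p[0], sizeof *p[0], len, out) != len)
            return -1;
    }
    return 0;
}

int main(void)
{
    static char buf[] = "aa\nbb\ncc\n";      /* constructed sample input */
    char *lines[] = { buf, buf + 3, buf + 6, buf + 9 };
    uint64_t seed = 42;
    printf("bound for 0 choices: %ju\n", choose_upper_bound(0));
    printf("empty input -> %d\n", write_repeated_lines(&seed, NULL, 0, 5, stdout));
    return write_repeated_lines(&seed, lines, 3, 4, stdout);
}
```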
This bug report was last modified 11 years and 109 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.