GNU bug report logs - #16855
report a bug about shuf


Package: coreutils;

Reported by: valiant xiao <s2exqx <at> gmail.com>

Date: Sun, 23 Feb 2014 18:59:03 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#16855: closed (report a bug about shuf)
Date: Sun, 23 Feb 2014 23:38:02 +0000
Your message dated Sun, 23 Feb 2014 15:37:41 -0800
with message-id <530A8645.4050809 <at> cs.ucla.edu>
and subject line Re: bug#16855: report a bug about shuf
has caused the debbugs.gnu.org bug report #16855,
regarding report a bug about shuf
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
16855: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16855
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: valiant xiao <s2exqx <at> gmail.com>
To: bug-coreutils <at> gnu.org
Cc: xuyongjiande <at> sina.com, Yu Chen <chyyuu <at> gmail.com>, bug-shuf <at> gnu.org
Subject: report a bug about shuf
Date: Sun, 23 Feb 2014 16:03:59 +0800
Hi,


We have found a bug in shuf, and we think it may result in a security
problem.
We compiled coreutils 8.22, which was downloaded from
http://ftp.gnu.org/gnu/coreutils/, and ran it on
my box, which is Ubuntu 12.04 x64. The bug details are as follows.

### Bug overview

    shuf -er or shuf -eer   [segmentation fault]
    impact: coreutils 8.22

```
[15:03:59]xqx <at> server:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```

### Analysis

When shuf executes -e without being given the expected input lines, it will
assign n_lines to 0 in "write_random_lines" while "repeat" (-r) is set,
and this variable will be used as the genmax parameter when the "randint_genmax" function
is called. The code is as follows in shuf.c:

```c
  /* write_random_lines in shuf.c: with -r and no input lines, n_lines is 0,
     so randint_choose is asked for an index into an empty table. */
  for (i = 0; i < count; i++)
    {
      const randint j = randint_choose (s, n_lines);   /* genmax is derived from n_lines == 0 */
      char *const *p = lines + j;                      /* j can be anywhere in the address space */
      size_t len = p[1] - p[0];
      if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
        return -1;
    }
```

'j' will be a random number between 0 and 0xffffffffffffffff on my 64-bit
Ubuntu, and 'p' will be an unexpected pointer which will be accessed next. When
p points to illegal memory, accessing it will be an error, which may
result in a segmentation fault.

If an attacker could control the random number generated by randint_choose,
they might get information without legal authority.  However, it may
be difficult.



yours

xqx
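As an added illustration of the analysis above (not the reporter's code and not the attached shuf.diff), here is a C model of write_random_lines that rejects the empty-table case up front. pick_index, index_in_bounds, demo and the sample table are assumptions: randint_choose is modelled as drawing an index in [0, n-1] with bound n - 1, and a toy LCG stands in for shuf's RNG.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for randint_choose (assumed semantics: an index in [0, n-1]).
   The bound is n - 1, so n == 0 wraps it to SIZE_MAX: the reporter's trigger. */
static size_t pick_index(size_t n, uint64_t *state)
{
    *state = *state * 6364136223846793005ULL + 1442695040888963407ULL; /* toy LCG, not shuf's RNG */
    size_t r = (size_t)(*state >> 11), bound = n - 1;   /* wraps when n == 0 */
    return bound == SIZE_MAX ? r : r % (bound + 1);     /* bound + 1 would be 0 */
}

/* Would the unguarded draw land inside a table of n_lines entries? */
int index_in_bounds(size_t n_lines, uint64_t seed)
{
    return pick_index(n_lines, &seed) < n_lines;
}

/* Hardened writer (assumed fix, not the attached shuf.diff): refuse an empty
   table instead of dereferencing lines + j. Layout follows shuf: n_lines + 1
   pointers, line j spans lines[j] .. lines[j+1]. */
int write_random_lines(char *const *lines, size_t n_lines, size_t count,
                       uint64_t seed, FILE *out)
{
    if (n_lines == 0)
        return -1;                                  /* no lines to repeat */
    for (size_t i = 0; i < count; i++) {
        char *const *p = lines + pick_index(n_lines, &seed);
        size_t len = (size_t)(p[1] - p[0]);
        if (fwrite(p[0], 1, len, out) != len)
            return -1;
    }
    return 0;
}

/* Constructed sample, as if from `shuf -e alpha beta gamma` (three lines). */
static char sample[] = "alpha\nbeta\ngamma\n";
static char *const sample_lines[] = { sample, sample + 6, sample + 11, sample + 17 };

/* Draw count lines from the first n_lines of the sample into a temp file;
   returns bytes written, or -1 when the writer refused. */
long demo(size_t n_lines, size_t count)
{
    FILE *out = tmpfile();
    if (!out) return -2;
    int rc = write_random_lines(sample_lines, n_lines, count, 2014u, out);
    long written = rc == 0 ? ftell(out) : -1;
    fclose(out);
    return written;
}
```

demo(0, 5) models `shuf -er` and returns -1 instead of reading through an out-of-range pointer; index_in_bounds(0, seed) shows that no draw from an empty table can be in range.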
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: valiant xiao <s2exqx <at> gmail.com>, 16855-done <at> debbugs.gnu.org
Cc: xuyongjiande <at> sina.com, Yu Chen <chyyuu <at> gmail.com>
Subject: Re: bug#16855: report a bug about shuf
Date: Sun, 23 Feb 2014 15:37:41 -0800
Thanks for the bug report.  I've committed the attached patch.
[shuf.diff (text/plain, attachment)]




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.