GNU bug report logs - #16855
report a bug about shuf

Package: coreutils;

Reported by: valiant xiao <s2exqx <at> gmail.com>

Date: Sun, 23 Feb 2014 18:59:03 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: valiant xiao <s2exqx <at> gmail.com>
Subject: bug#16855: closed (Re: bug#16855: report a bug about shuf)
Date: Sun, 23 Feb 2014 23:38:03 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#16855: report a bug about shuf

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 16855 <at> debbugs.gnu.org.

-- 
16855: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16855
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: valiant xiao <s2exqx <at> gmail.com>, 16855-done <at> debbugs.gnu.org
Cc: xuyongjiande <at> sina.com, Yu Chen <chyyuu <at> gmail.com>
Subject: Re: bug#16855: report a bug about shuf
Date: Sun, 23 Feb 2014 15:37:41 -0800
[Message part 3 (text/plain, inline)]
Thanks for the bug report.  I've committed the attached patch.
[shuf.diff (text/plain, attachment)]
[Message part 5 (message/rfc822, inline)]
From: valiant xiao <s2exqx <at> gmail.com>
To: bug-coreutils <at> gnu.org
Cc: xuyongjiande <at> sina.com, Yu Chen <chyyuu <at> gmail.com>, bug-shuf <at> gnu.org
Subject: report a bug about shuf
Date: Sun, 23 Feb 2014 16:03:59 +0800
[Message part 6 (text/plain, inline)]
Hi,


We have found a bug in shuf, and we think it may result in a security
problem.
We compiled coreutils 8.22, which was downloaded from
http://ftp.gnu.org/gnu/coreutils/, and ran it on
my box, which is Ubuntu 12.04 x64. The bug details are as follows.

### Bug overview

    shuf -er or shuf -eer [segmentation fault]
    impact [coreutils 8.22]

```
[15:03:59]xqx <at> server:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```

### Analysis

    When shuf executes -e without being given the expected input lines, it will
set n_lines to 0 in "write_random_lines" while "repeat" (-r) is set,
and this variable will be used as the genmax parameter when the "randint_genmax"
function is called. The code in shuf.c is as follows:

```
  for (i = 0; i < count; i++)
    {
      const randint j = randint_choose (s, n_lines);
      char *const *p = lines + j;
      size_t len = p[1] - p[0];
      if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
        return -1;
    }
```

    'j' will be a random number between 0 and 0xffffffffffffffff on my 64-bit
Ubuntu, and 'p' will be an unexpected pointer which will be accessed next. When
p points to illegal memory, there will be an error when accessing it, which may
result in a segmentation fault.

    If an attacker could control the random number generated by randint_choose,
they may get the information without legal authority.  However, it may
be difficult.



yours

xqx
[Message part 7 (text/html, inline)]
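
An added example, not part of the original report and not coreutils' code: the loop quoted in the report, with the empty-input case rejected before any index is drawn. It assumes randint_choose (s, n) draws from [0, n - 1], so that n_lines == 0 gives the bound n - 1 = SIZE_MAX; genmax_for, pick and write_repeated are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound handed to the generator for n_lines choices (n_lines - 1).
   For n_lines == 0 the unsigned subtraction wraps to SIZE_MAX.  */
static size_t
genmax_for (size_t n_lines)
{
  return n_lines - 1;
}

/* Hypothetical stand-in for the generator: a value in [0, genmax].
   rand () only keeps the example offline; it is not gnulib's source.  */
static size_t
pick (size_t genmax)
{
  size_t r = (size_t) rand ();
  return genmax == SIZE_MAX ? r : r % (genmax + 1);
}

/* The loop from the report with the empty-input case rejected first.
   lines[] holds n_lines + 1 pointers; line i spans lines[i]..lines[i + 1].
   Returns 0 on success, -1 on empty input or write error.  */
static int
write_repeated (FILE *out, char *const *lines, size_t n_lines, size_t count)
{
  if (n_lines == 0)
    return -1;                  /* nothing to repeat: never index lines[] */
  for (size_t i = 0; i < count; i++)
    {
      char *const *p = lines + pick (genmax_for (n_lines));
      size_t len = p[1] - p[0];
      if (fwrite (p[0], sizeof *p[0], len, out) != len)
        return -1;
    }
  return 0;
}

int
main (void)
{
  char buf[] = "a\nbb\nccc\n";  /* constructed sample input */
  char *lines[] = { buf, buf + 2, buf + 5, buf + 9 };
  printf ("bound for 0 lines: %zu\n", genmax_for (0));
  printf ("empty input -> %d\n", write_repeated (stdout, lines, 0, 3));
  return write_repeated (stdout, lines, 3, 4);
}
```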

This bug report was last modified 11 years and 110 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.