From: Vincent Lefevre
To: 18269@debbugs.gnu.org
Date: Fri, 15 Aug 2014 02:56:19 +0200
Subject: bug#18269: incorrect undossify_input prototype - possible integer overflow
Message-ID: <20140815005619.GK5034@xvii.vinc17.org>

In grep 2.20, grep.c contains:

  ssize_t fillsize;
  size_t readsize;
  [...]
  fillsize = safe_read (bufdesc, readbuf, readsize);
  if (fillsize < 0)
    fillsize = cc = 0;
  bufoffset += fillsize;
  fillsize = undossify_input (readbuf, fillsize);

In practice, readsize can be large on a 64-bit machine (more than 2 GB),
so that the return value of safe_read(), fillsize, can also be large
since a read() is called with readsize as the 3rd argument.

But dosbuf.c has:

  static int
  undossify_input (char *buf, size_t buflen)
  {
    if (! O_BINARY)
      return buflen;
  [...]

meaning that the potentially large buflen (> 2 GB) is returned as an int,
whose usual size is 32 bits only, yielding an integer overflow.

undossify_input should be rewritten in such a way that some int's are
changed to size_t or ssize_t.

Note: This bug is currently not visible under Linux due to a limitation
in the kernel (breaking POSIX compliance, BTW): the read() return value
is limited to 0x7ffff000.

-- 
Vincent Lefèvre - Web:
100% accessible validated (X)HTML - Blog:
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Vincent Lefevre
Date: Fri, 15 Aug 2014 01:42:03 +0000
Subject: bug#18269: closed (Re: bug#18269: incorrect undossify_input prototype - possible integer overflow)
Reply-To: 18269@debbugs.gnu.org

Your bug report

#18269: incorrect undossify_input prototype - possible integer overflow

which was filed against the grep package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 18269@debbugs.gnu.org.

-- 
18269: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18269
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: Paul Eggert
Organization: UCLA Computer Science Department
To: Vincent Lefevre, 18269-done@debbugs.gnu.org
Date: Thu, 14 Aug 2014 18:41:32 -0700
Subject: Re: bug#18269: incorrect undossify_input prototype - possible integer overflow
Message-ID: <53ED654C.4070004@cs.ucla.edu>
In-Reply-To: <20140815005619.GK5034@xvii.vinc17.org>

Thanks for reporting that.  Plus, there's a related bug in the use of
safe_read.  I fixed them both with the attached patch.

[Attachment: 0001-grep-fix-integer-width-bugs-in-undossify_input-etc.patch]
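
The narrowing reported in this thread, modelled in C as an added example (not code from grep or from either message). It keeps only the "if (! O_BINARY) return buflen;" path quoted in the report and compares the int return type with a size_t one, for the 0x7ffff000 read() limit the report mentions and for a constructed 3 GiB count. MODEL_O_BINARY, LINUX_READ_CAP, the _int/_size suffixes and count_survives_int are names assumed for the example; converting an out-of-range value to int is implementation-defined, and the result assumes the wrap-around that GCC and Clang implement.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed for this example: 0 models a POSIX host, where the report's
   "if (! O_BINARY) return buflen;" path is the one taken.  */
#define MODEL_O_BINARY 0

/* Largest read() return value on Linux, as given in the report.  */
#define LINUX_READ_CAP ((size_t) 0x7ffff000)

/* Return type as quoted from dosbuf.c in the report.  */
static int
undossify_input_int (char *buf, size_t buflen)
{
  (void) buf;
  if (! MODEL_O_BINARY)
    return buflen;              /* implicit size_t -> int conversion */
  return 0;                     /* DOS text path elided, as in the report */
}

/* Same path with the return type matching the parameter type.  */
static size_t
undossify_input_size (char *buf, size_t buflen)
{
  (void) buf;
  if (! MODEL_O_BINARY)
    return buflen;
  return 0;
}

/* 1 if the int-returning version hands back the count it was given.  */
static int
count_survives_int (size_t nread)
{
  int r = undossify_input_int (NULL, nread);
  return r >= 0 && (size_t) r == nread;
}

int
main (void)
{
  size_t big = (size_t) 3 << 30;        /* constructed: 3 GiB byte count */
  printf ("capped count %zu survives int: %d\n", LINUX_READ_CAP,
          count_survives_int (LINUX_READ_CAP));
  printf ("3 GiB count survives int: %d (int %d, size_t %zu)\n",
          count_survives_int (big), undossify_input_int (NULL, big),
          undossify_input_size (NULL, big));
  return 0;
}
```

The capped count still fits in a 32-bit int, which is why the report calls the bug not visible under Linux; the 3 GiB count does not.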