From: Hanno Böck
To: bug-coreutils@gnu.org
Date: Tue, 7 Jul 2015 01:29:20 +0200
Subject: bug#20998: Out of bounds global read in shred / genpattern()

Hi,

There is an out of bounds read error in the function genpattern() in
shred (coreutils 8.23). This issue only appears randomly.

To test:
a) recompile coreutils 8.23 with address sanitizer: ./configure
CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
b) create a test file: touch x
c) run shred multiple times on it with -n 20:
for i in $(seq 1 1000); do src/shred -n 20 x; done

You will see the errors. Here's the output from Address Sanitizer:

==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
    #1 0x4050d9 in do_wipefd src/shred.c:921
    #2 0x406203 in wipefile src/shred.c:1175
    #3 0x406b84 in main src/shred.c:1316
    #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)

0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
  '*.LC49' is ascii string '%s: fstat failed'
0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
==25808==ABORTING

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

From: Pádraig Brady
To: Hanno Böck, 20998@debbugs.gnu.org
Date: Tue, 07 Jul 2015 01:45:20 +0100
Subject: bug#20998: Out of bounds global read in shred / genpattern()

On 07/07/15 00:29, Hanno Böck wrote:
> Hi,
>
> There is an out of bounds read error in the function genpattern() in
> shred (coreutils 8.23). This issue only appears randomly.
>
> To test:
> a) recompile coreutils 8.23 with address sanitizer: ./configure
> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
> b) create a test file: touch x
> c) run shred multiple times on it with -n 20:
> for i in $(seq 1 1000); do src/shred -n 20 x; done
>
> You will see the errors. Here's the output from Address Sanitizer:
>
> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
> READ of size 4 at 0x000000416628 thread T0
>     #0 0x40479f in genpattern src/shred.c:782
>     #1 0x4050d9 in do_wipefd src/shred.c:921
>     #2 0x406203 in wipefile src/shred.c:1175
>     #3 0x406b84 in main src/shred.c:1316
>     #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
>     #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)
>
> 0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
>   '*.LC49' is ascii string '%s: fstat failed'
> 0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern

Nice one!

It looks like the restriction to the k patterns available
was lost with v5.92-1462-g65533e1 and that this should
fix it up.

diff --git a/src/shred.c b/src/shred.c index 63bcd6f..74f7ad9 100644 --- a/src/shred.c +++ b/src/shred.c @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s) n--; } p++; + k--; } while (n); break;

thanks!
Pádraig.
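
Review bot: the `k--` added after `p++` in genpattern() comes with no regression test, and the report says the overflow only appears randomly, so re-running shred by hand will not reliably show that the fix holds. Add a case to the shred tests that runs `-n 20` with a fixed `--random-source` and compares the listed passes, so that a wrong pattern selection fails on every run.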

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Hanno Böck
Date: Tue, 07 Jul 2015 02:30:07 +0000
Subject: bug#20998: closed (Re: bug#20998: Out of bounds global read in shred / genpattern())

Your bug report

#20998: Out of bounds global read in shred / genpattern()

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 20998@debbugs.gnu.org.

-- 
20998: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20998
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Pádraig Brady
To: Hanno Böck, 20998-done@debbugs.gnu.org
Date: Tue, 07 Jul 2015 03:28:32 +0100
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()

On 07/07/15 01:45, Pádraig Brady wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer
> Nice one!
>
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
>
> diff --git a/src/shred.c b/src/shred.c > index 63bcd6f..74f7ad9 100644 > --- a/src/shred.c > +++ b/src/shred.c > @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s) > n--; > } > p++; > + k--; > } > while (n); > break;

Attached is the full patch including a test.
Marking this as done.

thanks!
Pádraig.

Attachment: shred-patterns.patch

From 5e5d454037df549cc914f45891957181aa3b0a45 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Tue, 7 Jul 2015 01:46:54 +0100
Subject: [PATCH] shred: fix pattern selection for certain iteration counts

This was detected in about 25% of runs with gcc -fsanitize=address

ERROR: AddressSanitizer: global-buffer-overflow on address ...
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
    #1 0x4050d9 in do_wipefd src/shred.c:921
    #2 0x406203 in wipefile src/shred.c:1175
    #3 0x406b84 in main src/shred.c:1316
    #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)
0x000000416628 is located 56 bytes to the left of global variable
  '*.LC49' from 'src/shred.c' (0x416660) of size 17
0x000000416628 is located 12 bytes to the right of global variable
  'patterns' from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782

* src/shred.c (gen_patterns): Restrict pattern selection to the K
available, which regressed due to v5.92-1462-g65533e1.
* tests/misc/shred-passes.sh: Add a deterministic test case.
* NEWS: Mention the bug fix.
Fixes http://bugs.gnu.org/20998
---
 NEWS                       |  5 +++++
 src/shred.c                |  5 +++--
 tests/misc/shred-passes.sh | 34 +++++++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS index 7e213fd..54a0ab6 100644 --- a/NEWS +++ b/NEWS 
@@ -2,6 +2,11 @@ GNU coreutils NEWS -*= - outline -*- =20 * Noteworthy changes in release ?.? (????-??-??) [?] =20 +** Bug fixes + + shred again uses defined patterns for all iteration counts. + [bug introduced in coreutils-5.93] + =20 * Noteworthy changes in release 8.24 (2015-07-03) [stable] =20 diff --git a/src/shred.c b/src/shred.c index 63bcd6f..52c93ef 100644 --- a/src/shred.c +++ b/src/shred.c @@ -712,7 +712,7 @@ static int const 12, 0x111, 0x222, 0x333, 0x444, 0x666, 0x777, 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE, /* 4-bit */ -1, /* 1 random pass */ - /* The following patterns have the frst bit per block flipped */= + /* The following patterns have the first bit per block flipped *= / 8, 0x1000, 0x1249, 0x1492, 0x16DB, 0x1924, 0x1B6D, 0x1DB6, 0x1FFF, 14, 0x1111, 0x1222, 0x1333, 0x1444, 0x1555, 0x1666, 0x1777, 0x1888, 0x1999, 0x1AAA, 0x1BBB, 0x1CCC, 0x1DDD, 0x1EEE, @@ -776,7 +776,7 @@ genpattern (int *dest, size_t num, struct randint_sou= rce *s) break; } else - { /* Pad out with k of the n available */ + { /* Pad out with n of the k available */ do { if (n =3D=3D (size_t) k || randint_choose (s, k) < n) @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_sou= rce *s) n--; } p++; + k--; } while (n); break; diff --git a/tests/misc/shred-passes.sh b/tests/misc/shred-passes.sh index 0fa63be..64216fd 100755 --- a/tests/misc/shred-passes.sh +++ b/tests/misc/shred-passes.sh @@ -32,9 +32,9 @@ shred: f: renamed to 0 shred: f: removed" > exp || framework_failure_ =20 shred -v -u f 2>out || fail=3D1 - compare exp out || fail=3D1 =20 + # Likewise but for a zero length file # to bypass the data passes touch f || framework_failure_ 
@@ -44,7 +44,39 @@ shred: f: renamed to 0 shred: f: removed" > exp || framework_failure_ =20 shred -v -u f 2>out || fail=3D1 +compare exp out || fail=3D1 + + +# shred data 20 times and verify the passes used. +# This would consume all random data between 5.93 and 8.24 inclusive. +dd bs=3D100K count=3D1 if=3D/dev/zero | tr '\0' 'U' > Us || framework_fa= ilure_ +printf 1 > f || framework_failure_ +echo "\ +shred: f: pass 1/20 (random)... +shred: f: pass 2/20 (ffffff)... +shred: f: pass 3/20 (924924)... +shred: f: pass 4/20 (888888)... +shred: f: pass 5/20 (db6db6)... +shred: f: pass 6/20 (777777)... +shred: f: pass 7/20 (492492)... +shred: f: pass 8/20 (bbbbbb)... +shred: f: pass 9/20 (555555)... +shred: f: pass 10/20 (aaaaaa)... +shred: f: pass 11/20 (random)... +shred: f: pass 12/20 (6db6db)... +shred: f: pass 13/20 (249249)... +shred: f: pass 14/20 (999999)... +shred: f: pass 15/20 (111111)... +shred: f: pass 16/20 (000000)... +shred: f: pass 17/20 (b6db6d)... +shred: f: pass 18/20 (eeeeee)... +shred: f: pass 19/20 (333333)... +shred: f: pass 20/20 (random)... 
+shred: f: removing +shred: f: renamed to 0 +shred: f: removed" > exp || framework_failure_ =20 +shred -v -u -n20 --random-source=3DUs f 2>out || fail=3D1 compare exp out || fail=3D1 =20 =20 --=20 2.4.1
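
Review bot: the NEWS entry added under "** Bug fixes" says only that shred "again uses defined patterns for all iteration counts" and does not mention that the old code read past the end of the patterns array, which is how the AddressSanitizer report in the commit message characterises the defect. Say in the entry that the out-of-bounds read is gone, so that packagers scanning NEWS can tell this is a memory-safety fix and not only a change in which patterns are written.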
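
Review bot: in the `@@ -785,6 +785,7 @@` hunk of src/shred.c, the new `k--` makes the loop rely on `n <= k` holding on entry, because that is what lets the `n == (size_t) k` test shown in the hunk before it force a selection before `k` runs out, and nothing in the visible lines checks or states it. Put the invariant into the corrected comment ("Pad out with n of the k available") or add an assert, since `k` is a signed int that is cast to size_t in that comparison.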
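
Review bot: the case added to tests/misc/shred-passes.sh pins the exact order of all 20 passes for `--random-source=Us`, so it checks more than the bounds fix: any later change in how shred consumes random data will fail this test even when pattern selection stays inside the table. If the exact list is intended, say so in the comment above it, which currently only notes that the input "would consume all random data between 5.93 and 8.24 inclusive".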

From: Paul Eggert
To: Pádraig Brady, Hanno Böck, 20998@debbugs.gnu.org
Date: Mon, 06 Jul 2015 19:30:33 -0700
Subject: bug#20998: Out of bounds global read in shred / genpattern()

Pádraig Brady wrote:
> Nice one!

Yes, very nice.

> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.

And thanks for the fix; it looks good to me too.

From: Jim Meyering
To: Pádraig Brady
Cc: Hanno Böck, 20998@debbugs.gnu.org
Date: Mon, 6 Jul 2015 19:56:26 -0700
Subject: bug#20998: Out of bounds global read in shred / genpattern()

On Mon, Jul 6, 2015 at 5:45 PM, Pádraig Brady wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer: ./configure
>> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
>> b) create a test file: touch x
>> c) run shred multiple times on it with -n 20:
>> for i in $(seq 1 1000); do src/shred -n 20 x; done
>>
>> You will see the errors. Here's the output from Address Sanitizer:
>>
>> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
>> READ of size 4 at 0x000000416628 thread T0
...
>> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
>
>
> Nice one!
>
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
>
> diff --git a/src/shred.c b/src/shred.c > index 63bcd6f..74f7ad9 100644 > --- a/src/shred.c > +++ b/src/shred.c > @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_sou= rce *s) > n--; > } > p++; > + k--;

Nice one, indeed.
Thanks to both of you!
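
The loop this thread fixes picks n of the k entries in a pattern group by walking the group once. The sketch below is an added example, not code from coreutils: it models a single group with and without the `k--`, and records when the walk would leave the group instead of actually reading past it. The names `pick_n_of_k`, `choose`, `struct rng`, `scripted`, `count_overruns` and the sample group are assumptions made for the illustration; `choose` stands in for `randint_choose`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for randint_choose(): returns a value in [0, k).  With a script
   it replays fixed draws; without one it steps a small LCG.  */
struct rng { const unsigned *script; size_t len, pos; uint64_t state; };

static unsigned choose(struct rng *s, unsigned k)
{
    if (s->script)
        return s->script[s->pos++ % s->len] % k;
    s->state = s->state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (unsigned) (s->state >> 33) % k;
}

struct walk { size_t copied, walked; int left_group; };

/* Copy n of the k entries at src into dest, keeping their order.
   decrement_k = 0 models the loop before the fix, 1 the loop after it.
   Instead of reading past src[k-1], the model stops and sets left_group.  */
static struct walk pick_n_of_k(const int *src, int k, size_t n, int *dest,
                               struct rng *s, int decrement_k)
{
    struct walk w = {0, 0, 0};
    size_t avail = (size_t) k, i = 0;

    if (k <= 0 || n == 0 || n > avail)
        return w;                   /* precondition: 1 <= n <= k */
    do {
        if (i >= avail) {           /* the real loop would read src[i] here */
            w.left_group = 1;
            break;
        }
        /* Take this entry if every remaining one is needed (n == k),
           or with probability n/k otherwise.  */
        if (n == (size_t) k || choose(s, (unsigned) k) < n) {
            dest[w.copied++] = src[i];
            n--;
        }
        i++;
        if (decrement_k)
            k--;                    /* one fewer entry left to choose from */
    } while (n);
    w.walked = i;
    return w;
}

/* Constructed sample data: one group of five entries, two wanted.  */
static const int group[5] = {10, 20, 30, 40, 50};

/* Replay fixed draws (4, 3, 2, 1) so both variants see the same inputs.  */
static struct walk scripted(int decrement_k, int *dest)
{
    static const unsigned draws[4] = {4, 3, 2, 1};
    struct rng s = {draws, 4, 0, 0};
    return pick_n_of_k(group, 5, 2, dest, &s, decrement_k);
}

/* Number of runs out of `trials` in which the walk left the group.  */
static unsigned count_overruns(int decrement_k, unsigned trials)
{
    struct rng s = {NULL, 0, 0, 20998};
    int dest[5];
    unsigned bad = 0;

    for (unsigned t = 0; t < trials; t++)
        bad += (unsigned) pick_n_of_k(group, 5, 2, dest, &s,
                                      decrement_k).left_group;
    return bad;
}

int main(void)
{
    int dest[5];
    struct walk before = scripted(0, dest);
    struct walk after = scripted(1, dest);

    printf("before fix: copied %zu, walked %zu, left group: %d\n",
           before.copied, before.walked, before.left_group);
    printf("after fix:  copied %zu, walked %zu, left group: %d\n",
           after.copied, after.walked, after.left_group);
    printf("overruns in 1000 runs: before %u, after %u\n",
           count_overruns(0, 1000), count_overruns(1, 1000));
    return 0;
}
```

With `k` held constant the `n == k` shortcut can only fire on the first step, so nothing forces the last entries to be taken and the walk can run off the end; decrementing `k` keeps `n <= k` true and the loop always finishes inside the group.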