GNU bug report logs - #20998
Out of bounds global read in shred / genpattern()


Package: coreutils

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Mon, 6 Jul 2015 23:43:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Pádraig Brady <P <at> draigBrady.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#20998: closed (Out of bounds global read in shred / genpattern())
Date: Tue, 07 Jul 2015 02:30:06 +0000
[Message part 1 (text/plain, inline)]
Your message dated Tue, 07 Jul 2015 03:28:32 +0100
with message-id <559B3950.4070602 <at> draigBrady.com>
and subject line Re: bug#20998: Out of bounds global read in shred / genpattern()
has caused the debbugs.gnu.org bug report #20998,
regarding Out of bounds global read in shred / genpattern()
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
20998: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20998
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Hanno Böck <hanno <at> hboeck.de>
To: bug-coreutils <at> gnu.org
Subject: Out of bounds global read in shred / genpattern()
Date: Tue, 7 Jul 2015 01:29:20 +0200
[Message part 3 (text/plain, inline)]
Hi,

There is an out of bounds read error in the function genpattern() in
shred (coreutils 8.23). This issue only appears randomly.

To test:
a) recompile coreutils 8.23 with address sanitizer: ./configure
CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
b) create a test file: touch x
c) run shred multiple times on it with -n 20:
for i in $(seq 1 1000); do src/shred -n 20 x; done

You will see the errors. Here's the output from Address Sanitizer:

==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
    #1 0x4050d9 in do_wipefd src/shred.c:921
    #2 0x406203 in wipefile src/shred.c:1175
    #3 0x406b84 in main src/shred.c:1316
    #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)

0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
  '*.LC49' is ascii string '%s: fstat failed'
0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
==25808==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42
[Message part 4 (application/pgp-signature, inline)]
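
A triage aid for the report above, added here as an example (not part of the original message or of coreutils): it parses the report lines and converts ASan's byte distance into an element index. It assumes the elements of `patterns` are as wide as the 4-byte faulting read and treats the object the address lies to the right of as the one indexed past; `triage` and the regex names are made up for this sketch.

```python
import re

# Lines excerpted from the AddressSanitizer report in the message above.
REPORT = """\
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
"""

ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
GLOBAL = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global "
    r"variable '([^']+)' from '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)", re.M)
FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)


def triage(report):
    """Summarise a global-buffer-overflow report: which object, how far past it."""
    kind, width, addr = ACCESS.search(report).groups()
    width, addr = int(width), int(addr, 16)
    func, where = FRAME0.search(report).groups()
    result = {"access": kind, "width": width, "function": func, "location": where}
    for m in GLOBAL.finditer(report):
        _, dist, side, name, _, base, size = m.groups()
        base, size, dist = int(base, 16), int(size), int(dist)
        if side != "right":
            continue  # heuristic: "left of" names the neighbouring object
        # Cross-check ASan's stated distance against the raw addresses.
        if addr - (base + size) != dist:
            raise ValueError("report addresses and distance disagree")
        result.update(
            object=name, object_size=size, bytes_past_end=dist,
            # Assumption: each element is as wide as the faulting access.
            elements=size // width, index=(addr - base) // width)
    return result


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```
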
[Message part 5 (message/rfc822, inline)]
From: Pádraig Brady <P <at> draigBrady.com>
To: Hanno Böck <hanno <at> hboeck.de>, 20998-done <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Tue, 07 Jul 2015 03:28:32 +0100
[Message part 6 (text/plain, inline)]
On 07/07/15 01:45, Pádraig Brady wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer

> Nice one!
> 
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
> 
> diff --git a/src/shred.c b/src/shred.c
> index 63bcd6f..74f7ad9 100644
> --- a/src/shred.c
> +++ b/src/shred.c
> @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
>                    n--;
>                  }
>                p++;
> +              k--;
>              }
>            while (n);
>            break;
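
Review bot: the added `k--` beside `p++` has no comment tying the two together, and the loop still exits only on `while (n)`, so staying inside the table depends entirely on an invariant the code does not state. Since the message notes this restriction was already lost once, a one-line comment on `k--` saying that k counts the patterns still available from `p`, or an assert that k stays positive while `n` is nonzero, would make a future refactor less likely to drop it again.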

Attached is the full patch including a test.
Marking this as done.

thanks!
Pádraig.
[shred-patterns.patch (text/x-patch, attachment)]

This bug report was last modified 10 years and 16 days ago.
