GNU bug report logs - #20998: Out of bounds global read in shred / genpattern()
Reported by: Hanno Böck <hanno <at> hboeck.de>
Date: Mon, 6 Jul 2015 23:43:02 UTC
Severity: normal
Done: Pádraig Brady <P <at> draigBrady.com>
Bug is archived. No further changes may be made.
On Mon, Jul 6, 2015 at 5:45 PM, Pádraig Brady <P <at> draigbrady.com> wrote:
> On 07/07/15 00:29, Hanno Böck wrote:
>> Hi,
>>
>> There is an out of bounds read error in the function genpattern() in
>> shred (coreutils 8.23). This issue only appears randomly.
>>
>> To test:
>> a) recompile coreutils 8.23 with address sanitizer: ./configure
>> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
>> b) create a test file: touch x
>> c) run shred multiple times on it with -n 20:
>> for i in $(seq 1 1000); do src/shred -n 20 x; done
>>
>> You will see the errors. Here's the output from Address Sanitizer:
>>
>> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
>> READ of size 4 at 0x000000416628 thread T0
...
>> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
>
>
> Nice one!
>
> It looks like the restriction to the k patterns available
> was lost with v5.92-1462-g65533e1 and that this should
> fix it up.
>
> diff --git a/src/shred.c b/src/shred.c
> index 63bcd6f..74f7ad9 100644
> --- a/src/shred.c
> +++ b/src/shred.c
> @@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
> n--;
> }
> p++;
> + k--;
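Review bot: the added `k--` right after `p++` at the end of this hunk is unconditional in the visible lines, so please confirm that the enclosing loop always exits before k reaches zero; a further decrement would wrap if k is unsigned or go negative if it is signed, and the restriction to the k available patterns would be lost again. A short comment on that line, for example `/* one fewer pattern left in this block */`, would record why the counter has to move together with `p`, given that this pairing was already dropped once in v5.92-1462-g65533e1. A regression test built from the reporter's AddressSanitizer loop (`src/shred -n 20 x`, repeated) would keep it from recurring.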
Nice one, indeed. Thanks to both of you!
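The failure mode discussed in this thread, a cursor that advances while the count of remaining entries does not, shown as an added example that is not coreutils code. It is a constructed selection-sampling loop: `pick`, `block`, `draw_lcg`, `draw_unlucky`, `STOP` and the sampling rule itself are assumptions for illustration, and indices past the block are counted rather than read.

```c
/* Constructed sketch: choose n of the K entries in a block, taking each
   remaining entry with probability n/k (selection sampling). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { K = 8, STOP = 64 };      /* constructed block size; safety stop */
static const int block[K] = { 10, 11, 12, 13, 14, 15, 16, 17 };

static uint32_t lcg_state = 1;
static uint32_t draw_lcg (uint32_t k)      /* pseudo-random value in [0, k) */
{
  lcg_state = lcg_state * 1664525u + 1013904223u;
  return (lcg_state >> 16) % k;
}
static uint32_t draw_unlucky (uint32_t k)  /* worst case: largest value in [0, k) */
{
  return k - 1;
}

/* Returns how many entries were examined; a result above K means the cursor
   left the block.  Indices >= K are recorded as -1 instead of dereferenced.
   track_k == 0 models the loop without the remaining-count decrement. */
static size_t pick (int *d, size_t n, uint32_t (*draw) (uint32_t), int track_k)
{
  size_t k = K, i = 0;
  while (n && i < STOP)
    {
      if (n == k || draw ((uint32_t) k) < n)
        {
          *d++ = i < K ? block[i] : -1;
          n--;
        }
      i++;                      /* the cursor advances on every iteration ... */
      if (track_k)
        k--;                    /* ... so the count left must shrink with it */
    }
  return i;
}

int main (void)
{
  int out[K];
  printf ("tracked k, unlucky draws:   examined %zu of %d\n", pick (out, 3, draw_unlucky, 1), K);
  printf ("untracked k, unlucky draws: examined %zu of %d\n", pick (out, 3, draw_unlucky, 0), K);
  printf ("untracked k, LCG draws:     examined %zu of %d\n", pick (out, 3, draw_lcg, 0), K);
  return 0;
}
```

With the count tracked, `n == k` forces the last entries to be taken, so the loop cannot examine more than K entries whatever the draws are; without it, termination depends on luck, which matches the "only appears randomly" symptom in the report.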
This bug report was last modified 10 years and 17 days ago.