GNU bug report logs - #20998
Out of bounds global read in shred / genpattern()

Package: coreutils

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Mon, 6 Jul 2015 23:43:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


Message #8 received at 20998 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Hanno Böck <hanno <at> hboeck.de>, 
 20998 <at> debbugs.gnu.org
Subject: Re: bug#20998: Out of bounds global read in shred / genpattern()
Date: Tue, 07 Jul 2015 01:45:20 +0100
On 07/07/15 00:29, Hanno Böck wrote:
> Hi,
> 
> There is an out of bounds read error in the function genpattern() in
> shred (coreutils 8.23). This issue only appears randomly.
> 
> To test:
> a) recompile coreutils 8.23 with address sanitizer: ./configure
> CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
> b) create a test file: touch x
> c) run shred multiple times on it with -n 20:
> for i in $(seq 1 1000); do src/shred -n 20 x; done
> 
> You will see the errors. Here's the output from Address Sanitizer:
> 
> ==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
> READ of size 4 at 0x000000416628 thread T0
>     #0 0x40479f in genpattern src/shred.c:782
>     #1 0x4050d9 in do_wipefd src/shred.c:921
>     #2 0x406203 in wipefile src/shred.c:1175
>     #3 0x406b84 in main src/shred.c:1316
>     #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
>     #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)
> 
> 0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
>   '*.LC49' is ascii string '%s: fstat failed'
> 0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
> SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern


Nice one!

It looks like the restriction to the k patterns available
was lost with v5.92-1462-g65533e1 and that this should
fix it up.

diff --git a/src/shred.c b/src/shred.c
index 63bcd6f..74f7ad9 100644
--- a/src/shred.c
+++ b/src/shred.c
@@ -785,6 +785,7 @@ genpattern (int *dest, size_t num, struct randint_source *s)
                   n--;
                 }
               p++;
+              k--;
             }
           while (n);
           break;
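
Review bot: the loop around the added `k--;` still exits only on `while (n)`, so nothing visible in this hunk bounds `p` itself; staying inside the block depends on `k` and `n` shrinking in step. Consider stating that invariant next to `p++;`, for example with a comment or an assertion that `n` never exceeds `k`, and adding a regression test that runs the reporter's `shred -n 20` loop under AddressSanitizer, since the report says the failure only appears randomly.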

thanks!
Pádraig.
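
The effect of the missing decrement, as an added example that is not part of the original message and is not coreutils source: a standalone C sketch of choosing n of k entries with a moving cursor, run with and without the `k--`. The function names, the xorshift generator, the selection test (which lies outside the lines shown in the hunk) and the k = 6, n = 2 sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Deterministic xorshift32 so runs are reproducible (stand-in RNG, assumption). */
static uint32_t rng_state = 2463534242u;
static uint32_t rng_below(uint32_t bound)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state % bound;
}

/* Choose n of the first k entries of src, keeping their order.  Returns how
   many entries the cursor walked over; anything above k means it left the
   block.  limit is the real size of src, so this demo never overreads. */
static size_t pick_n_of_k(const int *src, size_t limit, size_t k, size_t n,
                          int *dst, int decrement_k)
{
    size_t pos = 0;
    while (n && pos < limit) {
        if (n == k || rng_below((uint32_t)k) < n) {
            *dst++ = src[pos];          /* take this entry */
            n--;
        }
        pos++;
        if (decrement_k) k--;           /* the fix: shrink the remaining pool */
    }
    return pos;
}

/* Worst cursor position over many runs, for k = 6 entries and n = 2 picks. */
static size_t worst_walk(int decrement_k, int runs)
{
    int table[64] = {0}, out[2];  /* constructed data: 6 entries plus padding */
    size_t worst = 0;
    for (int i = 0; i < runs; i++) {
        size_t w = pick_n_of_k(table, 64, 6, 2, out, decrement_k);
        if (w > worst) worst = w;
    }
    return worst;
}

int main(void)
{
    printf("without k--: cursor reached %zu of 6\n", worst_walk(0, 1000));
    printf("with k--:    cursor reached %zu of 6\n", worst_walk(1, 1000));
    return 0;
}
```

With the decrement, `n == k` eventually forces the remaining picks, so the cursor stops within the k entries; without it, each pick stays a matter of chance and the cursor can run on, which matches the intermittent failure in the report.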




This bug report was last modified 10 years and 16 days ago.
