From unknown Sat Aug 16 21:21:38 2025
Subject: bug#25003: Bug in SPLIT utility
Resent-From: Marcel Böhme
Resent-Date: Wed, 23 Nov 2016 16:30:02 +0000
To: 25003@debbugs.gnu.org
X-Debbugs-Original-To: bug-coreutils@gnu.org
From: Marcel Böhme
Date: Wed, 23 Nov 2016 21:22:30 +0800

Dear all,

We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
We’ll be reporting each found bug separately.

On Coreutils v8.25 and trunk, the following input crashes.
Option -n was introduced with v8.8.
$ ./split -n7/75 7
Segmentation fault

ASAN says:
=================================================================
==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
    #0 0x7f8820eb9a10 in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
    #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
    #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
    #3 0x404d12 in main ../src/split.c:1625
    #4 0x7f881fd9cf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x4064a9 (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)

0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region [0x7f8821f99800,0x7f8821fba800)
allocated by thread T0 here:
    #0 0x7f8820f193a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove

Best regards,
- Marcel

From unknown Sat Aug 16 21:21:38 2025
Subject: bug#25003: Bug in SPLIT utility
Resent-From: Jim Meyering
Resent-Date: Wed, 23 Nov 2016 17:32:01 +0000
To: Marcel Böhme
Cc: 25003@debbugs.gnu.org
From: Jim Meyering
Date: Wed, 23 Nov 2016 09:30:59 -0800

On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme wrote:
> On Coreutils v8.25 and trunk, the following input crashes.
> Option -n was introduced with v8.8.
>
> $ ./split -n7/75 7
> Segmentation fault

Thank you for the report.
Would you please provide the contents of your file named "7"?

From unknown Sat Aug 16 21:21:38 2025
Subject: bug#25003: Bug in SPLIT utility
Resent-From: Pádraig Brady
Resent-Date: Wed, 23 Nov 2016 22:17:03 +0000
To: Jim Meyering, Marcel Böhme
Cc: 25003@debbugs.gnu.org
From: Pádraig Brady
Date: Wed, 23 Nov 2016 22:16:40 +0000

On 23/11/16 17:30, Jim Meyering wrote:
> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme wrote:
>> $ ./split -n7/75 7
>> Segmentation fault
>
> Thank you for the report.
> Would you please provide the contents of your file named "7"?

That's immaterial I think. I can reproduce with:

  src/split -n2/3 /dev/null

I'll dig into these

From unknown Sat Aug 16 21:21:38 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Marcel Böhme
Subject: bug#25003: closed (Re: bug#25003: Bug in SPLIT utility)
Reply-To: 25003@debbugs.gnu.org
Date: Thu, 24 Nov 2016 00:22:02 +0000

Your bug report

#25003: Bug in SPLIT utility

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 25003@debbugs.gnu.org.

-- 
25003: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25003
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Content-Type: message/rfc822
Subject: Re: bug#25003: Bug in SPLIT utility
To: Jim Meyering,
    Marcel Böhme
From: Pádraig Brady
Date: Thu, 24 Nov 2016 00:21:24 +0000
Cc: 25003-done@debbugs.gnu.org

On 23/11/16 22:16, Pádraig Brady wrote:
> On 23/11/16 17:30, Jim Meyering wrote:
>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme wrote:
>>> On Coreutils v8.25 and trunk, the following input crashes.
>>> Option -n was introduced with v8.8.
>>>
>>> $ ./split -n7/75 7
>>> Segmentation fault
>>
>> Thank you for the report.
>> Would you please provide the contents of your file named "7"?
>
> That's immaterial I think. I can reproduce with:
>   src/split -n2/3 /dev/null
> I'll dig into these

Patch attached.

thanks!
Pádraig

Content-Type: text/x-patch; name="split-n-corruption.patch"
Content-Disposition: attachment; filename="split-n-corruption.patch"

>From 2ecc0890aa9fb182fe4362475d2d040607219cb1 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Thu, 24 Nov 2016 00:03:16 +0000
Subject: [PATCH] split: fix memory corruption during chunk extraction

ASAN reported this error for: split -n2/3 /dev/null

ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x7f0d4c36951d in __asan_memmove (/lib64/libasan.so.2+0x8d51d)
    #1 0x404e06 in memmove /usr/include/bits/string3.h:59
    #2 0x404e06 in bytes_chunk_extract src/split.c:988
    #3 0x404e06 in main src/split.c:1626

Specifically there would be invalid memory access and subsequent processing if the chunk to be extracted was beyond the initial amount read from file (which is currently capped at 128KiB).

This issue is not in a released version, only being introduced in commit v8.25-4-g62e7af0

* src/split.c (bytes_chunk_extract): The initial_read != SIZE_MAX should have been combined with && rather than ||, but also this condition is always true in this function so remove entirely.
* tests/split/b-chunk.sh: Add a test case.
Fixes http://bugs.gnu.org/25003
---
 src/split.c            | 2 +-
 tests/split/b-chunk.sh | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/split.c b/src/split.c index f9c99db..9a0704c 100644 --- a/src/split.c +++ b/src/split.c @@ -982,7 +982,7 @@ bytes_chunk_extract (uintmax_t k, uintmax_t n, char *buf, size_t bufsize, start = (k - 1) * (file_size / n); end = (k == n) ? file_size : k * (file_size / n); - if (initial_read != SIZE_MAX || start < initial_read) + if (start < initial_read) { memmove (buf, buf + start, initial_read - start); initial_read -= start; diff --git a/tests/split/b-chunk.sh b/tests/split/b-chunk.sh index 8475f96..c6619a2 100755 --- a/tests/split/b-chunk.sh +++ b/tests/split/b-chunk.sh
@@ -25,9 +25,14 @@ split -n 10 /dev/null || fail=1 test "$(stat -c %s x* | uniq -c | sed 's/^ *//; s/ /x/')" = "10x0" || fail=1 rm -f x?? +# When extracting K of N where N > file size +# no data is extracted, and no files are written +split -n 2/3 /dev/null || fail=1 +returns_ 1 stat x?? 2>/dev/null || fail=1 + # Ensure --elide-empty-files is honored split -e -n 10 /dev/null || fail=1 -stat x?? 2>/dev/null && fail=1 +returns_ 1 stat x?? 2>/dev/null || fail=1 printf '1\n2\n3\n4\n5\n' > input || framework_failure_ -- 2.5.5
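Review bot: the new condition `if (start < initial_read)` in the src/split.c hunk is a bounds check rather than an optimisation, and nothing in the hunk says so; a one-line comment above it noting that `start` may lie beyond the bytes already buffered in `initial_read` (the commit message's "chunk beyond the initial amount read", capped at 128KiB) and that `initial_read - start` would otherwise wrap to the size ASAN reports as negative would spare the next reader from re-deriving the crash. Since the old condition was always true, the branch taken when the new test is false has never run before; this hunk shows only the memmove side, so it is worth confirming in review that the new test case actually drives that other path.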
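Review bot: the tests/split/b-chunk.sh hunk also rewrites the existing --elide-empty-files assertion from `stat x?? 2>/dev/null && fail=1` to `returns_ 1 stat x?? 2>/dev/null || fail=1`, which tightens it (stat must now exit with status 1 exactly) but is not covered by the commit message's "Add a test case" entry; either mention it in the ChangeLog entry or split it out. The new case only exercises zero-length input; a small non-empty file with N larger than its size, the shape of the reporter's `split -n7/75 7`, would exercise the `start < initial_read` boundary with data actually present in the buffer.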
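The arithmetic behind the crash, as an added C model that is not coreutils code: it reproduces the chunk range computation and both guards from the hunk above, shows the wrapped length the buggy guard would pass to memmove for `-n2/3` and `-n7/75` on empty input, and extracts chunks from an in-memory input with the fixed logic. Function names, the in-memory stand-in for the lseek, and the assumption that split raises file_size to at least n before computing ranges (implied by the reported sizes -1 and -6) are this example's own.

```c
/* Added model of the -n K/N chunk arithmetic in GNU split's bytes_chunk_extract
   and of the guard fixed in bug#25003.  Example code, not coreutils source: names
   are its own, and it assumes (as the reported sizes -1 and -6 imply) that split
   raises file_size to at least n before computing chunk ranges.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* [start, end) of chunk k of n, as in the hunk; the last chunk takes the rest.  */
static uintmax_t
chunk_start (uintmax_t k, uintmax_t n, uintmax_t file_size)
{
  file_size = MAX (file_size, n);                 /* assumed clamp, see above */
  return (k - 1) * (file_size / n);
}

static uintmax_t
chunk_end (uintmax_t k, uintmax_t n, uintmax_t file_size)
{
  file_size = MAX (file_size, n);
  return (k == n) ? file_size : k * (file_size / n);
}

/* The pre-fix guard and the length it hands to memmove.  initial_read is never
   SIZE_MAX here, so the `||' makes the guard always true; when start exceeds
   initial_read the unsigned subtraction wraps, which ASAN reports as a negative
   size.  Computed only; nothing is moved.  */
static size_t
buggy_move_len (size_t initial_read, uintmax_t start)
{
  bool guard = initial_read != SIZE_MAX || start < initial_read;
  return guard ? (size_t) (initial_read - start) : 0;
}

/* The fixed guard: reuse the buffer only if the chunk starts inside it.  */
static bool
guard_fixed (size_t initial_read, uintmax_t start)
{
  return start < initial_read;
}

/* Extract chunk k of n from an in-memory "file" with the fixed logic.  bufsize
   models split's read buffer (128 KiB in the tool, at most 256 here).  Returns
   the bytes written to out, or (size_t) -1 if out is too small; a chunk beyond
   the data yields 0 bytes, as the patch's new test expects.  */
static size_t
extract_chunk (uintmax_t k, uintmax_t n, const char *data, size_t data_len,
               size_t bufsize, char *out, size_t outcap)
{
  char buf[256];
  bufsize = MIN (bufsize, sizeof buf);
  size_t initial_read = MIN (data_len, bufsize);  /* split's up-front read */
  memcpy (buf, data, initial_read);
  size_t pos = initial_read;                      /* next unread offset */
  uintmax_t start = chunk_start (k, n, data_len), end = chunk_end (k, n, data_len);
  if (guard_fixed (initial_read, start))
    {
      memmove (buf, buf + start, initial_read - start);
      initial_read -= start;
    }
  else
    {
      pos = MIN (start, data_len);                /* stands in for the lseek */
      initial_read = SIZE_MAX;                    /* nothing left buffered */
    }
  size_t written = 0;
  while (start < end)
    {
      size_t n_read = initial_read;               /* drain the buffer first, */
      if (n_read != SIZE_MAX)
        initial_read = SIZE_MAX;
      else                                        /* then keep reading */
        {
          n_read = MIN (bufsize, data_len - pos);
          memcpy (buf, data + pos, n_read);
          pos += n_read;
        }
      if (n_read == 0)
        break;                                    /* EOF: nothing to write */
      n_read = MIN (n_read, end - start);
      if (written + n_read > outcap)
        return (size_t) -1;
      memcpy (out + written, buf, n_read);
      written += n_read;
      start += n_read;
    }
  return written;
}

/* True if chunk k of n of the NUL-terminated input equals expected.  */
static bool
chunk_equals (uintmax_t k, uintmax_t n, const char *input, size_t bufsize,
              const char *expected)
{
  char out[64];
  size_t got = extract_chunk (k, n, input, strlen (input), bufsize, out, sizeof out);
  return got == strlen (expected) && memcmp (out, expected, got) == 0;
}
```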
From unknown Sat Aug 16 21:21:38 2025
Subject: bug#25003: Bug in SPLIT utility
Resent-From: Jim Meyering
Resent-Date: Thu, 24 Nov 2016 01:35:01 +0000
To: Pádraig Brady
Cc: Marcel Böhme, 25003-done@debbugs.gnu.org
From: Jim Meyering
Date: Wed, 23 Nov 2016 17:34:29 -0800

On Wed, Nov 23, 2016 at 4:21 PM, Pádraig Brady wrote:
> On 23/11/16 22:16, Pádraig Brady wrote:
>> On 23/11/16 17:30, Jim Meyering wrote:
>>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme wrote:
>>>> $ ./split -n7/75 7
>>>> Segmentation fault
>>>
>>> Thank you for the report.
>>> Would you please provide the contents of your file named "7"?
>>
>> That's immaterial I think. I can reproduce with:
>>   src/split -n2/3 /dev/null
>> I'll dig into these

Looks perfect. Thanks!