GNU bug report logs -
#25011
Bugs in PTX Utility
Report forwarded to bug-coreutils <at> gnu.org: bug#25011; Package coreutils. (Thu, 24 Nov 2016 08:59:02 GMT)
Acknowledgement sent to Marcel Böhme <boehme.marcel <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Thu, 24 Nov 2016 08:59:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Dear all,
The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
Below is also a heap-buffer-overflow that doesn't actually crash but is flagged by ASAN as an invalid read of size 1.
Both bugs were found by AFLFast, a fork of AFL. Thanks go out to Van-Thuan Pham.
$ ptx ptx ptx > /dev/null
Segmentation fault
ASAN says:
==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
READ of size 1 at 0x7f2b49433093 thread T0
#0 0x407b8a in define_all_fields ../src/ptx.c:1432
#1 0x407b8a in generate_all_output ../src/ptx.c:1778
#2 0x407b8a in main ../src/ptx.c:2153
#3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
freed by thread T0 here:
#0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
#1 0x414a75 in xrealloc ../lib/xmalloc.c:61
previously allocated by thread T0 here:
#0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
#1 0x414a75 in xrealloc ../lib/xmalloc.c:61
SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields
This is the other one:
$ echo a > ~/a
$ ptx -w1 -A ~/a
=================================================================
==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
READ of size 1 at 0x60200000e818 thread T0
#0 0x4085cc in define_all_fields ../src/ptx.c:1411
#1 0x4085cc in generate_all_output ../src/ptx.c:1778
#2 0x4085cc in main ../src/ptx.c:2153
#3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
allocated by thread T0 here:
#0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
#1 0x4121ed in fread_file ../lib/read-file.c:73
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields
Best regards,
- Marcel
Reply sent to Pádraig Brady <P <at> draigBrady.com>: You have taken responsibility. (Thu, 24 Nov 2016 15:05:01 GMT)
Notification sent to Marcel Böhme <boehme.marcel <at> gmail.com>: bug acknowledged by developer. (Thu, 24 Nov 2016 15:05:02 GMT)
Message #10 received at 25011-done <at> debbugs.gnu.org (full text, mbox):
On 24/11/16 08:57, Marcel Böhme wrote:
> Dear all,
>
> The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
> Below is also a heap-buffer-overflow that doesn't actually crash but is flagged by ASAN as an invalid read of size 1.
>
> Both bugs were found by AFLFast, a fork of AFL. Thanks go out to Van-Thuan Pham.
>
>
> $ ptx ptx ptx > /dev/null
> Segmentation fault
>
> ASAN says:
> ==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
> READ of size 1 at 0x7f2b49433093 thread T0
> #0 0x407b8a in define_all_fields ../src/ptx.c:1432
> #1 0x407b8a in generate_all_output ../src/ptx.c:1778
> #2 0x407b8a in main ../src/ptx.c:2153
> #3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
> #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
> freed by thread T0 here:
> #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
> #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> previously allocated by thread T0 here:
> #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
> #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields
>
>
> This is the other one:
> $ echo a > ~/a
> $ ptx -w1 -A ~/a
> =================================================================
> ==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
> READ of size 1 at 0x60200000e818 thread T0
> #0 0x4085cc in define_all_fields ../src/ptx.c:1411
> #1 0x4085cc in generate_all_output ../src/ptx.c:1778
> #2 0x4085cc in main ../src/ptx.c:2153
> #3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
> #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
> allocated by thread T0 here:
> #0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
> #1 0x4121ed in fread_file ../lib/read-file.c:73
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields
Right, line_width can go negative.
I'll clean up something like this and push.
thanks!
diff --git a/src/ptx.c b/src/ptx.c
index c3b60df..d189678 100644
--- a/src/ptx.c
+++ b/src/ptx.c
@@ -1235,6 +1235,8 @@ fix_output_parameters (void)
if ((auto_reference || input_reference) && !right_reference)
line_width -= reference_max_width + gap_size;
+ if (line_width < 0)
+ line_width = 0;
/* The output lines, minimally, will contain from left to right a left
context, a gap, and a keyword followed by the right context with no
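Review bot: the new `if (line_width < 0) line_width = 0;` clamps silently, so a `-w` value too small to hold the reference column and gap (the `-w1 -A` reproducer) yields output with no text width and no hint why; consider reporting that as a usage error, or at least a warning, instead of silently producing zero-width lines. The clamp also sits right after the reference deduction, while the comment that follows says each line must still hold a left context, gap, keyword and right context; if those are deducted from `line_width` further down, the same guard (or a sensible minimum rather than zero) is needed after that point as well.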
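As an added illustration (a constructed model, not coreutils' ptx code): the width bookkeeping from the hunk above, unpatched beside patched, plus a hypothetical consumer, `copy_accepted_naive` and its checked counterpart, showing why a negative width is dangerous once it reaches a size_t parameter; the struct, all function names and the sample numbers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Parameters named after the ones in the ptx hunk above. */
typedef struct {
    int line_width;          /* requested output width (-w) */
    int reference_max_width; /* width of the reference column (present with -A) */
    int gap_size;            /* gap between reference and text */
} width_params;

/* Unpatched bookkeeping: the reference column and gap are subtracted
   without a floor, so a small -w yields a negative width. */
static int usable_width_unpatched(width_params p, bool has_reference)
{
    int w = p.line_width;
    if (has_reference)
        w -= p.reference_max_width + p.gap_size;
    return w;
}

/* Patched bookkeeping, as in the hunk: negative results are clamped to 0. */
static int usable_width_patched(width_params p, bool has_reference)
{
    int w = usable_width_unpatched(p, has_reference);
    if (w < 0)
        w = 0;
    return w;
}

/* Hypothetical consumer (an assumption, not ptx's real code): a bounds check
   guarding a later copy of `width` bytes at `offset` inside a `len`-byte
   buffer.  A negative int width becomes a huge size_t, and offset + n wraps
   back to a small value, so the check passes and the copy would read past
   the end of the buffer.  Returns true when the copy would be accepted. */
static bool copy_accepted_naive(size_t len, size_t offset, int width)
{
    size_t n = (size_t)width;   /* the conversion a size_t parameter performs */
    return offset + n <= len;   /* unsigned wraparound when width < 0 */
}

/* Hardened check: refuse negative widths before any conversion, and subtract
   instead of adding so nothing can wrap. */
static bool copy_accepted_checked(size_t len, size_t offset, int width)
{
    if (width < 0 || offset > len)
        return false;
    return (size_t)width <= len - offset;
}
```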
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 23 Dec 2016 12:24:04 GMT)