From: bug#25023 <25023@debbugs.gnu.org>
Subject: Status: Bug PR utility with -S option
Date: Wed, 18 Jun 2025 03:16:37 +0000

retitle 25023 Bug PR utility with -S option
reassign 25023 coreutils
submitter 25023 Marcel Böhme
severity 25023 normal
thanks

From: Marcel Böhme
Subject: Bug PR utility with -S option
Date: Fri, 25 Nov 2016 10:36:47 +0800
To: bug-coreutils@gnu.org

Dear all,

The following input to PR does not crash the program but ASAN reports a buffer overflow.
The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.

$ echo a > a
$ pr "-S$(printf "\t\t\t")" a -m a > /dev/null

=================================================================
==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
READ of size 1 at 0x00000041b622 thread T0
    #0 0x40506a in print_sep_string ../src/pr.c:2241
    #1 0x407ec4 in read_line ../src/pr.c:2493
    #2 0x40985c in print_page ../src/pr.c:1802
    #3 0x40985c in print_files ../src/pr.c:1618
    #4 0x4036e0 in main ../src/pr.c:1136
    #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x404209 (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)

0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
  '*.LC12' is ascii string '%*d'
0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
  '*.LC11' is ascii string ' '
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Best regards,
- Marcel

Subject: Re: bug#25023: Bug PR utility with -S option
To: Marcel Böhme, 25023-done@debbugs.gnu.org
From: Pádraig Brady
Date: Fri, 25 Nov 2016 14:10:21 +0000

On 25/11/16 02:36, Marcel Böhme wrote:
> Dear all,
>
> The following input to PR does not crash the program but ASAN reports a buffer overflow.
> The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.
>
> $ echo a > a
> $ pr "-S$(printf "\t\t\t")" a -m a > /dev/null
>
> =================================================================
> ==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
> READ of size 1 at 0x00000041b622 thread T0
>     #0 0x40506a in print_sep_string ../src/pr.c:2241
>     #1 0x407ec4 in read_line ../src/pr.c:2493
>     #2 0x40985c in print_page ../src/pr.c:1802
>     #3 0x40985c in print_files ../src/pr.c:1618
>     #4 0x4036e0 in main ../src/pr.c:1136
>     #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #6 0x404209 (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)
>
> 0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
>   '*.LC12' is ascii string '%*d'
> 0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
>   '*.LC11' is ascii string ' '
> SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Fixed in the attached.

thanks!

[Attachment: pr-S-error.patch]

From d91aeef0527bf8ec0f83c3c3b69f3979c0b4c4a0 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Fri, 25 Nov 2016 13:46:23 +0000
Subject: [PATCH] pr: fix read from invalid memory with tabs in separator

This was detected with:
  echo a > a; pr "-S$(printf "\t\t\t")" a -m a > /dev/null
Resulting in ASAN triggering:
  ====================================================
  ERROR: AddressSanitizer: global-buffer-overflow
  READ of size 1 at 0x00000041b622 thread T0
  #0 0x40506a in print_sep_string ../src/pr.c:2241
  #1 0x407ec4 in read_line ../src/pr.c:2493
  #2 0x40985c in print_page ../src/pr.c:1802
  #3 0x40985c in print_files ../src/pr.c:1618
  #4 0x4036e0 in main ../src/pr.c:1136

* src/pr.c (init_parameters): Ensure we only override the
specified separator when it's a single tab, thus matching
the calculated separator length.
* tests/pr/pr-tests.pl: Add a test case.
* NEWS: Mention the fix.
--- NEWS | 4 ++++ src/pr.c | 2 +- tests/pr/pr-tests.pl | 7 +++++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index edfbdfa..ba7679f 100644 --- a/NEWS +++ b/NEWS @@ -35,6 +35,10 @@ GNU coreutils NEWS -*- outline -*- nl now resets numbering for each page section rather than just for each page. [This bug was present in "the beginning".] + pr now handles specified separator strings containing tabs correctly. + Previously it would have output random data from memory. + [This bug was detected with ASAN and present in "the beginning".] + sort -h -k now works even in locales that use blank as thousands separator. stty --help no longer outputs extraneous gettext header lines diff --git a/src/pr.c b/src/pr.c index 20e8637..26f221f 100644
--- a/src/pr.c +++ b/src/pr.c @@ -1233,7 +1233,7 @@ init_parameters (int number_of_files) } /* It's rather pointless to define a TAB separator with column alignment */ - else if (!join_lines && *col_sep_string == '\t') + else if (!join_lines && col_sep_length == 1 && *col_sep_string == '\t') col_sep_string = column_separator; truncate_lines = true; diff --git a/tests/pr/pr-tests.pl b/tests/pr/pr-tests.pl index 4d85dc9..ec3980a 100755 --- a/tests/pr/pr-tests.pl +++ b/tests/pr/pr-tests.pl @@ -467,6 +467,13 @@ push @Tests, {IN=>{3=>"x\ty\tz\n"}}, {OUT=>join("\t", qw(a b c m n o x y z)) . "\n"} ]; +# This resulted in reading invalid memory before coreutils-8.26 +push @Tests, + ['asan1', "-m -S'\t\t\t' -t", + {IN=>{1=>"a\n"}}, + {IN=>{2=>"a\n"}}, + {OUT=>"a\t\t\t\t \t\t\ta\n"} ]; + @Tests = triple_test \@Tests; my $save_temps = $ENV{DEBUG}; -- 2.5.5

From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 24 Dec 2016 12:24:04 +0000

bug archived.
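
Review bot: The NEWS entry does not name the option involved. The report and the new test both use -S, so wording such as "pr -S now handles separator strings containing tabs correctly" would let a reader searching NEWS for the option find the fix.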
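
Review bot: In the src/pr.c hunk (init_parameters), the comment above the changed condition still only says a TAB separator is pointless with column alignment and gives no reason for the new `col_sep_length == 1` test. In the lines shown, `col_sep_string = column_separator;` replaces the pointer without touching col_sep_length, which is why the override is only valid for a one-character separator. Either say so in the comment, or assign the length alongside the pointer in this branch so the two cannot drift apart again.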
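
Review bot: The asan1 case added to tests/pr/pr-tests.pl covers only the three-tab separator, which the new condition no longer overrides; nothing in the hunk checks that a single-tab -S is still replaced by the default separator, which is the behaviour the `col_sep_length == 1` branch is meant to keep. A companion case with -S'\t' and the same two inputs would pin that down. The original report says the run does not crash, so in a non-ASAN build the expected-output comparison is the only thing that catches a regression, and the test comment could say that.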
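
The pointer/length mismatch behind the report, as an added C model that is not coreutils code and not part of the thread. col_sep_string, col_sep_length, column_separator and join_lines are names from the patch; struct sep_state, init_separator and first_oob_offset are hypothetical. It assumes the print loop reads col_sep_length bytes starting at col_sep_string, and it only computes offsets, so nothing is read out of bounds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Default separator: one space plus NUL, 2 bytes like '*.LC11' in the report. */
static const char column_separator[] = " ";

struct sep_state {
  const char *col_sep_string;  /* string the print loop walks */
  size_t col_sep_length;       /* number of bytes the print loop reads */
  size_t storage;              /* bytes actually backing col_sep_string */
};

/* Model of "-S ARG" followed by the override in init_parameters.
   fixed=false uses the pre-patch condition, fixed=true the patched one. */
static struct sep_state
init_separator (const char *arg, bool join_lines, bool fixed)
{
  struct sep_state s = { arg, strlen (arg), strlen (arg) + 1 };
  bool is_tab = *s.col_sep_string == '\t';
  if (fixed)
    is_tab = is_tab && s.col_sep_length == 1;
  if (!join_lines && is_tab)
    {
      s.col_sep_string = column_separator;  /* length is not recomputed */
      s.storage = sizeof column_separator;
    }
  return s;
}

/* Offset of the first byte a length-driven loop would read outside the
   string's storage, or -1 if every read stays in bounds. */
static long
first_oob_offset (struct sep_state s)
{
  return s.col_sep_length > s.storage ? (long) s.storage : -1;
}

int
main (void)
{
  const char *args[] = { "\t", "\t\t\t", ", " };  /* constructed inputs */
  for (size_t i = 0; i < 3; i++)
    printf ("len=%zu  pre-patch oob=%ld  patched oob=%ld\n", strlen (args[i]),
            first_oob_offset (init_separator (args[i], false, false)),
            first_oob_offset (init_separator (args[i], false, true)));
  return 0;
}
```

For the three-tab separator the pre-patch model yields offset 2, which lines up with the ASAN address 0x41b622 sitting directly after the two-byte global at 0x41b620.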