GNU bug report logs - #75606
undefined behaviour in sort.c

Previous Next

Package: coreutils;

Reported by: Bruno Haible <bruno <at> clisp.org>

Date: Thu, 16 Jan 2025 16:20:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Bruno Haible <bruno <at> clisp.org>
Subject: bug#75606: closed (Re: bug#75606: undefined behaviour in sort.c)
Date: Thu, 16 Jan 2025 17:25:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#75606: undefined behaviour in sort.c

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 75606 <at> debbugs.gnu.org.

-- 
75606: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=75606
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Bruno Haible <bruno <at> clisp.org>
Cc: 75606-done <at> debbugs.gnu.org
Subject: Re: bug#75606: undefined behaviour in sort.c
Date: Thu, 16 Jan 2025 09:24:29 -0800

[Message part 3 (text/plain, inline)]
Thanks for reporting that. I installed the attached to fix it.
[0001-sort-fix-debug-buffer-overrun.patch (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Bruno Haible <bruno <at> clisp.org>
To: bug-coreutils <at> gnu.org
Subject: undefined behaviour in sort.c
Date: Thu, 16 Jan 2025 17:18:53 +0100

Testing the current coreutils with the current gnulib, there is an
undefined behaviour in sort.c, in or around the functions
  debug_line
  debug_key
  debug_width

 ------------------------------------------------------------------------------

Found by building on Ubuntu 24.04, with clang 19,

CC="clang -fsanitize=address,undefined,signed-integer-overflow,shift,integer-divide-by-zero -fno-sanitize-recover=undefined"

and running the test suite. The log shows this:

+ printf 'A\tchr10\nB\tchr1\n'
+ sort -s -k2.4b,2.3n --debug
sort: text ordering performed using simple byte comparison
sort: leading blanks are significant in key 1; consider also specifying 'b'
sort: note numbers use '.' as a decimal point in this locale
../lib/mbswidth.c:60:26: runtime error: addition of unsigned offset to 0x76f80b601805 overflowed to 0x76f80b601804
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../lib/mbswidth.c:60:26 
../tests/sort/sort-debug-keys.sh: line 292: 345166 Done                    printf 'A\tchr10\nB\tchr1\n'
     345167 Aborted                 | sort -s -k2.4b,2.3n --debug

 ------------------------------------------------------------------------------

How to reproduce without clang and UBSAN:

$ printf 'A\tchr10\nB\tchr1\n' > in
$ gdb src/sort
(gdb) break mbsnwidth
(gdb) run -s -k2.4b,2.3n --debug < in

The first time the mbsnwidth function is invoked:
Breakpoint 1, mbsnwidth (string=0x51d000000a80 "A\tchr10", nbytes=5, flags=0) at ../lib/mbswidth.c:59

The second time the mbsnwidth function is invoked:
Breakpoint 1, mbsnwidth (string=0x51d000000a85 "10", nbytes=18446744073709551615, flags=0) at ../lib/mbswidth.c:59

The nbytes value is obviously bogus. The documentation of mbsnwidth() says:
  /* Returns the number of screen columns needed for the NBYTES bytes
     starting at BUF.  */
  extern int mbsnwidth (const char *buf, size_t nbytes, int flags);

Stack trace at the second invocation:

(gdb) where
#0  mbsnwidth (string=0x51d000000a85 "10", nbytes=18446744073709551615, flags=0) at ../lib/mbswidth.c:59
#1  0x00005555556bff9e in debug_width (text=0x51d000000a85 "10", lim=0x51d000000a84 "r10") at ../src/sort.c:2326
#2  0x00005555556bfee6 in debug_key (line=0x51d000001280, key=0x5070000001e0) at ../src/sort.c:2415
#3  0x00005555556beabc in debug_line (line=0x51d000001280) at ../src/sort.c:2427
#4  0x00005555556b487f in write_line (line=0x51d000001280, fp=0x7ffff78045c0 <_IO_2_1_stdout_>, output_file=0x0) at ../src/sort.c:2942
#5  0x00005555556cc3be in write_unique (line=0x51d000001280, tfp=0x7ffff78045c0 <_IO_2_1_stdout_>, temp_output=0x0) at ../src/sort.c:3577
#6  0x00005555556d15c8 in mergelines_node (node=0x51d000001500, total_lines=2, tfp=0x7ffff78045c0 <_IO_2_1_stdout_>, temp_output=0x0)
    at ../src/sort.c:3624
#7  0x00005555556cf27f in merge_loop (queue=0x7ffff59096c0, total_lines=2, tfp=0x7ffff78045c0 <_IO_2_1_stdout_>, temp_output=0x0)
    at ../src/sort.c:3708
#8  0x00005555556cbff7 in sortlines (lines=0x51d0000012a0, nthreads=8, total_lines=2, node=0x51d000001500, queue=0x7ffff59096c0, 
    tfp=0x7ffff78045c0 <_IO_2_1_stdout_>, temp_output=0x0) at ../src/sort.c:3825
#9  0x00005555556ae58f in sort (files=0x502000000418, nfiles=0, output_file=0x0, nthreads=8) at ../src/sort.c:4124
#10 0x00005555556a2d20 in main (argc=4, argv=0x7fffffffd0c8) at ../src/sort.c:4900

Bruno
This bug report was last modified 120 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.