GNU bug report logs - #78507
[Security] Heap Buffer Overflow in GNU Coreutils sort (CWE-122)

Reported by: Med Maatallah <hotelsmaatallahrecemail <at> gmail.com>

Date: Tue, 20 May 2025 11:47:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

View this message in rfc822 format

From: Pádraig Brady <P <at> draigBrady.com>
To: Med Maatallah <hotelsmaatallahrecemail <at> gmail.com>, 78507 <at> debbugs.gnu.org
Subject: bug#78507: [Security] Heap Buffer Overflow in GNU Coreutils sort (CWE-122)
Date: Tue, 20 May 2025 18:15:48 +0100

[Message part 1 (text/plain, inline)]

On 20/05/2025 16:15, Pádraig Brady wrote:
> Indeed. I introduced this in coreutils 7.2 (2009).
> One can repro on Fedora for e.g. with:
> 
> _POSIX2_VERSION=200809 LC_ALL=C valgrind sort +0.18446744073709551615R poc_input.txt
> ==984625== Memcheck, a memory error detector
> ==984625== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
> ==984625== Command: sort +0.18446744073709551615R poc_input.txt
> ==984625==
> ==984625== Invalid read of size 1
> 
> Going back to the more verbose code from coreutils 7.1 avoids the issue.
> I'll test a bit more here and post a full patch in a while.

The attached patch addresses the issue here,
and includes a test verified to trigger with ASAN or valgrind available.
I'll push this later.

thanks,
Pádraig

[sort-under-read.patch (text/x-patch, attachment)]

This bug report was last modified 26 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #78507 [Security] Heap Buffer Overflow in GNU Coreutils sort (CWE-122)

GNU bug report logs - #78507
[Security] Heap Buffer Overflow in GNU Coreutils sort (CWE-122)