GNU bug report logs -
#78879
Potential Out-of-Memory in coreutils od
Previous Next
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your bug report
#78879: Potential Out-of-Memory in coreutils od
which was filed against the coreutils package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 78879 <at> debbugs.gnu.org.
--
78879: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78879
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
On 24/06/2025 16:29, Philip Rowlands wrote:
> Small typo in
>
> + 'od -w foo' will now issue a diagnostic an exit.
Cool, I'd already changed that locally to:
'od -w0' will now issue a diagnostic and exit gracefully.
Marking this bug done.
thanks!
Padraig
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Potential Out-of-Memory Risk in coreutils od Due to Inadequate Argument
Validation for -w Option
*Description*
```
$ src/od -w0 /bin/ls
Aborted
```
```
1835 if (s_err != LONGINT_OK || w_tmp <= 0)
1836 xstrtol_fatal (s_err, oi, c, long_options, optarg);
```
We confirmed that when the argument for -w is set to 0, the program
correctly handles the case by checking whether w_tmp is less than or equal
to zero and raises an appropriate exception.
```
$ src/od -w4294967299223422228333 /bin/ls
od: -w argument '4294967299223422228333' too large
```
```
1837 if (ckd_add (&desired_width, w_tmp, 0))
1838 error (EXIT_FAILURE, 0, _("%s is too large"), quote (optarg));
```
We also observed that when the -w argument is extremely large, the program
handles the case properly through the use of ckd_add to prevent unsafe
allocation.
*ASAN Log*
```
$ src/od -w429496729922348 /bin/ls
=================================================================
==1151683==ERROR: AddressSanitizer: requested allocation size
0x30d400009d658 (0x30d400009e658 after adjustments for alignment, red zones
etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x49c843 in __interceptor_realloc (coreutils/src/od+0x49c843)
#1 0x4dd99d in xreallocarray coreutils/lib/xmalloc.c:84:13
#2 0x4dd99d in xnmalloc coreutils/lib/xmalloc.c:102:10
#3 0x7f30f39c7d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==1151683==HINT: if you don't care about these errors you may set
allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big
(coreutils/src/od+0x49c843) in __interceptor_realloc
==1151683==ABORTING
```
However, for certain specific values of -w, these two checks can be
bypassed, resulting in the program attempting to allocate an excessively
large amount of memory.
```
1427 dump (void)
1428 {
1429 char *block[2];
1430 uintmax_t current_offset;
1431 bool idx = false;
1432 bool ok = true;
1433 size_t n_bytes_read;
1434
1435 block[0] = xnmalloc (2, bytes_per_block);
```
This happens because the parsed -w value is passed to bytes_per_block,
which is then used in a call to xnmalloc, leading to potentially dangerous
memory allocation.
To mitigate this issue, we suggest adding a proper argument validation
check to handle such edge cases safely.
*Build options*```
git clone https://github.com/coreutils/coreutils
export GNULIB_SRCDIR=./gnulib
export FORCE_UNSAFE_CONFIGURE=1
./bootstrap
CC="clang -g -fsanitize=address" CXX="clang -g -fsanitize=address"
./configure $CONFIG_OPTIONS
make -j
```
*Program version*```
$ src/od --version
od (GNU coreutils) 9.7.52-b7db77
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <
https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Jim Meyering.
```
[Message part 5 (text/html, inline)]
This bug report was last modified 3 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.