GNU bug report logs - #78879
Potential Out-of-Memory in coreutils od

Previous Next

Package: coreutils;

Reported by: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>

Date: Mon, 23 Jun 2025 19:13:03 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>
To: Paul Eggert <eggert <at> cs.ucla.edu>, 78879 <at> debbugs.gnu.org
Subject: bug#78879: Potential Out-of-Memory in coreutils od
Date: Wed, 25 Jun 2025 11:14:49 +0900

[Message part 1 (text/plain, inline)]
I think your argument makes sense, and I now understand your perspective as
well.

But whatever arbitrary limits we impose, there could be problems with
> people who need to go over those limits.


I especially agree with this point, so it's reasonable not to address the
issue related to -w with an arbitrary size.

Thank you for the kind and detailed explanation.

2025년 6월 25일 (수) 오전 4:40, Paul Eggert <eggert <at> cs.ucla.edu>님이 작성:

> On 2025-06-24 06:03, Jaehoon Jang wrote:
>
> > The issue here is not that "od" performs a large task,
> > but that it allows unbounded, unchecked memory allocation from a single
> > user-supplied argument, with no upper bound or safety net, leading to
> > potential denial-of-service.
>
> The memory allocation *is* checked for success, so I assume by
> "unchecked" you mean "we don't check whether the allocation size exceeds
> a limit that we arbitrarily impose". If so, I disagree that this is a
> valid security vulnerability that needs to be addressed.
>
> Many standard programs attempt to allocate lots of memory given
> user-supplied input. "awk" does it. "sort" does it. "diff" does it. They
> all can be part of denial-of-service attacks when asked to do a lot of
> work, just as most nontrivial programs can.
>
> We could impose arbitrary limits on these programs. For example, we
> could say "od -w" can handle at most 1000 or 1000000 or whatever.
> Similarly, we could also say that "diff" can't handle lines longer than
> 255 bytes, or files containing more than 100,000 lines. But whatever
> arbitrary limits we impose, there could be problems with people who need
> to go over those limits.
>
> This is why the GNU coding standards say "Avoid arbitrary limits on the
> length or number of any data structure"[1]. This guideline suggests that
> od -w should not impose an arbitrary limit on the width.
>
> It's longstanding practice that it is not the job of standard programs
> to fend off denial-of-service insider attacks. I don't see why we should
> change that practice for 'od'.
>
> [1]: https://www.gnu.org/prep/standards/html_node/Semantics.html
>

[Message part 2 (text/html, inline)]
This bug report was last modified 3 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.