From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#16855: closed (report a bug about shuf)
Date: Sun, 23 Feb 2014 23:38:02 +0000
Your message dated Sun, 23 Feb 2014 15:37:41 -0800 with message-id <address@hidden> and subject line Re: bug#16855: report a bug about shuf has caused the debbugs.gnu.org bug report #16855, regarding report a bug about shuf to be marked as done.

(If you believe you have received this mail in error, please contact address@hidden)

--
16855: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16855
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: report a bug about shuf
Date: Sun, 23 Feb 2014 16:03:59 +0800

Hi,

We have found a bug in shuf, and we think it may result in a security problem. We compiled coreutils 8.22, which was downloaded from http://ftp.gnu.org/gnu/coreutils/, and ran it on my box, which is Ubuntu 12.04 x64. The bug details are as follows.
### Bug overview
shuf -er or shuf -eer [segmentation fault]
impact [coreutils 8.22]
```
[15:03:address@hidden:~/data/xqx/projects/coreutils-8.22$ ./obj-gcov/src/shuf -er
Segmentation fault (core dumped)
```
### Analysis
When shuf executes -e without being given the expected input lines, it will assign n_lines to 0 in "write_random_lines" while "repeat" (-r) is set, and this variable will be used as the genmax parameter when the "randint_genmax" function is called. The code is as follows in shuf.c:
```
for (i = 0; i < count; i++)
  {
    const randint j = randint_choose (s, n_lines);
    char *const *p = lines + j;
    size_t len = p[1] - p[0];
    if (fwrite (p[0], sizeof *p[0], len, stdout) != len)
      return -1;
  }
```
'j' will be a random number between 0 and 0xffffffffffffffff on my 64-bit Ubuntu, and 'p' will be an unexpected pointer which will be accessed next. When p points to illegal memory, accessing it will be an error, which may result in a segmentation fault.
If an attacker could control the random number generated by randint_choose, it may be possible to get information without legal authority. However, it may be difficult.
yours
xqx
--- End Message ---
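The failure mode analyzed in the report above, with one way to guard against it, as an added example that is not from the original messages or from coreutils. The names `next_u64`, `genmax_for`, `choose`, `write_repeat_checked` and `demo` are hypothetical, the `choices - 1` bound is an assumption modeled on the report's description, and the guard is not the committed patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the random source (xorshift64, nonzero state). */
static uint64_t next_u64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Assumed model of "pick one of `choices` values": the inclusive upper
   bound is choices - 1, which wraps to UINT64_MAX when choices is 0. */
static uint64_t genmax_for(uint64_t choices) { return choices - 1; }

static uint64_t choose(uint64_t *s, uint64_t choices) {
    uint64_t genmax = genmax_for(choices);
    if (genmax == UINT64_MAX) return next_u64(s);   /* any 64-bit value */
    return next_u64(s) % (genmax + 1);              /* bias ignored in this sketch */
}

/* The repeat loop with a guard. Copies into `out` instead of stdout so the
   result can be checked. Returns bytes written, or -1 on an empty set. */
static long write_repeat_checked(uint64_t *s, char *const *lines, size_t n_lines,
                                 size_t count, char *out, size_t out_size) {
    size_t used = 0;
    if (n_lines == 0 && count != 0) return -1;      /* nothing to pick from */
    for (size_t i = 0; i < count; i++) {
        char *const *p = lines + choose(s, n_lines); /* index < n_lines here */
        size_t len = (size_t)(p[1] - p[0]);
        if (len > out_size - used) return -1;       /* output buffer full */
        memcpy(out + used, p[0], len);
        used += len;
    }
    return (long)used;
}

/* Constructed sample: lines[i] starts line i, lines[n_lines] ends the data. */
static long demo(size_t n_lines, size_t count) {
    static char sample[] = "a\nbb\n";
    char *lines[] = { sample, sample + 2, sample + 5 };
    char out[64];
    uint64_t state = UINT64_C(0x9E3779B97F4A7C15);
    return write_repeat_checked(&state, lines, n_lines, count, out, sizeof out);
}

int main(void) {
    printf("%#llx %ld %ld\n", (unsigned long long)genmax_for(0), demo(2, 4), demo(0, 4));
    return 0;
}
```

Without the `n_lines == 0` check, the index passed to `lines + j` in this model is unbounded, which matches the out-of-range pointer the report describes.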
--- Begin Message ---
Subject: Re: bug#16855: report a bug about shuf
Date: Sun, 23 Feb 2014 15:37:41 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

Thanks for the bug report. I've committed the attached patch.

Attachment: shuf.diff
Description: Text document
--- End Message ---