bug#25003: Bug in SPLIT utility

2016-11-23 Thread Jim Meyering
On Wed, Nov 23, 2016 at 4:21 PM, Pádraig Brady  wrote:
> On 23/11/16 22:16, Pádraig Brady wrote:
>> On 23/11/16 17:30, Jim Meyering wrote:
>>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme  
>>> wrote:
>>>> Dear all,
>>>>
>>>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>>>> We’ll be reporting each found bug separately.
>>>>
>>>> On Coreutils v8.25 and trunk, the following input crashes.
>>>> Option -n was introduced with v8.8.
>>>>
>>>> $ ./split -n7/75 7
>>>> Segmentation fault
>>>>
>>>> ASAN says:
>>>> =
>>>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>>>> #0 0x7f8820eb9a10 in memmove
>>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>>>> #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>>>> #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>>>> #3 0x404d12 in main ../src/split.c:1625
>>>> #4 0x7f881fd9cf44 in __libc_start_main
>>>> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>>> #5 0x4064a9
>>>> (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>>>
>>>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region
>>>> [0x7f8821f99800,0x7f8821fba800)
>>>> allocated by thread T0 here:
>>>> #0 0x7f8820f193a8 in __interceptor_malloc
>>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>>>> #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>>>
>>>> SUMMARY: AddressSanitizer: negative-size-param
>>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
>>>
>>> Thank you for the report.
>>> Would you please provide the contents of your file named "7"?
>>
>> That's immaterial I think. I can reproduce with:
>>   src/split -n2/3 /dev/null
>> I'll dig into these

Looks perfect.
Thanks!

bug#25003: Bug in SPLIT utility

2016-11-23 Thread Pádraig Brady
On 23/11/16 22:16, Pádraig Brady wrote:
> On 23/11/16 17:30, Jim Meyering wrote:
>> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme  
>> wrote:
>>> Dear all,
>>>
>>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>>> We’ll be reporting each found bug separately.
>>>
>>> On Coreutils v8.25 and trunk, the following input crashes.
>>> Option -n was introduced with v8.8.
>>>
>>> $ ./split -n7/75 7
>>> Segmentation fault
>>>
>>> ASAN says:
>>> =
>>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>>> #0 0x7f8820eb9a10 in memmove 
>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>>> #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>>> #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>>> #3 0x404d12 in main ../src/split.c:1625
>>> #4 0x7f881fd9cf44 in __libc_start_main 
>>> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>> #5 0x4064a9  
>>> (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>>
>>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region 
>>> [0x7f8821f99800,0x7f8821fba800)
>>> allocated by thread T0 here:
>>> #0 0x7f8820f193a8 in __interceptor_malloc 
>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>>> #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>>
>>> SUMMARY: AddressSanitizer: negative-size-param 
>>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
>>
>> Thank you for the report.
>> Would you please provide the contents of your file named "7"?
> 
> That's immaterial I think. I can reproduce with:
>   src/split -n2/3 /dev/null
> I'll dig into these

Patch attached.

thanks!
Pádraig
From 2ecc0890aa9fb182fe4362475d2d040607219cb1 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Thu, 24 Nov 2016 00:03:16 +
Subject: [PATCH] split: fix memory corruption during chunk extraction

ASAN reported this error for: split -n2/3 /dev/null
  ERROR: AddressSanitizer: negative-size-param: (size=-1)
  #0 0x7f0d4c36951d in __asan_memmove (/lib64/libasan.so.2+0x8d51d)
  #1 0x404e06 in memmove /usr/include/bits/string3.h:59
  #2 0x404e06 in bytes_chunk_extract src/split.c:988
  #3 0x404e06 in main src/split.c:1626

Specifically there would be invalid memory access
and subsequent processing if the chunk to be extracted
was beyond the initial amount read from file (which is
currently capped at 128KiB).  This issue is not in a
released version, only being introduced in commit v8.25-4-g62e7af0.

* src/split.c (bytes_chunk_extract): The initial_read != SIZE_MAX
should have been combined with && rather than ||, but also this
condition is always true in this function so remove entirely.
* tests/split/b-chunk.sh: Add a test case.

Fixes http://bugs.gnu.org/25003
---
 src/split.c            | 2 +-
 tests/split/b-chunk.sh | 7 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/split.c b/src/split.c
index f9c99db..9a0704c 100644
--- a/src/split.c
+++ b/src/split.c
@@ -982,7 +982,7 @@ bytes_chunk_extract (uintmax_t k, uintmax_t n, char *buf, size_t bufsize,
   start = (k - 1) * (file_size / n);
   end = (k == n) ? file_size : k * (file_size / n);
 
-  if (initial_read != SIZE_MAX || start < initial_read)
+  if (start < initial_read)
 {
   memmove (buf, buf + start, initial_read - start);
   initial_read -= start;
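Review bot: the remaining guard `if (start < initial_read)` is the only thing that keeps `initial_read - start` on the following `memmove` line from wrapping (the subtraction is unsigned, which is why ASAN reports the length as a negative size), and it depends on `initial_read` never being SIZE_MAX in this function, an invariant the hunk does not show and the commit message merely asserts. Consider adding `assert (initial_read != SIZE_MAX);` or a one-line comment above the condition so a later reader does not reintroduce the `||` form that was removed here.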
diff --git a/tests/split/b-chunk.sh b/tests/split/b-chunk.sh
index 8475f96..c6619a2 100755
--- a/tests/split/b-chunk.sh
+++ b/tests/split/b-chunk.sh
@@ -25,9 +25,14 @@ split -n 10 /dev/null || fail=1
 test "$(stat -c %s x* | uniq -c | sed 's/^ *//; s/ /x/')" = "10x0" || fail=1
 rm -f x??
 
+# When extracting K of N where N > file size
+# no data is extracted, and no files are written
+split -n 2/3 /dev/null || fail=1
+returns_ 1 stat x?? 2>/dev/null || fail=1
+
 # Ensure --elide-empty-files is honored
 split -e -n 10 /dev/null || fail=1
-stat x?? 2>/dev/null && fail=1
+returns_ 1 stat x?? 2>/dev/null || fail=1
 
 printf '1\n2\n3\n4\n5\n' > input || framework_failure_
 
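Review bot: the new case (`split -n 2/3 /dev/null` followed by `returns_ 1 stat x?? 2>/dev/null`) has no `rm -f x??` before the `--elide-empty-files` case that follows it, unlike the `-n 10` case above which cleans up with `rm -f x??`; if a regression makes split write files here, the next `returns_ 1 stat x??` assertion fails as well and the test output points at the wrong case, so consider adding `rm -f x??` after the new assertion. The comment "where N > file size" could also be worded to match the commit message, which describes the failing condition as the chunk lying beyond the initial amount read from the file.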
-- 
2.5.5
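The arithmetic the patch above corrects, as an added example that is not coreutils code: `chunk_range` mirrors the two range lines visible in the hunk, `wrapped_memmove_len` only computes (never passes to memmove) the length the pre-fix `||` condition would have produced when the chunk start lies past the bytes actually read, and `extract_chunk` is the post-fix guard. All function names and the sample buffer are assumptions constructed for this example.

```c
/* Added example, not coreutils code: a model of the chunk-range
   arithmetic fixed by the patch above.  Function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Byte range [start, end) of chunk k of n, as in the two lines of
   bytes_chunk_extract visible in the hunk. */
static void chunk_range (uintmax_t k, uintmax_t n, uintmax_t file_size,
                         uintmax_t *start, uintmax_t *end)
{
  *start = (k - 1) * (file_size / n);
  *end = (k == n) ? file_size : k * (file_size / n);
}

/* Length the pre-fix code hands to memmove when start is past the data
   actually read: unsigned subtraction wraps to a huge value, which ASAN
   prints as a negative size.  Computed only, never passed to memmove. */
static size_t wrapped_memmove_len (size_t initial_read, uintmax_t start)
{
  return (size_t) (initial_read - start);
}

/* Post-fix behaviour: shift the buffered data down by `start` bytes only
   when those bytes exist; otherwise nothing can be extracted.  Returns the
   number of bytes left in buf. */
static size_t extract_chunk (char *buf, size_t initial_read, uintmax_t start)
{
  if (start < initial_read)
    {
      memmove (buf, buf + start, initial_read - start);
      return initial_read - start;
    }
  return 0;
}

int main (void)
{
  /* Constructed input: 10 bytes buffered, chunk 7 of 75 of a 150-byte file. */
  char buf[] = "abcdefghij";
  uintmax_t start, end;
  chunk_range (7, 75, 150, &start, &end);
  printf ("chunk 7/75 covers [%ju, %ju)\n", start, end);
  /* A start offset 6 bytes past the data read: the old guard wraps the length. */
  printf ("wrapped length: %zu\n", wrapped_memmove_len (2048, 2054));
  printf ("bytes kept after fixed extraction: %zu\n",
          extract_chunk (buf, sizeof buf - 1, 6));
  return 0;
}
```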

bug#25003: Bug in SPLIT utility

2016-11-23 Thread Pádraig Brady
On 23/11/16 17:30, Jim Meyering wrote:
> On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme  wrote:
>> Dear all,
>>
>> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
>> We’ll be reporting each found bug separately.
>>
>> On Coreutils v8.25 and trunk, the following input crashes.
>> Option -n was introduced with v8.8.
>>
>> $ ./split -n7/75 7
>> Segmentation fault
>>
>> ASAN says:
>> =
>> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
>> #0 0x7f8820eb9a10 in memmove 
>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
>> #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
>> #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
>> #3 0x404d12 in main ../src/split.c:1625
>> #4 0x7f881fd9cf44 in __libc_start_main 
>> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>> #5 0x4064a9  
>> (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>>
>> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region 
>> [0x7f8821f99800,0x7f8821fba800)
>> allocated by thread T0 here:
>> #0 0x7f8820f193a8 in __interceptor_malloc 
>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>> #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>>
>> SUMMARY: AddressSanitizer: negative-size-param 
>> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove
> 
> Thank you for the report.
> Would you please provide the contents of your file named "7"?

That's immaterial I think. I can reproduce with:
  src/split -n2/3 /dev/null
I'll dig into these


bug#25003: Bug in SPLIT utility

2016-11-23 Thread Jim Meyering
On Wed, Nov 23, 2016 at 5:22 AM, Marcel Böhme  wrote:
> Dear all,
>
> We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
> We’ll be reporting each found bug separately.
>
> On Coreutils v8.25 and trunk, the following input crashes.
> Option -n was introduced with v8.8.
>
> $ ./split -n7/75 7
> Segmentation fault
>
> ASAN says:
> =
> ==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
> #0 0x7f8820eb9a10 in memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
> #1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
> #2 0x404d12 in bytes_chunk_extract ../src/split.c:987
> #3 0x404d12 in main ../src/split.c:1625
> #4 0x7f881fd9cf44 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
> #5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)
>
> 0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region 
> [0x7f8821f99800,0x7f8821fba800)
> allocated by thread T0 here:
> #0 0x7f8820f193a8 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
> #1 0x40ec88 in xmalloc ../lib/xmalloc.c:41
>
> SUMMARY: AddressSanitizer: negative-size-param 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove

Thank you for the report.
Would you please provide the contents of your file named "7"?


bug#25003: Bug in SPLIT utility

2016-11-23 Thread Marcel Böhme
Dear all,

We are running small 1h fuzzing sessions with AFLFast, a fork of AFL.
We’ll be reporting each found bug separately.

On Coreutils v8.25 and trunk, the following input crashes.
Option -n was introduced with v8.8.

$ ./split -n7/75 7
Segmentation fault

ASAN says:
=
==53143==ERROR: AddressSanitizer: negative-size-param: (size=-6)
#0 0x7f8820eb9a10 in memmove 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10)
#1 0x404d12 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:57
#2 0x404d12 in bytes_chunk_extract ../src/split.c:987
#3 0x404d12 in main ../src/split.c:1625
#4 0x7f881fd9cf44 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#5 0x4064a9  (/home/ubuntu/subjects/coreutils/obj-asan/src/split+0x4064a9)

0x7f8821f9a006 is located 2054 bytes inside of 135168-byte region 
[0x7f8821f99800,0x7f8821fba800)
allocated by thread T0 here:
#0 0x7f8820f193a8 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
#1 0x40ec88 in xmalloc ../lib/xmalloc.c:41

SUMMARY: AddressSanitizer: negative-size-param 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x62a10) in memmove

Best regards,
- Marcel