bug#28860: Segmentation fault with out-of-bound read in 'b2sum'
From: Jaeseung Choi
Subject: bug#28860: Segmentation fault with out-of-bound read in 'b2sum'
Date: Mon, 16 Oct 2017 10:04:20 +0900
Dear GNU team,
While testing coreutils for research purposes, we found the following
segfault in 'b2sum'. Running b2sum with the --check option and simply
providing the string "BLAKE2" with no trailing character raises the
crash shown below.
address@hidden:~$ tar -xf coreutils-8.28.tar.xz
address@hidden:~$ cd coreutils-8.28/
address@hidden:~/coreutils-8.28$ mkdir obj
address@hidden:~/coreutils-8.28$ cd obj
address@hidden:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
address@hidden:~/coreutils-8.28/obj$ gdb ./src/b2sum -q
Reading symbols from ./src/b2sum...done.
(gdb) run --check <<< BLAKE2
Starting program: /home/jason/coreutils-8.28/obj/src/b2sum --check <<< BLAKE2
Program received signal SIGSEGV, Segmentation fault.
split_3 (file_name=<synthetic pointer>, binary=<synthetic pointer>,
hex_digest=<synthetic pointer>, s_len=<optimized out>, s=0x60dfe0
"BLAKE2") at ../src/md5sum.c:433
433 while (! ISWHITE (s[i]) && s[i] != '-' && s[i] != '(')
(gdb) x/i $rip
=> 0x401d0e <main+1262>: movzbl (%r12,%rbx,1),%ebp
(gdb) info reg r12 rbx
r12 0x60dfe0 6348768
rbx 0x20020 131104
(gdb)
We could reproduce the bug in coreutils from version 8.26 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1,
but the b2sum program pre-built in Debian 9.1 did not crash with this
input. We assume it is due to a difference in the configuration before
build.
Please let us know if you have any problem reproducing the bug.
Thank you.
Sincerely,
Jaeseung
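Added illustration (not part of the report above and not coreutils' own code): the
loop quoted at md5sum.c:433 scans the algorithm tag at the start of a check line and
stops only on whitespace, '-' or '('. When the whole line is the bare tag "BLAKE2"
there is no such byte before the terminator, so the index keeps growing until the
read faults (rbx had reached 0x20020 in the session above). The program below puts a
loop of that shape beside a bounded version that also stops at s_len and at NUL and
reports a malformed line instead of returning an index the caller would dereference.
ISWHITE is a stand-in written for this example, the padded buffer is constructed so
the unbounded loop's overrun is measurable without a crash, and the
"BLAKE2b-256 (f) = 00" check-line layout is assumed rather than taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for coreutils' ISWHITE (space or tab only), assumed for this
   example; like the original it does not treat NUL as a stop byte. */
#define ISWHITE(c) ((c) == ' ' || (c) == '\t')

/* Unbounded scan in the shape of the loop quoted at md5sum.c:433.
   Nothing here stops at the NUL terminator or at the buffer length, so a
   line consisting only of the tag keeps walking into whatever follows.
   To observe that without a crash, the caller passes a buffer it owns
   that contains a delimiter byte somewhere after the NUL; the return
   value is how far the loop walked.  Demonstration of the defect only. */
static size_t scan_tag_unbounded(const char *s)
{
    size_t i = 0;
    while (!ISWHITE(s[i]) && s[i] != '-' && s[i] != '(')
        i++;
    return i;
}

/* Hardened scan: bounded by s_len and by the terminator.  Returns the
   tag length when a delimiter follows it, or -1 when the tag runs to the
   end of the input (the "BLAKE2" case), so the caller rejects the line
   instead of indexing past it. */
static int scan_tag_bounded(const char *s, size_t s_len)
{
    size_t i = 0;
    while (i < s_len && s[i] != '\0' && !ISWHITE(s[i])
           && s[i] != '-' && s[i] != '(')
        i++;
    if (i == s_len || s[i] == '\0')
        return -1;
    return (int)i;
}

/* Constructed buffer: the crashing input "BLAKE2", its NUL, padding, and
   a '(' well past the terminator, standing in for whatever happens to
   sit in memory after the line. */
static const char padded_input[16] =
    { 'B', 'L', 'A', 'K', 'E', '2', 0, 0, 0, 0, 0, 0, 0, 0, 0, '(' };

/* Number of bytes beyond the string's NUL that the unbounded loop reads
   on the padded buffer before it finds a stop byte. */
static size_t overrun_bytes(void)
{
    return scan_tag_unbounded(padded_input) - strlen(padded_input);
}

int main(void)
{
    printf("unbounded scan walked %zu bytes past the NUL\n", overrun_bytes());
    printf("bounded scan on \"BLAKE2\": %d (malformed)\n",
           scan_tag_bounded("BLAKE2", 6));
    printf("bounded scan on \"BLAKE2b-256 (f) = 00\": tag length %d\n",
           scan_tag_bounded("BLAKE2b-256 (f) = 00", 20));
    return 0;
}
```

The bounded version carries the same three delimiter checks as the original, so
well-formed lines parse as before; the only behavioural change is that a line whose
tag reaches the end of the buffer is reported as malformed rather than scanned past.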