--- Begin Message ---
Subject: |
Report 3 UBSan integer related errors found by an automatic tool |
Date: |
Wed, 30 Jun 2021 17:07:32 +0000 |
Dear coreutils developers,
We tested coreutils with an automatic tool (based on the symbolic execution
tool KLEE). A number of test cases triggering UBSan integer related errors were
generated. We manually checked those test cases and filtered out benign cases.
Finally, we identified and report 3 cases that could trigger bugs. Below is the
information for reproducing the bugs.
- coreutils version: 8.31
- operating system: Ubuntu 16.04.7
- compiler: 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
- compilation commands:
mkdir obj
cd obj
CC=clang CFLAGS="-g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES
-D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow
-fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds
-fsanitize=pointer-overflow -fsanitize=null" ../configure --disable-nls
make
- inputs: please download the attached bug triggering inputs basenc1.stdin and
basenc2.stdin
bug1: basenc
command: cat basenc1.stdin | basenec --z -
relevant error message: ../src/basenc.c:635:25: runtime error: left shift of
128 by 24 places cannot be represented in type ‘int'
bug2: basenc
command: cat basenc2.stdin | basenc --z - -d
relevant error message: ../src/basenc.c:770:18: runtime error: signed integer
overflow: 41760500 * 85 cannot be represented in type ‘int'
bug3: seq
command: seq 3 1 1.
relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer
overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'
Best,
Jingxuan
basenc1.stdin
Description: basenc1.stdin
basenc2.stdin
Description: basenc2.stdin
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#49300: Report 3 UBSan integer related errors found by an automatic tool |
Date: |
Wed, 30 Jun 2021 13:06:17 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 |
On 6/30/21 10:07 AM, He Jingxuan wrote:
bug1: basenc
command: cat basenc1.stdin | basenec --z -
relevant error message: ../src/basenc.c:635:25: runtime error: left shift of
128 by 24 places cannot be represented in type ‘int'
bug2: basenc
command: cat basenc2.stdin | basenc --z - -d
relevant error message: ../src/basenc.c:770:18: runtime error: signed integer
overflow: 41760500 * 85 cannot be represented in type ‘int'
These two bugs were fixed in coreutils 8.32; please try that instead.
bug3: seq
command: seq 3 1 1.
relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer
overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'
This diagnostic is a false alarm. It is complaining about this statement:
ret.width += (fraction_len == 0
? -1
: (decimal_point == arg
|| ! ISDIGIT (decimal_point[-1])));
where ret.width (of type size_t) is 2. But (size_t) 2 + (int) -1 has
well-defined behavior in C: in the normal case where size_t does not
promote to int, it is equivalent to (size_t) 2 + (size_t) -1, and this
must equal 1. And in the hypothetical case where size_t promotes to int,
it is equivalent to (int) 2 + (int) -1 which also must equal 1. So there
is no error here.
That being said, coreutils uses size_t too often; it should use idx_t
(from Gnulib) to avoid common mistakes when using unsigned values. I'll
add that to my list of things to do.
--- End Message ---