bug-coreutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ptx bug -- unbounded buffer overflow

From: Dawson Engler
Subject: Re: ptx bug -- unbounded buffer overflow
Date: Fri, 21 Mar 2008 13:36:48 -0700 (PDT) 
Cristi,

were there any statements in ptx you were having a hard time hitting that it
might make sense to ask Jim about?

> 
> 
>   Hello Jim,
> 
>   Thanks for the prompt answer.
>   Could you please acknowledge Daniel Dunbar (address@hidden) and
> Dawson Engler (address@hidden) as well?
>   
>   Our tool works by generating test cases that achieve very high
> statement and branch coverage.  At this point, the tool is not mature
> enough for distribution, but if you'd like to send you the test suites
> that we generate after we finish our study, we can do that.
> 
>   We'll send you any more bug reports that our tool generates.  We plan
> to focus on coreutils over the next two weeks, so this synchronizes well
> with your release deadline.
> 
>   Best,
>   Cristian
> 
> On Fri, 2008-03-21 at 11:11 +0100, Jim Meyering wrote:
> > Cristian Cadar <address@hidden> wrote:
> > >   Hello, I'm part of a research group at Stanford, working on automatic
> > > bug-finding tools.  We are currently testing coreutils, and we found a
> > > crash bug in ptx due to an unbounded buffer overflow.
> > >
> > >   Here is a trivial test case that triggers the bug in the current
> > > version of coreutils (6.10):
> > >
> > > $ ptx -F\\
> > >
> > >   Another example, which overflows more bytes would be:
> > > $ ptx -F\\ abcdef
> > >
> > > (the overflow increases w/ the length of the second argument).
> > >
> > >   The problem is in function copy_unescaped_string(const char *string),
> > > which in the presence of backslashes can advance the pointer "string"
> > > past the end of the buffer.  This in turn causes an unbounded overflow
> > > of the buffer malloc-ed at the very beginning of the function, which in
> > > turn can be used to corrupt the heap metadata and crash the program.
> > 
> > Thank you for finding/reporting that.  It is indeed a bug.
> > I've included a patch and a test-suite addition below.
> > 
> > Are your tools freely available?
> > 
> > If you have any more reports like that, please send them in soon.
> > I expect to make a new release in the next week or two.
> > 
> > Regarding attribution, for now, I've listed only your name
> > in the commit log and THANKS file.
> > Let me know if something else would be more appropriate.
> > 
> >     ptx: avoid heap overrun for backslash at end of optarg string
> >     * src/ptx.c (copy_unescaped_string): Ignore a lone backslash
> >     at end of string.  Reported by Cristian Cadar.
> >     * tests/misc/Makefile.am (TESTS): Add ptx-overrun.
> >     * tests/misc/ptx-overrun: New file.  Test for the above fix.
> >     * NEWS: Mention the fix.
> > 
> > Signed-off-by: Jim Meyering <address@hidden>
> > ---
> >  NEWS                   |    5 +++++
> >  THANKS                 |    1 +
> >  src/ptx.c              |    4 ++++
> >  tests/misc/Makefile.am |    3 ++-
> >  tests/misc/ptx-overrun |   40 ++++++++++++++++++++++++++++++++++++++++
> >  5 files changed, 52 insertions(+), 1 deletions(-)
> >  create mode 100755 tests/misc/ptx-overrun
> > 
> > diff --git a/NEWS b/NEWS
> > index 93f1331..3be7db8 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -16,6 +16,11 @@ GNU coreutils NEWS                                    
> > -*- outline -*-
> >    when the destination had two or more hard links.  It no longer does that.
> >    [bug introduced in coreutils-5.3.0]
> > 
> > +  "ptx -F'\' long-file-name" would overrun a malloc'd buffer and corrupt
> > +  the heap.  That was triggered by a lone backslash (or odd number of them)
> > +  at the end of the option argument to --flag-truncation=STRING (-F),
> > +  --word-regexp=REGEXP (-W), or --sentence-regexp=REGEXP (-S).
> > +
> >    "rmdir --ignore-fail-on-non-empty" detects and ignores the failure
> >    in more cases when a directory is empty.
> > 
> > diff --git a/THANKS b/THANKS
> > index 186bf5f..b5dc348 100644
> > --- a/THANKS
> > +++ b/THANKS
> > @@ -105,6 +105,7 @@ Colin Plumb                         address@hidden
> >  Colin Watson                        address@hidden
> >  Collin Rogowski                     address@hidden
> >  Cray-Cyber Project                  http://www.cray-cyber.org
> > +Cristian Cadar                      address@hidden
> >  Cyril Bouthors                      address@hidden
> >  Dale Scheetz                        address@hidden
> >  Dan Hagerty                         address@hidden
> > diff --git a/src/ptx.c b/src/ptx.c
> > index dafcbe2..8f7ae95 100644
> > --- a/src/ptx.c
> > +++ b/src/ptx.c
> > @@ -388,6 +388,10 @@ copy_unescaped_string (const char *string)
> >           string++;
> >           break;
> > 
> > +       case '\0':          /* lone backslash at end of string */
> > +         /* ignore it */
> > +         break;
> > +
> >         default:
> >           *cursor++ = '\\';
> >           *cursor++ = *string++;
> > diff --git a/tests/misc/Makefile.am b/tests/misc/Makefile.am
> > index 2be132f..f3ed132 100644
> > --- a/tests/misc/Makefile.am
> > +++ b/tests/misc/Makefile.am
> > @@ -1,6 +1,6 @@
> >  # Make miscellaneous coreutils tests.                      -*-Makefile-*-
> > 
> > -# Copyright (C) 2001-2007 Free Software Foundation, Inc.
> > +# Copyright (C) 2001-2008 Free Software Foundation, Inc.
> > 
> >  # This program is free software: you can redistribute it and/or modify
> >  # it under the terms of the GNU General Public License as published by
> > @@ -38,6 +38,7 @@ TESTS = \
> >    ls-time \
> >    ls-misc \
> >    date \
> > +  ptx-overrun \
> >    xstrtol \
> >    od \
> >    mktemp \
> > diff --git a/tests/misc/ptx-overrun b/tests/misc/ptx-overrun
> > new file mode 100755
> > index 0000000..beadf7f
> > --- /dev/null
> > +++ b/tests/misc/ptx-overrun
> > @@ -0,0 +1,40 @@
> > +#!/bin/sh
> > +# Trigger a heap-clobbering bug in ptx from coreutils-6.10 and earlier.
> > +
> > +# Copyright (C) 2008 Free Software Foundation, Inc.
> > +
> > +# This program is free software: you can redistribute it and/or modify
> > +# it under the terms of the GNU General Public License as published by
> > +# the Free Software Foundation, either version 3 of the License, or
> > +# (at your option) any later version.
> > +
> > +# This program is distributed in the hope that it will be useful,
> > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > +# GNU General Public License for more details.
> > +
> > +# You should have received a copy of the GNU General Public License
> > +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
> > +
> > +if test "$VERBOSE" = yes; then
> > +  set -x
> > +  ptx --version
> > +fi
> > +
> > +. $srcdir/../test-lib.sh
> > +
> > +# Using a long file name makes an abort more likely.
> > +# Even with no file name, valgrind detects the buffer overrun.
> > +f=01234567890123456789012345678901234567890123456789
> > +touch $f empty || framework_failure
> > +
> > +fail=0
> > +
> > +# Specifying a regular expression ending in a lone backslash
> > +# would cause ptx to write beyond the end of a malloc'd buffer.
> > +ptx -F '\'      $f < /dev/null  > out || fail=1
> > +ptx -S 'foo\'   $f < /dev/null >> out || fail=1
> > +ptx -W 'bar\\\' $f < /dev/null >> out || fail=1
> > +compare out empty || fail=1
> > +
> > +(exit $fail); exit $fail
> > --
> > 1.5.5.rc0.22.g467c
> 
> 
> 
> 
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]