Hi,

There is an out of bounds read error in the function genpattern() in shred (coreutils 8.23). This issue only appears randomly.

To test:
a) recompile coreutils 8.23 with address sanitizer:
   ./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"; make
b) create a test file:
   touch x
c) run shred multiple times on it with -n 20:
   for i in $(seq 1 1000); do src/shred -n 20 x; done

You will see the errors.

Here's the output from Address Sanitizer:

==25808==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000416628 at pc 0x4047a0 bp 0x7ffc99fee730 sp 0x7ffc99fee720
READ of size 4 at 0x000000416628 thread T0
    #0 0x40479f in genpattern src/shred.c:782
    #1 0x4050d9 in do_wipefd src/shred.c:921
    #2 0x406203 in wipefile src/shred.c:1175
    #3 0x406b84 in main src/shred.c:1316
    #4 0x7f3454a1ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x4025d8 (/tmp/coreutils-8.23/src/shred+0x4025d8)

0x000000416628 is located 56 bytes to the left of global variable '*.LC49' from 'src/shred.c' (0x416660) of size 17
  '*.LC49' is ascii string '%s: fstat failed'
0x000000416628 is located 12 bytes to the right of global variable 'patterns' from 'src/shred.c' (0x416540) of size 220
SUMMARY: AddressSanitizer: global-buffer-overflow src/shred.c:782 genpattern
Shadow bytes around the buggy address:
  0x00008007ac70: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9
  0x00008007ac80: 00 00 01 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
  0x00008007ac90: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9
  0x00008007aca0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007acb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008007acc0: 00 00 00 04 f9[f9]f9 f9 00 00 00 00 00 00 01 f9
  0x00008007acd0: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 03
  0x00008007ace0: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 01 f9
  0x00008007acf0: f9 f9 f9 f9 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9
  0x00008007ad00: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x00008007ad10: 00 04 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==25808==ABORTING

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
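
The reproduction loop from the report above, as an added example that is not part of the original message: a POSIX shell harness that counts how many runs trip AddressSanitizer and keeps the first report, which helps when a failure only appears randomly. The function names, the `ASAN_FIRST_REPORT` variable and the `asan-first.log` file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: measure how often an ASan-instrumented binary (here the
# src/shred build from the report) trips the sanitizer over many runs.
# Function names, ASAN_FIRST_REPORT and asan-first.log are assumptions.

# count_asan_hits BIN RUNS [PASSES]
# Prints the number of runs whose stderr contained an ASan error header and
# keeps the first such report in $ASAN_FIRST_REPORT (default asan-first.log).
count_asan_hits() {
    bin=$1 runs=$2 passes=${3:-20}
    report=${ASAN_FIRST_REPORT:-asan-first.log}
    work=$(mktemp -d) || return 2
    target=$work/x
    : > "$target"                 # empty test file, like "touch x" in the report
    rm -f "$report"
    hits=0 i=0
    while [ "$i" -lt "$runs" ]; do
        i=$((i + 1))
        # The sanitizer writes its report to stderr; the exit status alone
        # cannot distinguish an ASan abort from an ordinary shred failure.
        "$bin" -n "$passes" "$target" 2> "$work/err" > /dev/null || true
        if grep -q 'ERROR: AddressSanitizer' "$work/err"; then
            hits=$((hits + 1))
            [ -e "$report" ] || cp "$work/err" "$report"
        fi
    done
    rm -rf "$work"
    echo "$hits"
}

# asan_summary FILE
# Prints the SUMMARY line of a saved report: bug class, file:line, function.
asan_summary() {
    sed -n 's/^SUMMARY: AddressSanitizer: //p' "$1" | head -n 1
}

# Runs only when called with arguments, e.g.: sh repro.sh src/shred 1000
if [ "$#" -ge 2 ]; then
    n=$(count_asan_hits "$1" "$2")
    echo "$n of $2 runs hit ASan"
    [ "$n" -eq 0 ] || asan_summary "${ASAN_FIRST_REPORT:-asan-first.log}"
fi
```
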