150 lines
5.2 KiB
Diff
150 lines
5.2 KiB
Diff
From c7a121c79a158dd7c0a26f403972cb167753a1de Mon Sep 17 00:00:00 2001
|
|
From: Paul Eggert <eggert@cs.ucla.edu>
|
|
Date: Sat, 3 Aug 2024 22:31:20 -0700
|
|
Subject: [PATCH] shuf: fix randomness bug
|
|
|
|
Problem reported by Daniel Carpenter <https://bugs.gnu.org/72445>.
|
|
* gl/lib/randread.c (randread_new): Fill the ISAAC buffer
|
|
instead of storing at most BYTES_BOUND bytes into it.
|
|
|
|
(cherry picked from commit bfbb3ec7f798b179d7fa7b42673e068b18048899)
|
|
---
|
|
lib/randread.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/randread.c b/lib/randread.c
|
|
index cbee224b..43c0cf09 100644
|
|
--- a/lib/randread.c
|
|
+++ b/lib/randread.c
|
|
@@ -189,9 +189,19 @@ randread_new (char const *name, size_t bytes_bound)
|
|
setvbuf (source, s->buf.c, _IOFBF, MIN (sizeof s->buf.c, bytes_bound));
|
|
else
|
|
{
|
|
+ /* Fill the ISAAC buffer. Although it is tempting to read at
|
|
+ most BYTES_BOUND bytes, this is incorrect for two reasons.
|
|
+ First, BYTES_BOUND is just an estimate.
|
|
+ Second, even if the estimate is correct
|
|
+ ISAAC64 poorly randomizes when BYTES_BOUND is small
|
|
+ and just the first few bytes of s->buf.isaac.state.m
|
|
+ are random while the other bytes are all zero. See:
|
|
+ Aumasson J-P. On the pseudo-random generator ISAAC.
|
|
+ Cryptology ePrint Archive. 2006;438.
|
|
+ <https://eprint.iacr.org/2006/438>. */
|
|
s->buf.isaac.buffered = 0;
|
|
if (! get_nonce (s->buf.isaac.state.m,
|
|
- MIN (sizeof s->buf.isaac.state.m, bytes_bound)))
|
|
+ sizeof s->buf.isaac.state.m))
|
|
{
|
|
int e = errno;
|
|
randread_free_body (s);
|
|
--
|
|
2.54.0
|
|
|
|
From 147a9bf745d1b99d2cf538194386ca4341574e8d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
|
|
Date: Tue, 20 May 2025 16:03:44 +0100
|
|
Subject: [PATCH] sort: fix buffer under-read (CWE-127)
|
|
|
|
* src/sort.c (begfield): Check pointer adjustment
|
|
to avoid Out-of-range pointer offset (CWE-823).
|
|
(limfield): Likewise.
|
|
* tests/sort/sort-field-limit.sh: Add a new test,
|
|
which triggers with ASAN or Valgrind.
|
|
* tests/local.mk: Reference the new test.
|
|
Fixes https://bugs.gnu.org/78507
|
|
|
|
(cherry picked from commit 8c9602e3a145e9596dc1a63c6ed67865814b6633)
|
|
---
|
|
src/sort.c | 12 ++++++++++--
|
|
tests/local.mk | 1 +
|
|
tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
|
|
3 files changed, 46 insertions(+), 2 deletions(-)
|
|
create mode 100755 tests/sort/sort-field-limit.sh
|
|
|
|
diff --git a/src/sort.c b/src/sort.c
|
|
index 2d8324ca..09634197 100644
|
|
--- a/src/sort.c
|
|
+++ b/src/sort.c
|
|
@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
|
|
++ptr;
|
|
|
|
/* Advance PTR by SCHAR (if possible), but no further than LIM. */
|
|
- ptr = MIN (lim, ptr + schar);
|
|
+ size_t remaining_bytes = lim - ptr;
|
|
+ if (schar < remaining_bytes)
|
|
+ ptr += schar;
|
|
+ else
|
|
+ ptr = lim;
|
|
|
|
return ptr;
|
|
}
|
|
@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
|
|
++ptr;
|
|
|
|
/* Advance PTR by ECHAR (if possible), but no further than LIM. */
|
|
- ptr = MIN (lim, ptr + echar);
|
|
+ size_t remaining_bytes = lim - ptr;
|
|
+ if (echar < remaining_bytes)
|
|
+ ptr += echar;
|
|
+ else
|
|
+ ptr = lim;
|
|
}
|
|
|
|
return ptr;
|
|
diff --git a/tests/local.mk b/tests/local.mk
|
|
index fdbf3694..0b18ec9d 100644
|
|
--- a/tests/local.mk
|
|
+++ b/tests/local.mk
|
|
@@ -385,6 +385,7 @@ all_tests = \
|
|
tests/sort/sort-debug-keys.sh \
|
|
tests/sort/sort-debug-warn.sh \
|
|
tests/sort/sort-discrim.sh \
|
|
+ tests/sort/sort-field-limit.sh \
|
|
tests/sort/sort-files0-from.pl \
|
|
tests/sort/sort-float.sh \
|
|
tests/sort/sort-h-thousands-sep.sh \
|
|
diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
|
|
new file mode 100755
|
|
index 00000000..52d8e1d1
|
|
--- /dev/null
|
|
+++ b/tests/sort/sort-field-limit.sh
|
|
@@ -0,0 +1,35 @@
|
|
+#!/bin/sh
|
|
+# From 7.2-9.7, this would trigger an out of bounds mem read
|
|
+
|
|
+# Copyright (C) 2025 Free Software Foundation, Inc.
|
|
+
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
+
|
|
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
|
+print_ver_ sort
|
|
+getlimits_
|
|
+
|
|
+# This issue triggers with valgrind or ASAN
|
|
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
|
|
+ VALGRIND='valgrind --error-exitcode=1'
|
|
+
|
|
+{ printf '%s\n' aa bb; } > in || framework_failure_
|
|
+
|
|
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
|
|
+compare in out || fail=1
|
|
+
|
|
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
|
|
+compare in out || fail=1
|
|
+
|
|
+Exit $fail
|
|
--
|
|
2.54.0
|
|
|