GNU bug report logs - #49300
Report 3 UBSan integer related errors found by an automatic tool


Package: coreutils;

Reported by: "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>

Date: Wed, 30 Jun 2021 18:22:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#49300; Package coreutils. (Wed, 30 Jun 2021 18:22:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Wed, 30 Jun 2021 18:22:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>
To: "bug-coreutils <at> gnu.org" <bug-coreutils <at> gnu.org>
Subject: Report 3 UBSan integer related errors found by an automatic tool
Date: Wed, 30 Jun 2021 17:07:32 +0000
Dear coreutils developers,

We tested coreutils with an automatic tool (based on the symbolic execution tool KLEE). A number of test cases triggering UBSan integer-related errors were generated. We manually checked those test cases and filtered out benign cases. Finally, we identified and reported 3 cases that could trigger bugs. Below is the information for reproducing the bugs.

- coreutils version: 8.31
- operating system: Ubuntu 16.04.7
- compiler: 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
- compilation commands:
    mkdir obj
    cd obj
    CC=clang CFLAGS="-g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=pointer-overflow -fsanitize=null" ../configure --disable-nls
    make
- inputs: please download the attached bug triggering inputs basenc1.stdin and basenc2.stdin

bug1: basenc
command: cat basenc1.stdin | basenec --z -
relevant error message: ../src/basenc.c:635:25: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'

bug2: basenc
command: cat basenc2.stdin | basenc --z - -d
relevant error message: ../src/basenc.c:770:18: runtime error: signed integer overflow: 41760500 * 85 cannot be represented in type 'int'

bug3: seq
command: seq 3 1 1.
relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'

Best,
Jingxuan

[basenc1.stdin (application/octet-stream, attachment)]
[basenc2.stdin (application/octet-stream, attachment)]

Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Wed, 30 Jun 2021 20:07:01 GMT) Full text and rfc822 format available.

Notification sent to "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>:
bug acknowledged by developer. (Wed, 30 Jun 2021 20:07:02 GMT) Full text and rfc822 format available.

Message #10 received at 49300-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: He Jingxuan <jingxuan.he <at> inf.ethz.ch>
Cc: 49300-done <at> debbugs.gnu.org
Subject: Re: bug#49300: Report 3 UBSan integer related errors found by an automatic tool
Date: Wed, 30 Jun 2021 13:06:17 -0700
On 6/30/21 10:07 AM, He Jingxuan wrote:

> bug1: basenc
> command: cat basenc1.stdin | basenec --z -
> relevant error message: ../src/basenc.c:635:25: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
> 
> bug2: basenc
> command: cat basenc2.stdin | basenc --z - -d
> relevant error message: ../src/basenc.c:770:18: runtime error: signed integer overflow: 41760500 * 85 cannot be represented in type 'int'

These two bugs were fixed in coreutils 8.32; please try that instead.

> bug3: seq
> command: seq 3 1 1.
> relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'

This diagnostic is a false alarm. It is complaining about this statement:

          ret.width += (fraction_len == 0
                        ? -1
                        : (decimal_point == arg
                           || ! ISDIGIT (decimal_point[-1])));

where ret.width (of type size_t) is 2. But (size_t) 2 + (int) -1 has 
well-defined behavior in C: in the normal case where size_t does not 
promote to int, it is equivalent to (size_t) 2 + (size_t) -1, and this 
must equal 1. And in the hypothetical case where size_t promotes to int, 
it is equivalent to (int) 2 + (int) -1 which also must equal 1. So there 
is no error here.

That being said, coreutils uses size_t too often; it should use idx_t 
(from Gnulib) to avoid common mistakes when using unsigned values. I'll 
add that to my list of things to do.
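The three diagnostics in this thread fall into two classes: bug1 and bug2 are genuine undefined or overflowing signed arithmetic, while bug3 is a defined unsigned wrap that the sanitizer reports anyway. The C program below is an added illustration written for this page; it is not coreutils code and not the coreutils 8.32 fix. Function names are illustrative, the Z85 decoder is an independent implementation of the 4-bytes-to-5-characters scheme that basenc's --z85 mode uses, and the sample inputs in main() are constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- bug3: size_t + int is defined, so the seq.c report is a false alarm ---
   Mirrors the statement quoted in the reply: a size_t accumulator plus an
   int-valued conditional. The int -1 is converted to size_t (SIZE_MAX)
   before the addition, and the sum wraps modulo SIZE_MAX + 1 to width - 1.
   C defines this; -fsanitize=unsigned-integer-overflow reports every
   unsigned wrap, intended or not, so its findings need manual triage. */
size_t seq_width_adjust(size_t width, size_t fraction_len, bool digit_before_point)
{
    width += (fraction_len == 0 ? -1 : !digit_before_point);
    return width;
}

/* The same bookkeeping on a signed index type (Gnulib's idx_t is ptrdiff_t
   underneath). A genuine underflow, width 0 minus 1, now stays visible as
   -1 instead of turning into SIZE_MAX, and -fsanitize=signed-integer-overflow
   stays quiet for the normal case. This is the direction the reply suggests. */
ptrdiff_t seq_width_adjust_signed(ptrdiff_t width, ptrdiff_t fraction_len, bool digit_before_point)
{
    width += (fraction_len == 0 ? -1 : !digit_before_point);
    return width;
}

/* --- bug1: shifting a promoted byte into the sign bit is real UB ---
   In an expression like `b[0] << 24` the unsigned char promotes to int, so
   any byte >= 0x80 overflows a 32-bit int (the "left shift of 128 by 24
   places" report). Widening to uint32_t first keeps the shift unsigned. */
uint32_t pack_be32(const unsigned char b[4])
{
    return ((uint32_t) b[0] << 24) | ((uint32_t) b[1] << 16)
         | ((uint32_t) b[2] << 8)  |  (uint32_t) b[3];
}

/* --- bug2: an accumulator that can exceed its type on bad input ---
   Z85 packs 4 bytes into 5 symbols of an 85-character alphabet. Computing
   acc = acc * 85 + digit in a signed int overflows on the fifth symbol (the
   "41760500 * 85" report). A uint32_t accumulator plus a bound check before
   each multiply rejects any group above 2^32 - 1, which untrusted input can
   encode because 85^5 - 1 is larger than UINT32_MAX. */
static const char Z85_ALPHABET[] =
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    ".-:+=^!/*?&<>()[]{}@%$#";

static int z85_digit(char c)
{
    const char *p = memchr(Z85_ALPHABET, c, 85);
    return p ? (int) (p - Z85_ALPHABET) : -1;
}

/* Decode one 5-symbol group; false on a bad symbol or a group that would
   not fit in 32 bits (the bytes are then pack_be32's view of *value). */
bool z85_decode_group(const char in[5], uint32_t *value)
{
    uint32_t acc = 0;
    for (int i = 0; i < 5; i++) {
        int d = z85_digit(in[i]);
        if (d < 0)
            return false;                        /* not in the alphabet */
        if (acc > (UINT32_MAX - (uint32_t) d) / 85)
            return false;                        /* acc * 85 + d would wrap */
        acc = acc * 85 + (uint32_t) d;
    }
    *value = acc;
    return true;
}

int main(void)
{
    uint32_t v = 0;
    unsigned char sample[4] = { 0x86, 0x4F, 0xD2, 0x6F };   /* constructed bytes */
    printf("seq width 2 -> %zu (size_t), %td (signed)\n",
           seq_width_adjust(2, 0, true), seq_width_adjust_signed(2, 0, true));
    printf("pack_be32 -> 0x%08" PRIX32 "\n", pack_be32(sample));
    printf("z85 \"Hello\" -> %s 0x%08" PRIX32 "\n",
           z85_decode_group("Hello", &v) ? "ok" : "rejected", v);
    printf("z85 \"#####\" -> %s\n",
           z85_decode_group("#####", &v) ? "ok" : "rejected (would exceed 32 bits)");
    return 0;
}
```

Running the first function with the values from the report (width 2, fraction_len 0) yields 1, as the reply works out; the signed variant gives the same answer and additionally makes a real width-0 underflow show up as -1. The Z85 bound check is the kind of pre-multiply test that turns a sanitizer finding on untrusted input into an ordinary input-validation failure.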
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Jul 2021 11:24:03 GMT) Full text and rfc822 format available.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.