Dear maintainers,
We are cybersecurity researchers from the Hong Kong University of Science and 
Technology. We found several security violations of undefined behaviors in GNU 
make 4.4.1 using our novel symbolic execution technique several months ago. The 
details are shown below.

../src/hash.c:397:7: runtime error: unsigned integer overflow: 3735928566 + 1886610017 cannot be represented in type 'unsigned int'
    #0 0x50816d in jhash /root/projects/make-4.4.1/obj-san/../src/hash.c:397:7
    #1 0x4f6690 in function_table_entry_hash_1 /root/projects/make-4.4.1/obj-san/../src/function.c:50:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x504808 in hash_insert /root/projects/make-4.4.1/obj-san/../src/hash.c:129:17
    #4 0x504808 in hash_load /root/projects/make-4.4.1/obj-san/../src/hash.c:74:7
    #5 0x4f661b in hash_init_function_table /root/projects/make-4.4.1/obj-san/../src/function.c:2849:3
    #6 0x528ef0 in initialize_global_hash_tables /root/projects/make-4.4.1/obj-san/../src/main.c:647:3
    #7 0x528ef0 in main /root/projects/make-4.4.1/obj-san/../src/main.c:1401:3
    #8 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/hash.c:409:3 in
../src/hash.c:409:3: runtime error: left shift of 1205943864 by 11 places cannot be represented in type 'unsigned int'
    #0 0x508017 in jhash /root/projects/make-4.4.1/obj-san/../src/hash.c:409:3
    #1 0x4f6690 in function_table_entry_hash_1 /root/projects/make-4.4.1/obj-san/../src/function.c:50:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x504808 in hash_insert /root/projects/make-4.4.1/obj-san/../src/hash.c:129:17
    #4 0x504808 in hash_load /root/projects/make-4.4.1/obj-san/../src/hash.c:74:7
    #5 0x4f661b in hash_init_function_table /root/projects/make-4.4.1/obj-san/../src/function.c:2849:3
    #6 0x528ef0 in initialize_global_hash_tables /root/projects/make-4.4.1/obj-san/../src/main.c:647:3
    #7 0x528ef0 in main /root/projects/make-4.4.1/obj-san/../src/main.c:1401:3
    #8 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/hash.c:391:7 in
../src/hash.c:409:3: runtime error: unsigned integer overflow: 3264031308 - 4165512300 cannot be represented in type 'unsigned int'
    #0 0x50802b in jhash /root/projects/make-4.4.1/obj-san/../src/hash.c:409:3
    #1 0x4f6690 in function_table_entry_hash_1 /root/projects/make-4.4.1/obj-san/../src/function.c:50:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x504808 in hash_insert /root/projects/make-4.4.1/obj-san/../src/hash.c:129:17
    #4 0x504808 in hash_load /root/projects/make-4.4.1/obj-san/../src/hash.c:74:7
    #5 0x4f661b in hash_init_function_table /root/projects/make-4.4.1/obj-san/../src/function.c:2849:3
    #6 0x528ef0 in initialize_global_hash_tables /root/projects/make-4.4.1/obj-san/../src/main.c:647:3
    #7 0x528ef0 in main /root/projects/make-4.4.1/obj-san/../src/main.c:1401:3
    #8 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/hash.c:403:7 in
../src/hash.c:409:3: runtime error: unsigned integer overflow: 3801148 - 1209422088 cannot be represented in type 'unsigned int'
    #0 0x508000 in jhash /root/projects/make-4.4.1/obj-san/../src/hash.c:409:3
    #1 0x4f6690 in function_table_entry_hash_1 /root/projects/make-4.4.1/obj-san/../src/function.c:50:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x504808 in hash_insert /root/projects/make-4.4.1/obj-san/../src/hash.c:129:17
    #4 0x504808 in hash_load /root/projects/make-4.4.1/obj-san/../src/hash.c:74:7
    #5 0x4f661b in hash_init_function_table /root/projects/make-4.4.1/obj-san/../src/function.c:2849:3
    #6 0x528ef0 in initialize_global_hash_tables /root/projects/make-4.4.1/obj-san/../src/main.c:647:3
    #7 0x528ef0 in main /root/projects/make-4.4.1/obj-san/../src/main.c:1401:3
    #8 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/hash.c:381:5 in
../src/hash.c:381:5: runtime error: unsigned integer overflow: 787681093 - 2260682814 cannot be represented in type 'unsigned int'
    #0 0x5078d8 in jhash /root/projects/make-4.4.1/obj-san/../src/hash.c:381:5
    #1 0x57a933 in variable_hash_1 /root/projects/make-4.4.1/obj-san/../src/variable.c:148:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x57b027 in define_variable_in_set /root/projects/make-4.4.1/obj-san/../src/variable.c:215:35
    #4 0x52907c in main /root/projects/make-4.4.1/obj-san/../src/main.c:1434:3
    #5 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/hash.c:499:3 in
../src/hash.c:499:3: runtime error: left shift of 2420377685 by 11 places cannot be represented in type 'unsigned int'
    #0 0x5090d6 in jhash_string /root/projects/make-4.4.1/obj-san/../src/hash.c:499:3
    #1 0x578eb8 in str_hash_1 /root/projects/make-4.4.1/obj-san/../src/strcache.c:163:3
    #2 0x504969 in hash_find_slot /root/projects/make-4.4.1/obj-san/../src/hash.c:90:25
    #3 0x57867c in add_hash /root/projects/make-4.4.1/obj-san/../src/strcache.c:193:26
    #4 0x578550 in strcache_add /root/projects/make-4.4.1/obj-san/../src/strcache.c:237:10
    #5 0x53cb4f in expand_command_line_file /root/projects/make-4.4.1/obj-san/../src/main.c:776:8
    #6 0x535d64 in decode_switches /root/projects/make-4.4.1/obj-san/../src/main.c:3285:45
    #7 0x529cd9 in main /root/projects/make-4.4.1/obj-san/../src/main.c:1624:5
    #8 0x7f8415f31d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f8415f31e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420584 in _start (/root/projects/make-4.4.1/obj-san/make+0x420584)

Best regards,
Shuangjie
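Editor's note on the reports above, with an added example that is not code from the report or from GNU make. Every frame in these traces bottoms out in jhash or jhash_string, a hash mixing routine, and every diagnostic is of the kind clang emits under -fsanitize=unsigned-integer-overflow and -fsanitize=unsigned-shift-base: both checks report unsigned arithmetic whose mathematical result does not fit the type, which the C standard defines as reduction modulo 2^N rather than as undefined behaviour, and neither check is part of the -fsanitize=undefined group for that reason. The practical question for a maintainer is therefore whether each wraparound is intended (a hash mixer) or a latent bug (a size computation). The block below reproduces the two operations quoted in the first two reports, shows a lookup3-style mixing step annotated so clang's checker stays active for the rest of the program, and contrasts it with a size computation where the same wrap must be caught. The lookup3 final() structure is my assumption from the rotate counts in the reports, not something the report states; alloc_size and all inputs in main are constructed for illustration.

```c
/* Added example (not GNU make's code): what clang's unsigned-integer-overflow
 * and unsigned-shift-base checks report, and how to separate wraparound that
 * is by design from wraparound that is a bug. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* clang lets the two checks be disabled per function; GCC has no equivalent
 * sanitizer, so the attribute is emitted only under clang. */
#if defined(__clang__)
#define INTENDED_WRAP \
    __attribute__((no_sanitize("unsigned-integer-overflow", "unsigned-shift-base")))
#else
#define INTENDED_WRAP
#endif

/* Modular 32-bit arithmetic exactly as C defines it for unsigned types. The
 * operands are the ones quoted in the first two reports above. */
uint32_t wrapped_add(uint32_t x, uint32_t y) { return x + y; }   /* 3735928566 + 1886610017 -> 1327571287 */
uint32_t wrapped_shl(uint32_t x, unsigned k)  { return x << k; }  /* 1205943864 << 11        -> 166838272  */

/* 32-bit rotate as a macro so it is inlined into the annotated function and
 * the shift inside it is covered by the same no_sanitize annotation. */
#define ROT32(x, k) (((x) << (k)) | ((x) >> (32 - (k))))

/* The final() step of Bob Jenkins' lookup3 (assumed basis of make's jhash).
 * Every subtraction and shift here is meant to wrap; the annotation records
 * that intent so the sanitizer build stays silent here and noisy elsewhere. */
INTENDED_WRAP uint32_t jenkins_final(uint32_t a, uint32_t b, uint32_t c)
{
    c ^= b; c -= ROT32(b, 14);
    a ^= c; a -= ROT32(c, 11);
    b ^= a; b -= ROT32(a, 25);
    c ^= b; c -= ROT32(b, 16);
    a ^= c; a -= ROT32(c, 4);
    b ^= a; b -= ROT32(a, 14);
    c ^= b; c -= ROT32(b, 24);
    return c;
}

/* Where wraparound is NOT intended (a buffer size), the same modular
 * arithmetic silently yields a too-small number and a later overflow.
 * Check it explicitly rather than relying on a sanitizer build to notice.
 * Hypothetical helper; returns false instead of a wrapped size. */
bool alloc_size(size_t count, size_t elem_size, size_t header, size_t *out)
{
    size_t body;
    if (__builtin_mul_overflow(count, elem_size, &body)) return false;
    if (__builtin_add_overflow(body, header, out))       return false;
    return true;
}

int main(void)
{
    size_t n = 0;
    printf("add:   %" PRIu32 "\n", wrapped_add(3735928566u, 1886610017u));
    printf("shl:   %" PRIu32 "\n", wrapped_shl(1205943864u, 11));
    printf("final: %08" PRIx32 "\n", jenkins_final(0xdeadbeef, 0xdeadbeef, 0xdeadbeef));
    printf("size ok (10*8+16): %d -> %zu\n", alloc_size(10, 8, 16, &n), n);
    printf("size ok (SIZE_MAX*2): %d\n", alloc_size(SIZE_MAX, 2, 0, &n));
    return 0;
}
```

To see the reports on this file, build it with clang and the two checks enabled, for example `clang -fsanitize=unsigned-integer-overflow,unsigned-shift-base example.c`: the calls in wrapped_add and wrapped_shl are reported with the same operands as the first two traces above, jenkins_final is not, because of the annotation, and alloc_size never wraps because the builtins return the overflow condition instead of a truncated product. Triage rule of thumb for a report like the ones above: a frame inside a hash or checksum routine is candidate for annotation; a frame inside length, index or allocation arithmetic is a candidate for a real fix.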
