Package: uuid
Version: 1.6.2-1.5+b11
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I ran `uuid -d 00000000-0000-1100-a000-000000000000` and noticed that the
time content was strangely formatted with a dot where a digit should be:

encode: STR:     00000000-0000-1100-a000-000000000000
        SIV:     80291759423830037102592
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 1 (time and node based)
        content: time:  60266-07-14 05:26:.747955.2 UTC
                 clock: 8192 (usually random)
                 node:  00:00:00:00:00:00 (global unicast)

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Suspecting memory unsafety, I reran the command in `valgrind` as

valgrind uuid -d 00000000-0000-1100-a000-000000000000

   * What was the outcome of this action?

This showed a number of "use of uninitialized value" errors:

==6046== Memcheck, a memory error detector
==6046== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==6046== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==6046== Command: uuid -d 00000000-0000-1100-a000-000000000000
==6046==
==6046== Conditional jump or move depends on uninitialised value(s)
==6046==    at 0x4846798: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6046==    by 0x485D47A: uuid_str_vsnprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DDE5: uuid_str_vrsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DF03: uuid_str_rsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x48582AA: uuid_export (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x1098DE: ??? (in /usr/bin/uuid)
==6046==    by 0x4889189: (below main) (libc_start_call_main.h:58)
==6046==
==6046== Conditional jump or move depends on uninitialised value(s)
==6046==    at 0x485D509: uuid_str_vsnprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DDE5: uuid_str_vrsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DF03: uuid_str_rsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x48582AA: uuid_export (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x1098DE: ??? (in /usr/bin/uuid)
==6046==    by 0x4889189: (below main) (libc_start_call_main.h:58)
==6046==
==6046== Conditional jump or move depends on uninitialised value(s)
==6046==    at 0x4846798: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6046==    by 0x485D47A: uuid_str_vsnprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DE15: uuid_str_vrsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DF03: uuid_str_rsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x48582AA: uuid_export (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x1098DE: ??? (in /usr/bin/uuid)
==6046==    by 0x4889189: (below main) (libc_start_call_main.h:58)
==6046==
==6046== Conditional jump or move depends on uninitialised value(s)
==6046==    at 0x485D509: uuid_str_vsnprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DE15: uuid_str_vrsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x485DF03: uuid_str_rsprintf (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x48582AA: uuid_export (in /usr/lib/x86_64-linux-gnu/libossp-uuid.so.16.0.22)
==6046==    by 0x1098DE: ??? (in /usr/bin/uuid)
==6046==    by 0x4889189: (below main) (libc_start_call_main.h:58)
==6046==
encode: STR:     00000000-0000-1100-a000-000000000000
        SIV:     80291759423830037102592
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 1 (time and node based)
        content: time:  60266-07-14 05:26:.747955.2 UTC
                 clock: 8192 (usually random)
                 node:  00:00:00:00:00:00 (global unicast)
==6046==
==6046== HEAP SUMMARY:
==6046==     in use at exit: 0 bytes in 0 blocks
==6046==   total heap usage: 18 allocs, 18 frees, 10,431 bytes allocated
==6046==
==6046== All heap blocks were freed -- no leaks are possible
==6046==
==6046== Use --track-origins=yes to see where uninitialised values come from
==6046== For lists of detected and suppressed errors, rerun with: -s
==6046== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)

   * What outcome did you expect instead?

I did not expect any use of uninitialized values, even for malformatted /
strange / out of range UUIDs. Instead the UUID should either be correctly
handled or an error message should be emitted.

-- System Information:
Debian Release: 12.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages uuid depends on:
ii  libc6           2.36-9
ii  libossp-uuid16  1.6.2-1.5+b11

uuid recommends no packages.

uuid suggests no packages.

-- no debconf information
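
Added example (not part of the original report and not OSSP uuid's code): decoding the reported UUID's 60-bit version 1 timestamp shows that it lies before the Unix epoch. Subtracting the epoch offset modulo 2^64 reproduces the `60266-07-14 05:26` date and the `.747955.2` fraction printed in the report, while a range check rejects the value with an error. That the library wraps in this way is an assumption drawn from the matching arithmetic, and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 100 ns ticks from the UUID epoch (1582-10-15) to the Unix epoch (1970-01-01). */
#define UUID_UNIX_OFFSET 0x01B21DD213814000ULL

/* Validate a canonical UUID string and extract its 60-bit version 1 timestamp.
   Returns -1 on malformed text or a version other than 1. */
int uuid_v1_ticks(const char *s, uint64_t *ticks) {
    unsigned lo, mid, hi;
    for (int i = 0; i < 36; i++) {
        int dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i])) return -1;
    }
    if (s[36] || sscanf(s, "%8x-%4x-%4x", &lo, &mid, &hi) != 3 || (hi >> 12) != 1) return -1;
    *ticks = ((uint64_t)(hi & 0x0FFF) << 48) | ((uint64_t)mid << 32) | lo;
    return 0;
}

/* Year/month/day for a non-negative day count since 1970-01-01 (Gregorian). */
void civil_from_days(uint64_t days, uint64_t *y, unsigned *m, unsigned *d) {
    uint64_t z = days + 719468, era = z / 146097;
    unsigned doe = (unsigned)(z % 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100), mp = (5 * doy + 2) / 153;
    *d = doy - (153 * mp + 2) / 5 + 1;
    *m = mp < 10 ? mp + 3 : mp - 9;
    *y = yoe + era * 400 + (*m <= 2);
}

/* Format the timestamp as UTC. With allow_wrap == 0 a pre-1970 value is rejected (-1);
   otherwise the subtraction wraps modulo 2^64 (assumed model of unchecked unsigned code). */
int format_time(uint64_t ticks, int allow_wrap, char *out, size_t n) {
    if (!allow_wrap && ticks < UUID_UNIX_OFFSET) return -1;
    uint64_t t = ticks - UUID_UNIX_OFFSET, s = t / 10000000, y;
    unsigned f = (unsigned)(t % 10000000), m, d;
    civil_from_days(s / 86400, &y, &m, &d);
    return snprintf(out, n, "%llu-%02u-%02u %02u:%02u:%02u.%06u.%u",
                    (unsigned long long)y, m, d, (unsigned)(s % 86400 / 3600),
                    (unsigned)(s % 3600 / 60), (unsigned)(s % 60), f / 10, f % 10);
}

int main(void) {
    char buf[64]; uint64_t t;  /* the UUID below is the one from the report */
    if (!uuid_v1_ticks("00000000-0000-1100-a000-000000000000", &t)
        && format_time(t, 1, buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```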