[fedora-arm] Broken sha512sum in coreutils

Gordan Bobic gordan at bobich.net
Fri Jan 7 14:51:01 UTC 2011


Gordan Bobic wrote:
> Andy Green wrote:
>> On 01/07/11 10:40, Somebody in the thread at some point said:
>>> It would appear that sha512sum is broken, at least in the F12 distro
>>> (coreutils-7.6-5.fc12.fa1.armv5tel). It is producing a different hash
>>> for the same file compared to what my x86 machines produce. This is
>>> quite worrying and a potentially dangerous crypto-security issue.
>>>
>>> The only thing that comes to mind as a potential cause (other than a
>>> bug) is that I am using gcc/libgcc from F13 with F12 coreutils. I just
>>> updated coreutils to the F13 package (coreutils-8.4-5.fc13.armv5tel),
>>> and that produces the correct hashes.
>>>
>>> Can anybody with a clean F12 vanilla copy check if they can reproduce
>>> the problem?
>> No problem here.
>>
>> ARM: coreutils-7.6-5.fc12.fa1.armv5tel
>>
>> [root@ivmon ~]# dd if=/dev/zero of=/tmp/z bs=512 count=10
>> 10+0 records in
>> 10+0 records out
>> 5120 bytes (5.1 kB) copied, 0.000959 s, 5.3 MB/s
>> [root@ivmon ~]# sha512sum /tmp/z
>> 1f1e6f098e99bb0ab52c3142f0fb545b00470d267823d44fd609fdaae1a6f45fb437de931fa16bbb4a702c0cba7abb9954b737ff4edb30f16ae39a2c67ee6bb7  /tmp/z
>> [root@ivmon ~]#
>>
>>
>> x86_64: coreutils-8.8-2.fc15.x86_64
>>
>> [agreen@otae Downloads]$ dd if=/dev/zero of=/tmp/z bs=512 count=10
>> 10+0 records in
>> 10+0 records out
>> 5120 bytes (5.1 kB) copied, 7.6686e-05 s, 66.8 MB/s
>> [agreen@otae Downloads]$ sha512sum /tmp/z
>> 1f1e6f098e99bb0ab52c3142f0fb545b00470d267823d44fd609fdaae1a6f45fb437de931fa16bbb4a702c0cba7abb9954b737ff4edb30f16ae39a2c67ee6bb7  /tmp/z
>> [agreen@otae Downloads]$
>>
>> Check with ldd what it is linking to.
> 
> Thanks for that. I'll check as soon as I get my vserver chroots going. 
> I'll put a clean F12 from the backup I took in there and see what it 
> does. Hopefully it's just a libgcc mismatch issue - which would be 
> worrying, but it'd only arise in a franken-distro half way between F12 
> and F13 (which is, sadly, all I have handy at the moment).

OK, this is deeply weird. My F12 rootfs in a chroot is again showing the 
broken behaviour:

[root@sheeva /]# sha512sum /vservers/f12/test-file
9d5f70ef2b126ada3750027b5cd8d2a97c96c66d334385ffea5ae1e7cfd596e1e5ac6930f47b95c5b5b916a3709ba1e1ed3be5e0e47d0327f873ea84bedab2fa  /vservers/f12/test-file
[root@sheeva /]# vserver f12 enter
[root@f12 /]# sha512sum /test-file
3e6984afdbbdc6012df975d70ddbde5166dd216271387a89c4970d6927b461adeb5815453bd994a24566cb9bd04910f62850e1b9f922d7ec4d28b7ef0629e61b  /test-file

It's the same file, but the computed hash is different. That indicates 
that it's not a mismatched libgcc linking issue (*phew*).


On the broken machine:

[root@f12 /]# rpm -qa | grep -i coreutils
coreutils-libs-7.6-5.fc12.fa1.armv5tel
coreutils-7.6-5.fc12.fa1.armv5tel

[root@f12 /]# ldd /usr/bin/sha512sum
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x40241000)
	libc.so.6 => /lib/libc.so.6 (0x40254000)
	/lib/ld-linux.so.3 (0x40092000)



On the working machine:

[root@sheeva /]# rpm -qa | grep coreutils
coreutils-8.4-5.fc13.armv5tel
coreutils-libs-8.4-5.fc13.armv5tel

[root@sheeva /]# ldd /usr/bin/sha512sum
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x401c2000)
	libc.so.6 => /lib/libc.so.6 (0x401d5000)
	/lib/ld-linux.so.3 (0x4008d000)

So the linking seems to be the same. The only packages that are 
different between the two are the gcc stuff updated to f13 (which didn't 
cause the problem in the first place) and the coreutils. The fc13 
coreutils package fixed it.

Have you got an md5sum of the sha512 binary? Mine is:
[root@sheeva ~]# md5sum /vservers/f12/usr/bin/sha512sum
7667ac4b53249e53533860518e916719  /vservers/f12/usr/bin/sha512sum

It's the only thing I can think of right now, since your coreutils 
version is exactly the same as mine, and mine is verifiably and 
consistently producing wrong hashes.

Gordan
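
An added example, not part of the original message: a known-answer self-test that tells you whether a given sha512sum binary can be trusted before you compare its output across machines. It checks the NIST "abc" vector and the 5120-zero-byte digest that both machines print earlier in this thread; the function names `digest_of` and `kat` are made up for this sketch.

```shell
#!/bin/sh
# Known-answer test (KAT) for a SHA-512 command-line tool.

# NIST FIPS 180 test vector: SHA-512 of the 3-byte message "abc".
ABC_SHA512=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
# SHA-512 of 5120 zero bytes, as printed by both machines in the thread.
ZERO_SHA512=1f1e6f098e99bb0ab52c3142f0fb545b00470d267823d44fd609fdaae1a6f45fb437de931fa16bbb4a702c0cba7abb9954b737ff4edb30f16ae39a2c67ee6bb7

# digest_of CMD...: hash stdin with CMD and print only the hex digest.
digest_of() {
    "$@" | awk '{ print $1; exit }'
}

# kat CMD...: return 0 only if CMD reproduces every known digest.
kat() {
    kat_rc=0
    got=$(printf 'abc' | digest_of "$@")
    if [ "$got" != "$ABC_SHA512" ]; then
        echo "FAIL abc: got ${got:-nothing}" >&2
        kat_rc=1
    fi
    # Same input the thread generates with dd: 10 blocks of 512 zero bytes.
    got=$(dd if=/dev/zero bs=512 count=10 2>/dev/null | digest_of "$@")
    if [ "$got" != "$ZERO_SHA512" ]; then
        echo "FAIL 5120 zero bytes: got ${got:-nothing}" >&2
        kat_rc=1
    fi
    return "$kat_rc"
}

# Test the sha512sum on PATH, or the command given as arguments.
[ "$#" -gt 0 ] || set -- sha512sum
if kat "$@"; then
    echo "OK: $* reproduces the known digests"
else
    echo "MISMATCH: do not rely on hashes produced by $*"
fi
```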

