Bug 19571

Summary: Buffer Overflow in libbfd
Product: binutils Reporter: Marcel Böhme <boehme.marcel>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED MOVED    
Severity: critical CC: g.gupta, markus, nickc
Priority: P2    
Version: unspecified   
Target Milestone: ---   
URL: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
Host: Target:
Build: Last reconfirmed:
Attachments: Test case #1
Test Case #2

Description Marcel Böhme 2016-02-05 10:13:55 UTC 
Created attachment 8956 [details]
Test case #1

The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.

Tested on the following configurations
* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* Binutils versions: 2.20 and 2.26

Best regards,
- Marcel
Comment 1 Marcel Böhme 2016-02-05 10:15:14 UTC 
Created attachment 8957 [details]
Test Case #2
Comment 2 Nick Clifton 2016-02-05 10:24:16 UTC 
Hi Marcel,

> The attached program binary causes a buffer overflow in cplus-dem.c when it
> tries to demangle specially crafted function arguments in the binary.

cplus-dem.c is part of the libiberty package, which is not part of the binutils.  Please could you report this problem using the gcc bugzilla system instead ?

When you do, please could you also include details of how to trigger the bug, ie the command that you ran. It would also help if you could say how you detected the bug - are you running the command under valgrind, or did you compile it with sanitization enabled ?

Cheers
  Nick
Comment 3 Marcel Böhme 2016-02-05 10:30:29 UTC 
Hi Nick,

Sure. I'll send the bug report to the gcc bugzilla.

The bug can be triggered with:
objdump -x -C <file>
nm -C <file>

I detected the bug with a modified version of the AFL Fuzzer w/out sanitization.
Comment 4 Markus Trippelsdorf 2016-02-05 10:36:22 UTC 
I don't think it makes any sense to fuzz the demangler with arbitrary binary files.
Comment 5 Nick Clifton 2016-02-05 11:05:35 UTC 
Hi Markus,

> I don't think it makes any sense to fuzz the demangler with arbitrary binary
> files.

The tools (nm, objdump) should be able to cope though.  When I tried running nm for example I received this error message (after a long pause):

  ./binutils/nm-new: out of memory allocating 18446744071629176800 bytes after a total of 3221147648 bytes

We ought to be able to better than this.  Or rather the libiberty demangler should be able to cope better.

Cheers
  Nick
Comment 6 Markus Trippelsdorf 2016-02-05 11:11:13 UTC 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
Comment 7 Gaurav Gupta 2016-05-05 06:27:15 UTC 
It need to apply below patch:
https://github.com/gcc-mirror/gcc/commit/7d235b1b5ea35352c54957ef5530d9a02c46962f