Bug 23767

Summary: Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)
Product: binutils Reporter: wcventure <wcventure>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED INVALID    
Severity: normal CC: amodra, carnil
Priority: P2    
Version: 2.31   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: POC_input

Description wcventure 2018-10-12 20:25:04 UTC 
Created attachment 11321 [details]
POC_input

Hi. We are doing research on Fuzz testing. Our fuzzer caught an Out of Memory problem in program c++filt of the latest binutils(v2.31.1) code base, a malicious input of format strings will cause the LargeMmapAllocator faults and I have confirmed it with address sanitizer too. This Bug is caused by Integer Overflow.

The way to reproduce the bug:
I have provided the POC file and the input(_rttt4tttt6__H7666666666666666666__c). Please use the "./c++filt < $POC" to reproduce the bug. Another way to reproduce this bug is type "c++filt _rttt4tttt6__H7666666666666666666__c" directly. If you have any questions, please let me know.


The ASAN dumps the stack trace as follows:
cplus-dem.c:3597:10: runtime error: signed integer overflow: 766666666 * 10 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
==13543==WARNING: AddressSanitizer failed to allocate 0xfffffffd6ff55550 bytes
==13543==AddressSanitizer's allocator is terminating the process instead of returning 0
==13543==If you don't like this behavior set allocator_may_return_null=1
==13543==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0))
)" (0x0, 0x0)
    #0 0x4c2a2d  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c2a2d)
    #1 0x4c9653  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c9653)
    #2 0x4c71d6  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c71d6)
    #3 0x41efec  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x41efec)
    #4 0x4b9401  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4b9401)
    #5 0x21e42be  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x21e42be)
    #6 0x1ffc3b7  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1ffc3b7)
    #7 0x1fe8a17  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fe8a17)
    #8 0x2039f37  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x2039f37)
    #9 0x1fcbb2c  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fcbb2c)
    #10 0x1fb8b23  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fb8b23)
    #11 0x4eef03  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4eef03)
    #12 0x4ed203  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4ed203)
    #13 0x7f49e9d5182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x419318  (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x419318)

Aborted
Comment 1 wcventure 2018-10-15 09:20:47 UTC 
In cplus-dem.c:3597
   n *= 10;
   n += *p - '0';
   p++;
This testcase will set n = 766666666. 766666666 * 10 cannot be represented in type 'int', which make n have a Integer overflow problem. This problem leads to undefined-behavior.


I will show you the debug process as follow:

> $ gdb --args ./c++filt _rttt4tttt6__H7666666666666666666_
> (gdb) start
> Temporary breakpoint 1 at 0x4ea9a6: file cxxfilt.c, line 172.
> Starting program: /build/bin/c++filt _rttt4tttt6__H7666666666666666666__c
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Temporary breakpoint 1, main (argc=2, argv=0x7fffffffdff8) at cxxfilt.c:172
> 172     {
> (gdb) b cplus-dem.c:3597
> Breakpoint 2 at 0x20171b4: file ./cplus-dem.c, line 3597.
> (gdb) c
> Continuing.
> Breakpoint 2, get_count (type=<optimized out>, count=<optimized out>) at ./cplus-dem.c:3597
> 3597                  n *= 10;
> (gdb) n
> cplus-dem.c:3597:10: runtime error: signed integer overflow: 766666666 * 10 cannot be represented in type 'int'
> SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
> 3598                  n += *p - '0';
> (gdb) n
> 3599                  p++;
Comment 2 Alan Modra 2018-10-16 01:26:19 UTC 
gcc is the owning project for libiberty.  Please report this bug there.
Comment 3 Salvatore Bonaccorso 2019-01-01 22:03:23 UTC 
Was this issue reported to the GCC bugzilla?
Comment 4 wcventure 2019-01-02 05:07:20 UTC 
(In reply to Salvatore Bonaccorso from comment #3)
> Was this issue reported to the GCC bugzilla?

Yes, see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
Comment 5 wcventure 2019-01-02 05:08:56 UTC 
(In reply to wcventure from comment #4)
> (In reply to Salvatore Bonaccorso from comment #3)
> > Was this issue reported to the GCC bugzilla?
> 
> Yes, see
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602

also see 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83472
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79111