Bug 19571 - Buffer Overflow in libbfd
Summary: Buffer Overflow in libbfd
Status: RESOLVED MOVED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: unspecified
: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL: https://gcc.gnu.org/bugzilla/show_bug...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-05 10:13 UTC by Marcel Böhme
Modified: 2016-05-05 06:27 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Test case #1 (71 bytes, application/octet-stream)
2016-02-05 10:13 UTC, Marcel Böhme
Details
Test Case #2 (185 bytes, application/octet-stream)
2016-02-05 10:15 UTC, Marcel Böhme
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Böhme 2016-02-05 10:13:55 UTC
Created attachment 8956 [details]
Test case #1

The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.

Tested on the following configurations
* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* Binutils versions: 2.20 and 2.26

Best regards,
- Marcel
Comment 1 Marcel Böhme 2016-02-05 10:15:14 UTC
Created attachment 8957 [details]
Test Case #2
Comment 2 Nick Clifton 2016-02-05 10:24:16 UTC
Hi Marcel,

> The attached program binary causes a buffer overflow in cplus-dem.c when it
> tries to demangle specially crafted function arguments in the binary.

cplus-dem.c is part of the libiberty package, which is not part of the binutils.  Please could you report this problem using the gcc bugzilla system instead ?

When you do, please could you also include details of how to trigger the bug, ie the command that you ran. It would also help if you could say how you detected the bug - are you running the command under valgrind, or did you compile it with sanitization enabled ?

Cheers
  Nick
Comment 3 Marcel Böhme 2016-02-05 10:30:29 UTC
Hi Nick,

Sure. I'll send the bug report to the gcc bugzilla.

The bug can be triggered with:
objdump -x -C <file>
nm -C <file>

I detected the bug with a modified version of the AFL Fuzzer w/out sanitization.
Comment 4 Markus Trippelsdorf 2016-02-05 10:36:22 UTC
I don't think it makes any sense to fuzz the demangler with arbitrary binary files.
Comment 5 Nick Clifton 2016-02-05 11:05:35 UTC
Hi Markus,

> I don't think it makes any sense to fuzz the demangler with arbitrary binary
> files.

The tools (nm, objdump) should be able to cope though.  When I tried running nm for example I received this error message (after a long pause):

  ./binutils/nm-new: out of memory allocating 18446744071629176800 bytes after a total of 3221147648 bytes

We ought to be able to better than this.  Or rather the libiberty demangler should be able to cope better.

Cheers
  Nick
Comment 6 Markus Trippelsdorf 2016-02-05 11:11:13 UTC
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
Comment 7 Gaurav Gupta 2016-05-05 06:27:15 UTC
It need to apply below patch:
https://github.com/gcc-mirror/gcc/commit/7d235b1b5ea35352c54957ef5530d9a02c46962f