Created attachment 8956
Test case #1
The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size and the buffer content are controlled from the binary.
Tested on the following configurations:
* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* Binutils versions: 2.20 and 2.26
Created attachment 8957
Test Case #2
> The attached program binary causes a buffer overflow in cplus-dem.c when it
> tries to demangle specially crafted function arguments in the binary.
cplus-dem.c is part of the libiberty package, which is not part of binutils. Please could you report this problem using the gcc bugzilla system instead?
When you do, please could you also include details of how to trigger the bug, i.e. the command that you ran. It would also help if you could say how you detected the bug: are you running the command under valgrind, or did you compile it with sanitization enabled?
Sure. I'll send the bug report to the gcc bugzilla.
The bug can be triggered with:
objdump -x -C <file>
nm -C <file>
I detected the bug with a modified version of the AFL fuzzer without sanitization.
I don't think it makes any sense to fuzz the demangler with arbitrary binary files.
> I don't think it makes any sense to fuzz the demangler with arbitrary binary
The tools (nm, objdump) should be able to cope though. When I tried running nm for example I received this error message (after a long pause):
./binutils/nm-new: out of memory allocating 18446744071629176800 bytes after a total of 3221147648 bytes
We ought to be able to do better than this. Or rather, the libiberty demangler should be able to cope better.
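As an added illustration of the bug class discussed in this thread (this is not code from libiberty, cplus-dem.c or the attached test cases): a length-prefixed token parser of the sort an old-style C++ demangler uses for identifiers such as `3foo`. The naive version accumulates the count in a 32-bit int with no overflow check, so a long digit run wraps negative and, once converted to size_t for an allocation, turns into a request for roughly 2^64 bytes of the same shape as the "out of memory allocating 18446744071629176800 bytes" message above. The hardened version rejects overflow and any count that exceeds the remaining input or the destination buffer. The function names, the two-step parse/copy structure and the sample mangled strings are my own assumptions for the demonstration, not the demangler's actual code or the actual crashing input.

```c
/* Added example: a length-prefixed identifier parser, naive vs. hardened.
 * Not libiberty code; illustrates how an unchecked count taken from the
 * input becomes a huge size_t (wrapped negative int) or a buffer overflow. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive count parser: trusts the digit run from the input.  Accumulation is
 * done in uint32_t so the wrap itself is well defined; the value is then
 * returned as int, which on two's-complement targets (gcc/clang) goes
 * negative once the count passes 2^31-1.  This mirrors a 32-bit 'int count'
 * that a parser never bounds-checks. */
static int naive_consume_count(const char **p)
{
    uint32_t acc = 0;
    while (**p >= '0' && **p <= '9') {
        acc = acc * 10u + (uint32_t)(**p - '0');
        (*p)++;
    }
    return (int32_t)acc;
}

/* The allocation size a naive caller would pass to malloc/xmalloc:
 * (size_t) of a negative int sign-extends to a value just below 2^64. */
size_t naive_requested_size(const char *mangled)
{
    const char *p = mangled;
    int count = naive_consume_count(&p);
    return (size_t)count;
}

/* Hardened parser: a count is mandatory, must not overflow size_t, must not
 * claim more bytes than remain in the input, and must fit the caller's
 * buffer.  Returns 0 on success (out holds the identifier), -1 on any
 * malformed input. */
int safe_parse_ident(const char *mangled, char *out, size_t outlen)
{
    const char *p = mangled;
    size_t count = 0;

    if (*p < '0' || *p > '9')
        return -1;                          /* no count present */

    while (*p >= '0' && *p <= '9') {
        unsigned d = (unsigned)(*p - '0');
        if (count > (SIZE_MAX - d) / 10)
            return -1;                      /* count * 10 + d would overflow */
        count = count * 10 + d;
        p++;
    }

    if (count > strlen(p))
        return -1;                          /* count exceeds remaining input */
    if (outlen == 0 || count >= outlen)
        return -1;                          /* would not fit the destination */

    memcpy(out, p, count);
    out[count] = '\0';
    return 0;
}

/* Convenience wrapper: parse into a local buffer and compare with the
 * expected identifier.  Returns 1 on match, 0 on rejection or mismatch. */
int safe_ident_matches(const char *mangled, const char *expected)
{
    char buf[64];
    if (safe_parse_ident(mangled, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one benign, one with a count of 2^31 that
     * wraps negative in the naive parser. */
    const char *benign = "3foo";
    const char *hostile = "2147483648foo";

    printf("naive size for %-14s = %zu\n", benign, naive_requested_size(benign));
    printf("naive size for %-14s = %zu\n", hostile, naive_requested_size(hostile));
    printf("safe parse of %-15s -> %s\n", benign,
           safe_ident_matches(benign, "foo") ? "ok (\"foo\")" : "rejected");
    printf("safe parse of %-15s -> %s\n", hostile,
           safe_ident_matches(hostile, "foo") ? "ok" : "rejected");
    return 0;
}
```

The hardened check that matters most is `count > strlen(p)`: a demangler that copies or allocates based on an input-supplied count without bounding it against the bytes actually present is exactly the pattern a fuzzer hits with garbage in the symbol table, whether the result is an absurd allocation request or an out-of-bounds copy.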
The patch below needs to be applied: