Bug 19597 - Buffer Overflow during Demangling
Summary: Buffer Overflow during Demangling
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: c++
Version: unknown
Importance: P2 critical
Target Milestone: 7.12
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-10 14:33 UTC by Marcel Böhme
Modified: 2016-08-09 12:18 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Description Marcel Böhme 2016-02-10 14:33:32 UTC
A buffer overflow in cplus-dem.c (GNU Libiberty) is caused when GDB tries to demangle specially crafted function arguments in the binary. Both the buffer size and the buffer content are controlled from the binary.

Upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Steps to reproduce:

$ cat compileme.c
#include <stdio.h>
/* Identifier crafted so that GDB's demangler treats it as a mangled name;
   the digit runs embedded in it (e.g. 99999999) presumably supply the
   loop count referred to in Comment 2. */
const char *__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000="deadbeef";
int main() {
  printf("%s\n",__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000);
  return 0;
}

$ g++ compileme.c -o debugme
$ gdb debugme
..
Comment 1 Pedro Alves 2016-08-08 16:04:07 UTC
With current master, I get:

 $ gdb -ex "demangle -l c++ __020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000"
 GNU gdb (GDB) 7.12.50.20160808-git
 [...]
 /home/pedro/gdb/mygit/src/gdb/utils.c:1096: internal-error: virtual memory exhausted: can't allocate 2147483647 bytes.
 A problem internal to GDB has been detected,
 further debugging may prove unreliable.
 Quit this debugging session? (y or n) 

(and it takes quite a bit to reach that.)

Is this expected?  AFAICS, the relevant patches mentioned in gcc PR69687 have been merged to gdb/binutils master already.
Comment 2 Marcel Böhme 2016-08-09 03:23:00 UTC
This observation is correct and was discussed in the code review of the patch for PR/19597. The problem is that the untrusted binary can specify the number of iterations for a certain loop to be arbitrarily high resulting in an integer overflow and subsequently in a buffer overflow. Bounding the number of loop iterations is not an option (https://gcc.gnu.org/ml/gcc-patches/2016-03/msg00181.html). So we settled for preventing the integer overflow (which happens only after a few minutes) and aborting with xmalloc_failed (https://gcc.gnu.org/ml/gcc-patches/2016-04/msg00072.html).

The conclusion was that the buffer overflow vulnerability is gone and -- assuming that normal binaries do not specify such a high number of loop iterations -- the exhausted memory after a long wait might not be a bug in practical terms.
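The bug class Comment 2 describes, as an added example that is neither the reporter's reproducer nor libiberty's code: an attacker-chosen repeat count is multiplied by a piece length to size a buffer, the product wraps in 32 bits, and the copy loop that follows overruns the under-sized allocation. The hardened sizing refuses before any arithmetic can wrap. The parser, the MAX_BUF cap (set to INT_MAX to mirror the 2147483647-byte request in Comment 1) and all function names are assumptions for illustration; libiberty's real fix aborts through xmalloc_failed where this example returns -1.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a single buffer, chosen to match the 2147483647-byte
   request seen in Comment 1; not libiberty's own constant. */
#define MAX_BUF INT_MAX

/* Constructed 64-byte piece used by the examples below. */
static const char PIECE64[] =
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

/* Parse a decimal repeat count such as the 99999999 in the reporter's
   symbol. Returns digits consumed, or 0 if none or if the value does not
   fit in an int (accumulated in long long so the parser itself cannot wrap). */
static size_t parse_count(const char *s, int *out)
{
    long long v = 0;
    size_t i = 0;
    for (; s[i] >= '0' && s[i] <= '9'; i++) {
        v = v * 10 + (s[i] - '0');
        if (v > INT_MAX)
            return 0;
    }
    if (i == 0)
        return 0;
    *out = (int)v;
    return i;
}

/* Vulnerable sizing: the product is formed in 32 bits, so a large count
   wraps and the allocation is far smaller than what the copy loop writes.
   Shown for contrast only; never used to size a buffer in this file. */
static unsigned int needed_unchecked(int count, size_t piece_len)
{
    return (unsigned int)count * (unsigned int)piece_len;
}

/* Hardened sizing in the shape Comment 2 describes: reject before the
   multiplication can wrap or exceed the cap. Returns 0 and sets *need on
   success, -1 when the request is unrepresentable. */
static int needed_checked(int count, size_t piece_len, size_t *need)
{
    if (count < 0)
        return -1;
    if (piece_len == 0) {
        *need = 0;
        return 0;
    }
    if ((size_t)count > (size_t)MAX_BUF / piece_len)
        return -1;
    *need = (size_t)count * piece_len;
    return 0;
}

/* Expand "<count>" + piece into piece repeated count times. Returns the
   result length (buffer stored in *out, caller frees) or -1 when the count
   is malformed or the size check fails. */
static long expand_repeat(const char *count_str, const char *piece, char **out)
{
    int count;
    size_t need, piece_len = strlen(piece);
    if (parse_count(count_str, &count) == 0)
        return -1;
    if (needed_checked(count, piece_len, &need) != 0)
        return -1;
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return -1;
    for (int i = 0; i < count; i++)
        memcpy(buf + (size_t)i * piece_len, piece, piece_len);
    buf[need] = '\0';
    *out = buf;
    return (long)need;
}

/* Convenience predicates for checking behaviour without leaking buffers. */
static int expands_to(const char *count_str, const char *piece, const char *expected)
{
    char *s = NULL;
    long n = expand_repeat(count_str, piece, &s);
    if (n < 0)
        return 0;
    int ok = (size_t)n == strlen(expected) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

static int rejected(const char *count_str, const char *piece)
{
    char *s = NULL;
    long n = expand_repeat(count_str, piece, &s);
    if (n >= 0) {
        free(s);
        return 0;
    }
    return 1;
}

static int fits(int count, size_t piece_len)
{
    size_t need;
    return needed_checked(count, piece_len, &need) == 0;
}

int main(void)
{
    printf("3 x \"ab\": %s\n", expands_to("3", "ab", "ababab") ? "ok" : "bad");
    printf("wrapped size for 99999999 x 64 bytes: %u (true size %llu)\n",
           needed_unchecked(99999999, 64), 99999999ULL * 64ULL);
    printf("99999999 x 64 bytes: %s\n",
           rejected("99999999", PIECE64) ? "rejected" : "allocated");
    return 0;
}
```

The check in needed_checked divides the cap by the piece length rather than multiplying first, which is the only way to keep the comparison itself free of overflow; the same idea applies whatever the cap is, and, as Comment 2 notes, a cap does not stop a legitimately huge request from exhausting memory after a long wait.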
Comment 3 Pedro Alves 2016-08-09 11:43:09 UTC
OK, thanks.  And thanks for all the demangler fixes.

I'll see about cherry picking master's last libiberty sync to the gdb 7.12 branch.
Comment 4 Pedro Alves 2016-08-09 12:18:06 UTC
Now done:

 https://sourceware.org/ml/gdb-patches/2016-08/msg00112.html

If you're aware of other gdb demangler PRs that might now be fixed, please go ahead and mark them as fixed.