A buffer overflow in cplus-dem.c (GNU Libiberty) is caused when GDB tries to demangle specially crafted function arguments in the binary. Both the buffer size and the buffer content are controlled from the binary.

Upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Steps to reproduce:

$ cat compileme.c
#include <stdio.h>
const char *__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000="deadbeef";
int main() {
    printf("%s\n",__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000);
}
$ g++ compileme.c -o debugme
$ gdb debugme ..
With current master, I get:

$ gdb -ex "demangle -l c++ __020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000"
GNU gdb (GDB) 7.12.50.20160808-git
[...]
/home/pedro/gdb/mygit/src/gdb/utils.c:1096: internal-error: virtual memory exhausted: can't allocate 2147483647 bytes.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)

(and it takes quite a bit to reach that.)

Is this expected? AFAICS, the relevant patches mentioned in gcc PR69687 have been merged to gdb/binutils master already.
This observation is correct and was discussed in the code review of the patch for PR/19597. The problem is that the untrusted binary can specify the number of iterations for a certain loop to be arbitrarily high resulting in an integer overflow and subsequently in a buffer overflow. Bounding the number of loop iterations is not an option (https://gcc.gnu.org/ml/gcc-patches/2016-03/msg00181.html). So we settled for preventing the integer overflow (which happens only after a few minutes) and aborting with xmalloc_failed (https://gcc.gnu.org/ml/gcc-patches/2016-04/msg00072.html). The conclusion was that the buffer overflow vulnerability is gone and -- assuming that normal binaries do not specify such a high number of loop iterations -- the exhausted memory after a long wait might not be a bug in practical terms.
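The bug class described in this comment (an untrusted repeat count feeding a size computation that wraps, so a tiny buffer is allocated and then overrun, with the fix being to detect the overflow and refuse the allocation) as an added C illustration; this is constructed example code, not the libiberty or GDB source, and the names `unchecked_alloc_size`, `checked_alloc_size` and `repeat_piece` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: size_t multiplication wraps silently, so an
   attacker-chosen `count` can yield a small result. A caller that
   allocates this many bytes and then writes count*elem_len bytes into
   it overruns the heap buffer. Returns the (possibly wrapped) size. */
size_t unchecked_alloc_size(size_t count, size_t elem_len)
{
    return count * elem_len;          /* wraps modulo SIZE_MAX + 1 */
}

/* Hardened pattern in the spirit of the fix discussed above: detect the
   overflow before allocating and fail instead of producing a wrapped
   size. Returns the byte count including a NUL terminator, or 0 on
   overflow (0 is never a valid result because of the +1). */
size_t checked_alloc_size(size_t count, size_t elem_len)
{
    if (elem_len != 0 && count > SIZE_MAX / elem_len)
        return 0;                     /* count * elem_len would wrap */
    size_t total = count * elem_len;
    if (total == SIZE_MAX)
        return 0;                     /* no room for the terminator */
    return total + 1;
}

/* Build a string made of `count` copies of `piece` using the checked
   size; returns NULL (the analogue of bailing out via xmalloc_failed)
   when the size computation would overflow or malloc fails. */
char *repeat_piece(const char *piece, size_t count)
{
    size_t len = strlen(piece);
    size_t total = checked_alloc_size(count, len);
    if (total == 0)
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * len, piece, len);   /* stays inside buf */
    buf[total - 1] = '\0';
    return buf;
}
```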
OK, thanks. And thanks for all the demangler fixes. I'll see about cherry picking master's last libiberty sync to the gdb 7.12 branch.
Now done: https://sourceware.org/ml/gdb-patches/2016-08/msg00112.html If you're aware of other gdb demangler PRs that might now be fixed, please go ahead and mark them as fixed.