Bug 21878 - Memory leak in demangle
Summary: Memory leak in demangle
Status: RESOLVED INVALID
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-01 19:56 UTC by Google-Autofuzz
Modified: 2018-05-09 08:30 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
binutils docker file (1.26 KB, text/plain)
2017-08-01 19:56 UTC, Google-Autofuzz
Details
Demangle PoC (14 bytes, text/plain)
2017-08-01 19:57 UTC, Google-Autofuzz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Google-Autofuzz 2017-08-01 19:56:12 UTC
Created attachment 10301 [details]
binutils docker file

Hello binutils team,
 
As part of our fuzzing efforts at Google, we have identified an issue affecting binutils (tested with revision 7639175c9add472d9271318996547a57acbcc062).  To reproduce we are attaching a dockerfile to help compiling the project with the LLVM taking advantage of the sanitizers that it offers.
 
Attached is a dockerfile that can be used for reproduction.  More information about how to use the dockerfile can be found here:  https://docs.docker.com/engine/reference/builder/
TL;DR instructions:
mkdir binutils
cp Dockerfile /path/to/binutils
docker build --no-cache /path/to/binutils
docker run -it <image id>
(from another terminal, outside the container):
docker cp /path/to/attached/reproducer <container id>:/fuzzing/
https://docs.docker.com/engine/reference/commandline/cp/
(back inside the container) /fuzzing/repro.sh /fuzzing/reproducer
 
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.
 
The sanitizer error that we encountered is here:
 
 ==3170==ERROR: LeakSanitizer: detected memory leaks
 
  Direct leak of 8 byte(s) in 1 object(s) allocated from:
      #0 0x4cd488 in __interceptor_malloc (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4cd488)
      #1 0x52f179 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
      #2 0x50fb7e in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2228:27
      #3 0x50e30d in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1691:18
      #4 0x50bc20 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
      #5 0x50a99c in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
      #6 0x50847d in LLVMFuzzerTestOneInput /fuzzing/binutils-gdb/build/../libiberty/demangle_fuzzer.cc:11:20
      #7 0x535eec in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x535eec)
      #8 0x52f3bc in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x52f3bc)
 
  Indirect leak of 1 byte(s) in 1 object(s) allocated from:
      #0 0x4cd488 in __interceptor_malloc (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4cd488)
      #1 0x52f179 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
      #2 0x5100db in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2327:31
      #3 0x50e30d in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1691:18
      #4 0x50bc20 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
      #5 0x50a99c in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
      #6 0x50847d in LLVMFuzzerTestOneInput /fuzzing/binutils-gdb/build/../libiberty/demangle_fuzzer.cc:11:20
      #7 0x535eec in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x535eec)
      #8 0x52f3bc in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x52f3bc)
 
  SUMMARY: AddressSanitizer: 9 byte(s) leaked in 2 allocation(s). 
 
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
 
Once you have reproduced the issue, we’d appreciate to learn your expected timeline for an update to be released. With any fix, please attribute the report to “Google Autofuzz project”.
 
We are also pleased to inform you that your project is eligible for inclusion to the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options (https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md).
 
Don’t hesitate to let us know if you have any questions!
 
Google AutoFuzz Team
Comment 1 Google-Autofuzz 2017-08-01 19:57:32 UTC
Created attachment 10302 [details]
Demangle PoC
Comment 2 Google-Autofuzz 2017-08-02 00:38:09 UTC
Resolving in favor of reporting directly to GCC.
Comment 3 Google-Autofuzz 2017-08-03 23:18:08 UTC
GCC indicated that this was the proper component for our report since this only reproduces with binutils, apologies for the noise.
Comment 4 Alan Modra 2018-05-09 08:30:40 UTC
Not a binutils bug.