22710 – Signed Integer Overflow (71889280)

Bug 22710 - Signed Integer Overflow (71889280)

Summary: Signed Integer Overflow (71889280)

Status:	RESOLVED INVALID

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.30

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-01-15 10:35 UTC by Google-Autofuzz
Modified:	2018-03-31 12:38 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
Project(s) to access:
ssh public key:

Attachments
poc and dockerfile to reproduce (1.41 KB, application/zip) 2018-01-15 10:35 UTC, Google-Autofuzz	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Google-Autofuzz 2018-01-15 10:35:07 UTC

Created attachment 10745 [details]
poc and dockerfile to reproduce

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master 58807c48a5a317ad3e2d39a8755168a3d4d5fdf8).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.binutils /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 3029575691
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10: runtime error: signed integer overflow: 777777777 * 10 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10 in 

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

Comment 1 Nick Clifton 2018-02-06 17:27:03 UTC

Hi Google-Autofuzz,

  Thanks very much for reporting this problem.  Unfortunately bugs in the
  libiberty library, including the C++ name demangler, should be reported
  to the GCC project and not the binutils.  (https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc component = demangler).

  The libiberty library is used by the binutils project, but it is not
  owned by it.  We try to keep the sources in the binutils repository
  in sync with the sources in the gcc repository, but there is no formal
  process for doing this.  So sometimes it may happen that a bug has been
  fixed in the gcc sources, but the patch has not yet been imported into
  the binutils sources.  If you find that this is the case, please do let
  us know so that we can fix the problem.

Cheers
  Nick