Bug 22886 - Timeout at cplus-dem.c (73658672)
Summary: Timeout at cplus-dem.c (73658672)
Status: RESOLVED MOVED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-24 00:17 UTC by Google-Autofuzz
Modified: 2018-03-31 12:34 UTC
CC List: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Dockerfile and poc (1.44 KB, application/zip)
2018-02-24 00:17 UTC, Google-Autofuzz

Description Google-Autofuzz 2018-02-24 00:17:19 UTC
Created attachment 10848
Dockerfile and poc

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master 5bce538d6a6ec216bfbfa7484f356b396dd4da9e).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.binutils /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run --cap-add=SYS_PTRACE -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 151352331
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
ALARM: working on the last Unit for 25 seconds
       and the timeout value is 25 (use -timeout=N to change)
==11== ERROR: libFuzzer: timeout after 25 seconds
    #0 0x4da793 in __sanitizer_print_stack_trace (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4da793)
    #1 0x535e67 in fuzzer::Fuzzer::AlarmCallback() (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x535e67)
    #2 0x7f2984ebe0bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x110bf)
    #3 0x4edb08 in __sanitizer::StackDepotPut(__sanitizer::StackTrace) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4edb08)
    #4 0x424392 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x424392)
    #5 0x4cd464 in __interceptor_malloc (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4cd464)
    #6 0x530a29 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
    #7 0x51175b in string_need /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4906:21
    #8 0x5111ee in string_appends /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4974:7
    #9 0x518327 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4295:7
    #10 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #11 0x50e229 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #12 0x50bc20 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #13 0x50a98c in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #14 0x50847d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #15 0x53779c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53779c)
    #16 0x536f5e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x536f5e)
    #17 0x530dbd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530dbd)
    #18 0x53228f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53228f)
    #19 0x530c6c in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530c6c)
    #20 0x7f298450b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x41db69 in _start (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41db69)

SUMMARY: libFuzzer: timeout

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
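An added helper for triaging this class of finding outside the Docker harness (example script, not part of the report or of binutils): it runs a command under a wall-clock deadline with coreutils timeout(1) and classifies the outcome as a hang, a signal death or a clean exit, then feeds the attached reproducer to c++filt, which calls the same libiberty cplus_demangle entry point as the fuzzer. The 25-second budget matches the libFuzzer default in the log; the c++filt and poc paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or binutils).
# Assumes GNU coreutils timeout(1) is on PATH.

# classify_run SECONDS CMD [ARGS...]
# Runs CMD under a SECONDS deadline (stdin is inherited, so a reproducer
# can be redirected into it) and prints one of:
#   ok            clean exit
#   hang          deadline hit (timeout exits 124, or 137 after -k KILL)
#   crash:<sig>   CMD died on a signal, e.g. crash:6 for an ASan abort
#   error:<n>     CMD exited with a non-zero status n
classify_run() {
    deadline=$1; shift
    # The if/else keeps a non-zero status from tripping set -e callers.
    if timeout -k 2 "$deadline" "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 124 ] || [ "$status" -eq 137 ]; then
        echo hang
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# reproduce_demangle POC_FILE [CXXFILT]
# Feeds the fuzzer's reproducer to c++filt on stdin, the way the
# demangle_fuzzer harness feeds cplus_demangle, with the same 25 s budget.
reproduce_demangle() {
    poc=$1
    cxxfilt=${2:-c++filt}           # assumption: binutils c++filt on PATH
    classify_run 25 "$cxxfilt" < "$poc"
}

# Example invocation with placeholder paths (not run by the tests below):
# reproduce_demangle /tmp/poc /fuzzing/binutils-gdb/build/binutils/c++filt
```

A result of `hang` confirms the finding independently of libFuzzer's alarm; `crash:6` would indicate the sanitizer aborted instead, which is a different bug class.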
Comment 1 Alan Modra 2018-02-27 06:37:25 UTC
Demangler bugs belong with the gcc project.  The testcase added to a similar bug there, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81682