Bug 23059 - OOM-Bug in cxxfilt (binutils-2.30-15ubuntu1)
Summary: OOM-Bug in cxxfilt (binutils-2.30-15ubuntu1)
Status: RESOLVED MOVED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-13 13:31 UTC by Sergej Schumilo
Modified: 2019-10-11 08:55 UTC (History)
3 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
cxxfilt ASAN executable, ASAN report and causing input (3.25 MB, application/zip)
2018-04-13 13:31 UTC, Sergej Schumilo
Description Sergej Schumilo 2018-04-13 13:31:18 UTC
Created attachment 10947
cxxfilt ASAN executable, ASAN report and causing input

Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101), we were asked to report them directly to the binutils developers:

----------------------------------------------------

Dear all,
The following binutils cxxfilt OOM bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the input and an ASAN report.

Steps to reproduce:

Build current version of binutils:

```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./cxxfilt -t < oom
```

We can verify this issue for cxxfilt binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils") on an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz server machine with 32GB RAM.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
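The reproduction steps above build cxxfilt with ASAN and feed it the crashing input. The following is an added triage wrapper, not code from the report or from binutils: it runs an ASAN-instrumented cxxfilt on one input with a wall-clock cap and an ASAN RSS cap, then buckets the sanitizer output (OOM, heap overflow, stack overflow, other, clean) so a batch of fuzzer findings can be sorted without reading every log. It assumes the ASAN-built `./cxxfilt` from the steps above, a `timeout` binary from coreutils, and the real ASAN option `hard_rss_limit_mb`; the report text in the test is constructed. Note that `ulimit -v` is deliberately not used: ASAN reserves a very large virtual shadow region at startup, so an address-space limit makes the instrumented binary fail before it runs anything, whereas `hard_rss_limit_mb` bounds resident memory.

```shell
#!/bin/sh
# Added example (not part of the bug report or of binutils): run an
# ASAN-instrumented demangler on one input and classify the outcome.

# Classify ASAN report text read from stdin into a short bucket.
# The matched strings are the ones the sanitizer runtime prints for
# oversized allocation requests, allocator OOM and the RSS-limit abort.
classify_asan_report() {
    report=$(cat)
    case "$report" in
        *"requested allocation size"*"exceeds maximum supported size"*|\
        *"out of memory"*|*"hard rss limit exhausted"*|*"calloc parameters overflow"*)
            echo "oom" ;;
        *"heap-buffer-overflow"*) echo "heap-overflow" ;;
        *"stack-overflow"*)       echo "stack-overflow" ;;
        *"AddressSanitizer:"*)    echo "other-asan" ;;
        *)                        echo "clean" ;;
    esac
}

# Run $bin -t on $input (same invocation as the report), keep the full
# log in $log and print "<input> status=<exit> bucket=<class>".
# $rss_mb caps resident memory via ASAN itself; $secs caps wall-clock time.
run_case() {
    bin="$1"; input="$2"; log="$3"
    rss_mb="${4:-2048}"
    secs="${5:-30}"
    status=0
    ASAN_OPTIONS="halt_on_error=false:allow_addr2line=true:hard_rss_limit_mb=${rss_mb}" \
        timeout "$secs" "$bin" -t < "$input" > "$log" 2>&1 || status=$?
    bucket=$(classify_asan_report < "$log")
    echo "$input status=$status bucket=$bucket"
}

# Stand-alone use: ./triage.sh ./cxxfilt oom oom.log [rss_mb] [secs]
if [ "$#" -ge 3 ]; then
    run_case "$@"
fi
```

Running it over a directory of fuzzer outputs (`for f in inputs/*; do run_case ./cxxfilt "$f" "$f.log"; done`) gives one line per input; a `timeout` exit status of 124 with an empty bucket marks a hang rather than a sanitizer finding, which is worth a separate look since some demangler inputs exhaust time before they exhaust memory.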
Comment 1 Nick Clifton 2018-04-18 11:12:51 UTC
Hi Sergej,

  Thanks for reporting these bugs.  The problem however is in the C++ name
  demangler, which is part of the libiberty library.  This library is
  maintained by the gcc project, not the binutils project.  (It is used
  by the binutils, but not owned by them).  Therefore, please could you
  refile this bug report on the gcc bugzilla system:

https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

  Thanks very much.

Cheers
  Nick
Comment 3 Kamlesh Kumar 2019-10-11 08:55:42 UTC
ChangeLog which fixes this.

2018-12-22  Jason Merrill  <jason@redhat.com>

        Remove support for demangling GCC 2.x era mangling schemes.
        * cplus-dem.c: Remove cplus_mangle_opname, cplus_demangle_opname,
        internal_cplus_demangle, and all subroutines.
        (libiberty_demanglers): Remove entries for ancient GNU (pre-3.0),
        Lucid, ARM, HP, and EDG demangling styles.
        (cplus_demangle): Remove 'work' variable.  Don't call
        internal_cplus_demangle.