Created attachment 10947 [details]
cxxfilt ASAN executable, ASAN report and causing input
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101), we were ask to report them directly to the binutils developers:
The following binutils cxxfilt OOM bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the input and an ASAN report.
Steps to reproduce:
Build current verison of binutils:
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address
-fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
Run inputs under ASAN:
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./cxxfilt -t < oom
We can verify this issue for cxxfilt binuitils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source bintuils") on an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz server machine with 32GB RAM.
Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)
Thanks for reporting these bugs. The problem however is in the C++ name
demangler, which is part of the libiberty library. This library is
maintained by the gcc project, not the binutils project. (It is used
by the binutils, but now owned by them). Therefore, please could you
refile this bug report on the gcc bugzilla system:
Thanks very much.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453 resp. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
ChangeLog which fixes this.
2018-12-22 Jason Merrill <firstname.lastname@example.org>
Remove support for demangling GCC 2.x era mangling schemes.
* cplus-dem.c: Remove cplus_mangle_opname, cplus_demangle_opname,
internal_cplus_demangle, and all subroutines.
(libiberty_demanglers): Remove entries for ancient GNU (pre-3.0),
Lucid, ARM, HP, and EDG demangling styles.
(cplus_demangle): Remove 'work' variable. Don't call