Created attachment 11321: POC_input

Hi. We are doing research on fuzz testing. Our fuzzer caught an out-of-memory problem in the program c++filt of the latest binutils (v2.31.1) code base; a malicious input of format strings causes LargeMmapAllocator faults, and I have confirmed it with AddressSanitizer too. This bug is caused by an integer overflow.

The way to reproduce the bug: I have provided the POC file and the input (_rttt4tttt6__H7666666666666666666__c). Please use "./c++filt < $POC" to reproduce the bug. Another way to reproduce this bug is to type "c++filt _rttt4tttt6__H7666666666666666666__c" directly. If you have any questions, please let me know.

ASAN dumps the stack trace as follows:

cplus-dem.c:3597:10: runtime error: signed integer overflow: 766666666 * 10 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
==13543==WARNING: AddressSanitizer failed to allocate 0xfffffffd6ff55550 bytes
==13543==AddressSanitizer's allocator is terminating the process instead of returning 0
==13543==If you don't like this behavior set allocator_may_return_null=1
==13543==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) )" (0x0, 0x0)
    #0 0x4c2a2d (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c2a2d)
    #1 0x4c9653 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c9653)
    #2 0x4c71d6 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c71d6)
    #3 0x41efec (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x41efec)
    #4 0x4b9401 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4b9401)
    #5 0x21e42be (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x21e42be)
    #6 0x1ffc3b7 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1ffc3b7)
    #7 0x1fe8a17 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fe8a17)
    #8 0x2039f37 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x2039f37)
    #9 0x1fcbb2c (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fcbb2c)
    #10 0x1fb8b23 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fb8b23)
    #11 0x4eef03 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4eef03)
    #12 0x4ed203 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4ed203)
    #13 0x7f49e9d5182f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x419318 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x419318)
Aborted
In cplus-dem.c:3597:

    n *= 10;
    n += *p - '0';
    p++;

This testcase will set n = 766666666. 766666666 * 10 cannot be represented in type 'int', which gives n an integer overflow problem. This problem leads to undefined behavior. I will show you the debug process as follows:

> $ gdb --args ./c++filt _rttt4tttt6__H7666666666666666666_
> (gdb) start
> Temporary breakpoint 1 at 0x4ea9a6: file cxxfilt.c, line 172.
> Starting program: /build/bin/c++filt _rttt4tttt6__H7666666666666666666__c
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>
> Temporary breakpoint 1, main (argc=2, argv=0x7fffffffdff8) at cxxfilt.c:172
> 172 {
> (gdb) b cplus-dem.c:3597
> Breakpoint 2 at 0x20171b4: file ./cplus-dem.c, line 3597.
> (gdb) c
> Continuing.
>
> Breakpoint 2, get_count (type=<optimized out>, count=<optimized out>) at ./cplus-dem.c:3597
> 3597 n *= 10;
> (gdb) n
> cplus-dem.c:3597:10: runtime error: signed integer overflow: 766666666 * 10 cannot be represented in type 'int'
> SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
> 3598 n += *p - '0';
> (gdb) n
> 3599 p++;
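The overflow the report pins to cplus-dem.c:3597, as an added example constructed for this page (not libiberty's code): the three quoted lines reconstructed as a naive digit-accumulation loop, next to a checked variant that refuses any count that cannot fit in an int, fed the digit run from the PoC name as constructed input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Naive decimal accumulation, reconstructed from the three lines the
   report quotes from get_count() at cplus-dem.c:3597 (not a copy of
   libiberty). Multiplying a signed int past INT_MAX is undefined
   behaviour, which is what UBSan flagged; a wrapped, possibly negative
   n is what later reaches the allocator as a huge unsigned size. */
static int count_naive(const char *p)
{
    int n = 0;
    while (*p >= '0' && *p <= '9') {
        n *= 10;            /* UB once n > INT_MAX / 10 */
        n += *p - '0';
        p++;
    }
    return n;
}

/* Hardened variant: bounds-check before every multiply-add so n never
   leaves the int range. Returns false and leaves *out untouched when the
   digit run would overflow, so the caller can reject the symbol instead
   of allocating from a garbage count. */
static bool count_checked(const char *p, int *out)
{
    int n = 0;
    while (*p >= '0' && *p <= '9') {
        int d = *p - '0';
        /* n * 10 + d <= INT_MAX  <=>  n <= (INT_MAX - d) / 10 */
        if (n > (INT_MAX - d) / 10)
            return false;
        n = n * 10 + d;
        p++;
    }
    *out = n;
    return true;
}

/* Constructed sample: the digit run taken from the report's PoC name
   _rttt4tttt6__H7666666666666666666__c, isolated for the demonstration. */
static const char *poc_digits = "7666666666666666666";

int main(void)
{
    int n;
    /* the checked parser rejects this run because it exceeds INT_MAX */
    puts(count_checked(poc_digits, &n) ? "accepted" : "rejected");
    return 0;
}
```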
gcc is the owning project for libiberty. Please report this bug there.
Was this issue reported to the GCC bugzilla?
(In reply to Salvatore Bonaccorso from comment #3)
> Was this issue reported to the GCC bugzilla?

Yes, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602
(In reply to wcventure from comment #4)
> (In reply to Salvatore Bonaccorso from comment #3)
> > Was this issue reported to the GCC bugzilla?
>
> Yes, see
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602

Also see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83472
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79111