Bug 24791 - Heap Overflow issue in cp-demangle
Summary: Heap Overflow issue in cp-demangle
Status: RESOLVED INVALID
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.33
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-09 14:34 UTC by Heqing HUANG
Modified: 2019-07-10 06:13 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC input (2.02 KB, application/x-sharedlib)
2019-07-09 14:34 UTC, Heqing HUANG

Description Heqing HUANG 2019-07-09 14:34:58 UTC
Created attachment 11897 [details]
POC input

Hi, there.

There is a heap overflow in nm.

To reproduce the issue, the compile flag is:
CFLAGS="-g -O0 -m32 -fsanitize=address,undefined" ./configure;make

then,
nm-new -C -a -l --synthetic input

Here are the details reported by ASAN:
==178966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4e02883 at pc 0x085d6167 bp 0xffe086d8 sp 0xffe086c8
READ of size 1 at 0xf4e02883 thread T0
    #0 0x85d6166 in d_expression_1 cp-demangle.c:3356
    #1 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #2 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #3 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #4 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #5 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #6 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #7 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #8 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #9 0x85c8395 in d_expression cp-demangle.c:3531
    #10 0x85c8395 in d_array_type cp-demangle.c:3011
    #11 0x85c8395 in cplus_demangle_type cp-demangle.c:2463
    #12 0x85ca143 in d_parmlist cp-demangle.c:2908
    #13 0x85d907c in d_bare_function_type cp-demangle.c:2962
    #14 0x85d907c in d_encoding cp-demangle.c:1343
    #15 0x85dc451 in cplus_demangle_mangled_name cp-demangle.c:1234
    #16 0x85e29ed in d_demangle_callback cp-demangle.c:6292
    #17 0x85e29ed in d_demangle cp-demangle.c:6343
    #18 0x85e29ed in cplus_demangle_v3 cp-demangle.c:6500
    #19 0x858e46c in cplus_demangle cplus-dem.c:165
    #20 0x808ea57 in bfd_demangle /mnt/data/playground/binutils-2.32-a/bfd/bfd.c:2254
    #21 0x805f51f in print_symname /mnt/data/playground/binutils-2.32-a/binutils/nm.c:423
    #22 0x805f51f in print_symbol_info_bsd /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1565
    #23 0x8053fcf in print_symbol /mnt/data/playground/binutils-2.32-a/binutils/nm.c:903
    #24 0x80571b5 in print_symbols /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1102
    #25 0x80571b5 in display_rel_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1215
    #26 0x805adb1 in display_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1335
    #27 0x804f98a in main /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1816
    #28 0xf7000636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #29 0x805154b  (/mnt/data/playground/binutils-2.32-a/binutils/nm-new+0x805154b)

0xf4e02883 is located 0 bytes to the right of 99-byte region [0xf4e02820,0xf4e02883)
allocated by thread T0 here:
    #0 0xf7239dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x80abadd in bfd_malloc /mnt/data/playground/binutils-2.32-a/bfd/libbfd.c:275

SUMMARY: AddressSanitizer: heap-buffer-overflow cp-demangle.c:3356 d_expression_1
Shadow bytes around the buggy address:
  0x3e9c04c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9c04d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9c04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9c04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9c0500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e9c0510:[03]fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x3e9c0520: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x3e9c0530: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x3e9c0540: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x3e9c0550: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x3e9c0560: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==178966==ABORTING

The attachment is the POC input.
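The numbers in the ASan report above can be cross-checked by hand: on 32-bit x86, ASan maps each application byte to a shadow byte at `(addr >> 3) + 0x20000000`, and a shadow value between 1 and 7 means only that many leading bytes of the 8-byte granule are addressable. The faulting address 0xf4e02883 therefore lands on shadow byte 0x3e9c0510, exactly the `[03]` the dump highlights, and `0x83 & 7 == 3` is not less than 3, so the read is flagged. The following C code is an added illustration written for this page, not binutils, libiberty or compiler-rt code; the shadow offset for i386 and the granule rule are assumptions from the documented ASan algorithm, and the addresses and sizes are taken from the report itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ASan shadow offset for 32-bit x86 (assumption: the report is from an -m32
   build; the x86-64 offset is different). */
#define ASAN_SHADOW_OFFSET_I386 0x20000000u

/* Application address -> shadow byte address. */
uint32_t asan_shadow_addr(uint32_t addr)
{
    return (addr >> 3) + ASAN_SHADOW_OFFSET_I386;
}

/* Shadow byte semantics for one 8-byte granule:
   00        every byte addressable
   01..07    only the first k bytes addressable
   >= 08     poison marker (fa = heap left redzone, fd = freed, ...) */
bool asan_byte_is_poisoned(uint32_t addr, uint8_t shadow)
{
    if (shadow == 0)
        return false;
    if (shadow >= 8)
        return true;
    return (addr & 7u) >= shadow;
}

/* Shadow value ASan writes for the last granule of a heap region of `size`
   bytes: the remainder modulo 8, or 00 when the region ends on a boundary. */
uint8_t asan_last_granule_shadow(uint32_t size)
{
    return (uint8_t)(size % 8u);
}

/* How far past the end of [start, end) an access lies; 0 means "0 bytes to
   the right", as the report phrases it. */
uint32_t asan_bytes_past_end(uint32_t addr, uint32_t end)
{
    return addr >= end ? addr - end : 0;
}

int main(void)
{
    /* Values copied from the report: a 99-byte region [0xf4e02820, 0xf4e02883)
       and a 1-byte READ at 0xf4e02883. */
    const uint32_t region_start = 0xf4e02820u;
    const uint32_t region_end   = 0xf4e02883u;
    const uint32_t region_size  = region_end - region_start;
    const uint32_t fault        = 0xf4e02883u;
    const uint8_t  shadow       = asan_last_granule_shadow(region_size);

    printf("region size        : %u bytes\n", region_size);
    printf("shadow of start    : 0x%08x\n", asan_shadow_addr(region_start));
    printf("shadow of fault    : 0x%08x (value %02x)\n",
           asan_shadow_addr(fault), shadow);
    printf("bytes past end     : %u\n", asan_bytes_past_end(fault, region_end));
    printf("fault poisoned     : %s\n",
           asan_byte_is_poisoned(fault, shadow) ? "yes" : "no");
    printf("last valid byte ok : %s\n",
           asan_byte_is_poisoned(fault - 1, shadow) ? "no" : "yes");
    return 0;
}
```

Reading the dump this way confirms what the summary line says: the demangler read the single byte immediately after the 99-byte name buffer, the last valid byte (0xf4e02882, offset 2 in its granule) is still addressable, and the granules after it are `fa` heap redzone. The same mapping works for the start address, whose shadow 0x3e9c0504 is the first `00` in the `0x3e9c0500` row.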
Comment 1 Alan Modra 2019-07-10 03:34:32 UTC
This is likely already fixed.  In any case, problems with libiberty files such as cp-demangle.c should be reported against gcc.
Comment 2 Heqing HUANG 2019-07-10 06:13:16 UTC
It still can be triggered after the patch of GCC.

This is the link to the previous GCC patch:
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=270258