bug-binutils
From: fengzhengzhan at gmail dot com
Subject: [Bug binutils/30267] New: Report a solved crash. In binutils-2_26_1 of the c++flit, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.
Date: Thu, 23 Mar 2023 14:26:42 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30267

            Bug ID: 30267
           Summary: Report a solved crash. In binutils-2_26_1 of the
                    c++flit, heap buffer overflow in demangle_prefix() at
                    cplus-dem.c:2744.
           Product: binutils
           Version: 2.26
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: fengzhengzhan at gmail dot com
  Target Milestone: ---

Created attachment 14774
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14774&action=edit
poc

# Report a solved crash. In binutils-2_26_1 of the c++flit, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.

While I was comparing fuzzing experiments on the program, I found a heap buffer overflow in the binutils-2_26_1 version of c++filt at function demangle_prefix in cplus-dem.c:2744. This crash has already been fixed in the binutils-2_40 version. However, I still feel that I should report this to you, so I apologize for taking up your time.

## Environment
Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce
1. download file
```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```
2. compile libming with ASAN
```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
# Build through wllvm so that whole-program bitcode can be extracted afterwards
CC=wllvm CXX=wllvm++ \
CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" \
LDFLAGS="-ldl -lutil" \
./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared \
  --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install

cd obj-bc/bin/
# Pull the bitcode out of the linked binary and relink it with AddressSanitizer
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```
3. command for reproducing the error
```
./c++filt_asan @poc
```
Download poc:
[poc](https://github.com/fengzhengzhan/FzzVul/blob/main/c%2B%2Bfilt/binutils-gdb_c%2B%2Bflit226_heap-buffer-overflow_cplus-dem2744)

## ASAN report
1. binutils-2_26_1 version.
```
root@2413df779df0:~/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin# ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem2744
o_2__S0A4X530rE_;00
=================================================================
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x000000439b84 bp 0x7fff173aa870 sp 0x7fff173aa020
READ of size 1 at 0x60200000001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
    #2 0x5f24ae in internal_cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:1199:14
    #3 0x5f191b in cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:886:9
    #4 0x4f46ac in demangle_it /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:62:12
    #5 0x4f42ef in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:227:4
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41bfc9 in _start (/root/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin/c++filt_asan+0x41bfc9)

0x60200000001a is located 0 bytes to the right of 10-byte region [0x602000000010,0x60200000001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
    #2 0x608909 in xstrdup /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xstrdup.c:34:24
    #3 0x600faf in buildargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:271:17
    #4 0x601382 in expandargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:435:14
    #5 0x4f4162 in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:181:3
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00[02]fa fa 00 07 fa fa fd fa fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==112308==ABORTING
```

2. binutils-2_40 version: no crash occurred.
```
> ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem2744
o_2__S0A4X530rE_;00
__thunk_8

=================================================================
==124985==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4aea08 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
    #1 0x6272b0 in xrealloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:181:14
    #2 0x61a9d5 in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:474:3
    #3 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #4 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 30 byte(s) in 2 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6271cb in xmalloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x62730d in xstrdup /root/compiler1804/binutils-gdb/libiberty/./xstrdup.c:34:24
    #3 0x61a4b3 in buildargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:274:17
    #4 0x61a94b in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:461:14
    #5 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #6 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 15 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6271cb in xmalloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x62730d in xstrdup /root/compiler1804/binutils-gdb/libiberty/./xstrdup.c:34:24
    #3 0x61a175 in dupargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:86:18
    #4 0x61a96c in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:464:11
    #5 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #6 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 85 byte(s) leaked in 4 allocation(s).

```
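An added triage helper, not part of this report or of binutils, that parses the AddressSanitizer output above into the fields a fuzzing campaign deduplicates on: bug kind, access type and size, the first stack frame outside the sanitizer runtime, the overflowed region's size, and the first program frame of the allocation. The embedded sample is an excerpt of this bug's report with the mail-wrapped frame lines re-joined; the list of runtime frame prefixes to skip is an assumption.

```python
import re
# Sample input: an excerpt of the ASan report from this bug, with the frame lines
# that the mail client wrapped re-joined onto single lines.
ASAN_REPORT = """\
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x000000439b84 bp 0x7fff173aa870 sp 0x7fff173aa020
READ of size 1 at 0x60200000001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
0x60200000001a is located 0 bytes to the right of 10-byte region [0x602000000010,0x60200000001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
    #2 0x608909 in xstrdup /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xstrdup.c:34:24
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<rsize>\d+)-byte region")
# Frames that belong to the sanitizer runtime or allocator, not the program (assumed list)
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "malloc", "realloc", "calloc", "free")

def app_frames(text):
    """(func, file:line[:col]) for every frame in text that is not a runtime frame."""
    return [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)
            if not m["func"].startswith(RUNTIME_PREFIXES)]

def parse_asan(report):
    """Return a triage dict for one ASan report, or None if the text is not an ASan error."""
    m = ERROR_RE.search(report)
    if m is None:
        return None
    info = {"kind": m["kind"], "address": m["addr"], "access": None, "size": None}
    a = ACCESS_RE.search(report)
    if a:
        info["access"], info["size"] = a["op"], int(a["size"])
    # The access stack comes first; the allocation stack follows "allocated by".
    access_part, _, alloc_part = report.partition("allocated by")
    crash, alloc = app_frames(access_part), app_frames(alloc_part)
    info["crash_site"] = crash[0] if crash else None
    info["alloc_site"] = alloc[0] if alloc else None
    r = REGION_RE.search(report)
    info["region"] = {"size": int(r["rsize"]), "overflow": int(r["dist"]), "side": r["side"]} if r else None
    return info

def crash_key(info):
    """Dedup key for a fuzzing campaign: kind, access, crashing function and file:line (column dropped)."""
    func, loc = info["crash_site"]
    path, line = loc.split(":")[:2]
    return f"{info['kind']}|{info['access']}|{func}|{path.rsplit('/', 1)[-1]}:{line}"
```

Two crashes that share a key are the same bug for scheduling purposes; the region line (0 bytes past a 10-byte xstrdup'd argument) is what tells a triager this is a one-past-the-end read of a command-line string rather than a corrupted heap.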
