bug-binutils

[Bug binutils/22712] New: Stack Overflow (71959517)


From: security-tps at google dot com
Subject: [Bug binutils/22712] New: Stack Overflow (71959517)
Date: Mon, 15 Jan 2018 10:36:46 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22712

            Bug ID: 22712
           Summary: Stack Overflow (71959517)
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 10747
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10747&action=edit
poc and dockerfile to reproduce

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision master 58807c48a5a317ad3e2d39a8755168a3d4d5fdf8).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.binutils /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
 in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #139 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #140 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #141 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #142 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #143 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #144 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #145 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #146 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #147 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #148 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #149 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #150 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #151 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #152 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #153 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #154 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #155 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #156 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #157 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #158 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #159 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #160 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #161 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #162 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #163 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #164 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #165 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #166 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #167 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #168 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #169 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #170 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #171 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #172 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #173 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #174 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #175 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #176 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #177 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #178 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #179 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #180 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #181 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #182 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #183 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #184 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #185 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #186 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #187 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #188 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #189 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #190 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #191 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #192 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #193 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #194 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #195 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #196 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #197 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #198 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #199 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #200 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #201 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #202 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #203 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #204 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #205 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #206 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #207 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #208 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #209 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #210 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #211 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #212 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #213 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #214 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #215 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #216 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #217 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #218 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #219 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #220 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #221 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #222 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #223 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #224 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #225 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #226 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #227 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #228 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #229 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #230 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #231 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #232 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #233 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #234 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #235 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #236 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #237 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #238 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #239 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #240 0x5138db in demangle_arm_hp_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2560:20
    #241 0x517e68 in demangle_class_name /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2614:7
    #242 0x518e6b in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4118:13
    #243 0x509f90 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #244 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #245 0x51767d in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #246 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #247 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #248 0x5183a2 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #249 0x51792c in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4641:13
    #250 0x5188ad in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #251 0x509722 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9

SUMMARY: AddressSanitizer: stack-overflow (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x43c4e6) in __interceptor_strlen.part.25
==11==ABORTING

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the
report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
in the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
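The sanitizer trace in the report cycles through the same cplus-dem.c frames (do_type, do_arg, demangle_args, demangle_nested_args, demangle_arm_hp_template, demangle_class_name, demangle_fund_type) once per nesting level of the input until the stack is exhausted, which is the signature of a recursive-descent parser with no bound on recursion depth. The following is an added example, not code from binutils or from the report: a constructed parser over a toy grammar (an assumption, not the real mangling grammar) that threads a depth counter through the mutually recursive functions and fails cleanly once an assumed MAX_NESTING bound is exceeded; the names parse_type, parse_args, check_type and make_nested are hypothetical.

```c
#include <stdlib.h>
/* Constructed toy grammar (not cplus-dem.c's real mangling grammar):
     type := 'i' | 'c' | 'T' '(' args ')'     args := [ type { ',' type } ] */
#define MAX_NESTING 64  /* assumed bound; size it to the real stack budget */
enum { PARSE_OK = 1, PARSE_SYNTAX = 0, PARSE_TOO_DEEP = -1 };
static int parse_type(const char *s, size_t *pos, int depth);
/* Mirrors demangle_args/demangle_nested_args: a comma-separated type list. */
static int parse_args(const char *s, size_t *pos, int depth)
{
    if (s[*pos] == ')') return PARSE_OK;               /* empty list */
    for (;;) {
        int r = parse_type(s, pos, depth);
        if (r != PARSE_OK || s[*pos] != ',') return r; /* error or end */
        (*pos)++;
    }
}
/* Mirrors do_type, where the demangler re-enters itself.  Each nested "T("
   costs a stack frame; the guard turns exhaustion into a reportable error. */
static int parse_type(const char *s, size_t *pos, int depth)
{
    int r;
    if (depth > MAX_NESTING) return PARSE_TOO_DEEP;
    switch (s[(*pos)++]) {
    case 'i': case 'c': return PARSE_OK;
    case 'T':
        if (s[(*pos)++] != '(') return PARSE_SYNTAX;
        if ((r = parse_args(s, pos, depth + 1)) != PARSE_OK) return r;
        return s[(*pos)++] == ')' ? PARSE_OK : PARSE_SYNTAX;
    default: return PARSE_SYNTAX;
    }
}
/* Entry point: exactly one complete type and nothing trailing. */
int check_type(const char *s)
{
    size_t pos = 0;
    int r = parse_type(s, &pos, 0);
    return (r == PARSE_OK && s[pos] != '\0') ? PARSE_SYNTAX : r;
}
/* Constructed fuzzer-style input: n nested "T(" ... ")" around "i". */
char *make_nested(size_t n)
{
    char *buf = malloc(3 * n + 2), *p = buf;
    if (!buf) return NULL;
    for (size_t k = 0; k < n; k++) { *p++ = 'T'; *p++ = '('; }
    *p++ = 'i';
    for (size_t k = 0; k < n; k++) *p++ = ')';
    *p = '\0';
    return buf;
}
```

With the guard in place, check_type(make_nested(100000)) returns PARSE_TOO_DEEP after at most MAX_NESTING frames instead of aborting the way demangle_fuzzer does in the trace; the same depth-counter pattern applies to any recursive parser that is fed untrusted input.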


