This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug demangler/85660] New: Signed Integer Overflow (79257474)

From: "security-tps at google dot com" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Sat, 05 May 2018 04:11:10 +0000
Subject: [Bug demangler/85660] New: Signed Integer Overflow (79257474)
Auto-submitted: auto-generated

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85660

            Bug ID: 85660
           Summary: Signed Integer Overflow (79257474)
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 44075
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44075&action=edit
proof of concept

Hello,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master
4e6fe7477a4e9260777cbaa01f70df7ae5f063bb).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
`unzip artifacts_79257474.zip`
`docker build --build-arg SANITIZER=undefined --tag=autofuzz-binutils-79257474
autofuzz_79257474`
`docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v
$PWD/autofuzz_79257474/poc-7c8bacd8e3b958d37b7a4c80eb649af20e1eae6828f838d518a18781c03c438a_min:/tmp/poc
autofuzz-binutils-79257474 "" /tmp/poc`
`docker run --cap-add=SYS_PTRACE -v
$PWD/autofuzz_79257474/poc-7c8bacd8e3b958d37b7a4c80eb649af20e1eae6828f838d518a18781c03c438a_min:/tmp/poc
-it autofuzz-binutils-79257474`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 1481494163
INFO: Loaded 0 modules (0 guards): 
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running:
/tmp/poc-7c8bacd8e3b958d37b7a4c80eb649af20e1eae6828f838d518a18781c03c438a
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10: runtime error: signed
integer overflow: 666666616 * 10 cannot be represented in type 'int'
    #0 0x4332c3 in get_count
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10
    #1 0x42d0bd in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3874:12
    #2 0x4319f4 in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2300:14
    #3 0x43027a in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1628:14
    #4 0x42e864 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #5 0x42d990 in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #6 0x42bf02 in LLVMFuzzerTestOneInput
/fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #7 0x4557ee in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4557ee)
    #8 0x44a93e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned
long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x44a93e)
    #9 0x44ee47 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x44ee47)
    #10 0x44a65b in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x44a65b)
    #11 0x7f090766c2e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #12 0x406a69 in _start
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x406a69)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10 in 

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the
report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.


Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]