| Summary: | Regression leads to heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt | | |
|---|---|---|---|
| Product: | gcc | Reporter: | Cheng Wen <wcventure> |
| Component: | demangler | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | nickc, nickc, prajwapa, trupti_pardeshi |
| Priority: | P3 | | |
| Version: | unknown | | |
| Target Milestone: | --- | | |
| Host: | | Target: | |
| Build: | | Known to work: | |
| Known to fail: | | Last reconfirmed: | |
| Attachments: | POC1, POC2, POC3 | | |
Description
Cheng Wen
2018-12-28 09:27:10 UTC
Created attachment 45295 [details]
POC2
Created attachment 45296 [details]
POC3
That's because "d_advance (di, 2);" in function d_expression_1 changes di->n = di + 2, leading to a buffer-overflow problem.
> 3353 d_advance (di, 2);
> 3354 if (peek == 't')
> 3355 type = cplus_demangle_type (di);
> 3356 if (!d_peek_next_char (di))
> 3357 return NULL;
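The pattern the report points at is an unconditional cursor advance followed by a peek, with nothing verifying that two bytes actually remain. The block below is an added illustration written for this page, not code from cp-demangle.c or libiberty: the names `cursor`, `checked_advance`, `peek_next_char` and `parse_expression_prefix` are assumed stand-ins for `d_info`, `d_advance`, `d_peek_next_char` and the step quoted from `d_expression_1`, and the inputs in `main` are constructed samples. It shows the defensive form of the same step: the advance fails instead of moving the position past the end of the buffer, and the peek returns NUL at the end rather than reading beyond it.

```c
/* Added illustration, not the cp-demangle.c code: a bounds-checked cursor
 * advance in place of an unconditional n += k. All names here are assumed
 * stand-ins for the libiberty ones named in the report. */
#include <stddef.h>
#include <stdio.h>

struct cursor {
    const char *n;     /* current position, as d_info::n in the report */
    const char *send;  /* one past the last byte of the mangled name */
};

/* Advance by k only when at least k bytes remain. Returns 1 on success,
 * 0 without moving when the input is too short. */
static int checked_advance(struct cursor *c, size_t k)
{
    if ((size_t)(c->send - c->n) < k)
        return 0;
    c->n += k;
    return 1;
}

/* Look at the byte after the current one, yielding NUL instead of reading
 * past the end of the buffer. */
static char peek_next_char(const struct cursor *c)
{
    return (c->n + 1 < c->send) ? c->n[1] : '\0';
}

/* The step quoted from d_expression_1: skip a two-character prefix, then
 * require that a following character exists. Returns the new offset on
 * success, -1 if the input runs out at either check. */
int parse_expression_prefix(const char *mangled, size_t len)
{
    struct cursor c = { mangled, mangled + len };
    if (!checked_advance(&c, 2))   /* the check the unconditional advance lacks */
        return -1;
    if (!peek_next_char(&c))
        return -1;
    return (int)(c.n - mangled);
}

int main(void)
{
    /* Constructed inputs: a truncated prefix and a complete one. */
    printf("\"f\"    -> %d\n", parse_expression_prefix("f", 1));
    printf("\"fpLi\" -> %d\n", parse_expression_prefix("fpLi", 4));
    return 0;
}
```

The design point is that the length check lives inside the advance itself, so every caller gets it; a caller that forgets to test the return value still cannot move the position beyond `send`, and a later peek at the end yields NUL rather than the byte past the buffer.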
Hi, is anyone here going to look at this bug? This bug got assigned CVE-2018-20712.

I can't reproduce this on any of the three testcases with today's binutils built with ASAN.

Hi, may I know if this bug is going to be fixed in binutils, and in which version? Any heads up will be appreciated. Best Regards,

(In reply to Trupti Pardeshi from comment #7)
> commit ebb8004a18a3808d7197762faf3c5aaeae82371f
> Author: GDB Administrator <gdbadmin@sourceware.org>
> Date: Wed Dec 19 00:00:21 2018 +0000
>
> Automatic date update in version.in

Hi, I didn't understand the reply given in comment #8. Please, may I know if this bug is going to be fixed in binutils, and in which version? Or will this be closed as not reproduced, as per comment #6? Any heads up will be appreciated. Best Regards,

(In reply to Trupti Pardeshi from comment #9)
This bug can be reproduced in the commit version ebb8004a18a3808d7197762faf3c5aaeae82371f. But now it is fixed.

(In reply to Cheng Wen from comment #10)
> (In reply to Trupti Pardeshi from comment #9)
>
> This bug can be reproduced in the commit version
> ebb8004a18a3808d7197762faf3c5aaeae82371f.
>
> But now it is fixed.

Thanks for the reply, Cheng. But could you please help me find out the version of binutils and the version of gcc having the fix for this issue? Knowing the fixed-in version (of binutils and gcc) will be very helpful. Looking forward to your reply. Many Thanks, Trupti

Could someone please let me know in which binutils version this is fixed?

(In reply to Cheng Wen from comment #10)
> (In reply to Trupti Pardeshi from comment #9)
>
> This bug can be reproduced in the commit version
> ebb8004a18a3808d7197762faf3c5aaeae82371f.
>
> But now it is fixed.

Could you please let me know in which binutils version this is fixed? Thanks.

(In reply to prajwapa from comment #12)
> Could you please let me know in which binutils version this is fixed?

Not really.

I can confirm that the test cases do not fail when tested with binutils 2.35 (with sanitization enabled), and with any binutils all the way back to 2.30 if sanitization is not enabled. Given that the bug was reported in 2018-12, and assuming that it was fixed at some point in the 6 months after that, the nearest binutils release that would have included the fix is 2.33. I hope that this helps. Cheers, Nick