Bug 70926 - Libiberty Demangler segfaults (5)
Summary: Libiberty Demangler segfaults (5)
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: c++
Version: unknown
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-03 12:58 UTC by Marcel Böhme
Modified: 2016-07-13 22:06 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Description Marcel Böhme 2016-05-03 12:58:17 UTC
A write access violation on the destination operand in the libiberty demangler causes its host applications to crash. There are also two other read access violations on the source operand that are caused by the same problem (an overflow when parsing a number).

How to reproduce:
$ valgrind c++filt 0__Ot2m02R5T0000500000
==86038== Invalid read of size 1
==86038==    at 0x752150: do_type (cplus-dem.c:3729)
==86038==    by 0x7640F5: do_arg (cplus-dem.c:4239)
==86038==    by 0x7659D7: demangle_args (cplus-dem.c:4528)
==86038==    by 0x778425: demangle_signature (cplus-dem.c:1645)
==86038==    by 0x784701: internal_cplus_demangle (cplus-dem.c:1204)
==86038==    by 0x74F572: cplus_demangle (cplus-dem.c:887)
==86038==    by 0x406251: demangle_it (cxxfilt.c:62)
==86038==    by 0x40582E: main (cxxfilt.c:227)

$ valgrind c++filt 0__GT50000000000_
==10196== Invalid read of size 8
==10196==    at 0x7519A7: do_type (cplus-dem.c:3623)
==10196==    by 0x763DB5: do_arg (cplus-dem.c:4249)
==10196==    by 0x76568F: demangle_args (cplus-dem.c:4538)
==10196==    by 0x778825: demangle_signature (cplus-dem.c:1653)
==10196==    by 0x784961: internal_cplus_demangle (cplus-dem.c:1210)
==10196==    by 0x74F582: cplus_demangle (cplus-dem.c:893)
==10196==    by 0x406251: demangle_it (cxxfilt.c:62)
==10196==    by 0x40582E: main (cxxfilt.c:227)

$ valgrind c++filt __t2m05B500000000000000000_
==13052== Invalid read of size 8
==13052==    at 0x7541FF: do_type (cplus-dem.c:3798)
==13052==    by 0x76B2B3: demangle_template.constprop.15 (cplus-dem.c:2241)
==13052==    by 0x7761B7: demangle_signature (cplus-dem.c:1573)
==13052==    by 0x784811: internal_cplus_demangle (cplus-dem.c:1210)
==13052==    by 0x74F582: cplus_demangle (cplus-dem.c:893)
==13052==    by 0x406251: demangle_it (cxxfilt.c:62)
==13052==    by 0x40582E: main (cxxfilt.c:227)

Analysis: The demangler sometimes reads the value of an array index from the mangled string. It is checked whether this exceeds the array length; however, the parsing can cause an overflow, so that the index becomes negative.

This vulnerability was found with a more efficient version of AFL.
I am preparing a patch.
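As an added illustration of the overflow mechanism described in the analysis above (this is not code from the bug report or from libiberty; the function names and the explicit `end` bound are constructed for this example): a digit loop that silently wraps a 32-bit count, next to one that stops at the end of the mangled string and refuses counts above INT_MAX, plus the difference between an upper-bound-only index check and a full range check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not libiberty code. Decimal counts such as the
   "50000000000" in the second reproducer are read one digit at a time;
   these helpers contrast an unbounded read with a checked one. */

/* Model an unchecked 32-bit accumulator with well-defined unsigned
   arithmetic. Returns true when the wrapped value has its sign bit set,
   i.e. it would be negative once stored in a signed int. */
bool unchecked_count_goes_negative(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');
    return v >= 0x80000000u;
}

/* Checked read: never runs past `end`, rejects a count that would exceed
   INT_MAX, and requires at least one digit. Returns true on success. */
bool parse_count_checked(const char *s, const char *end, int *out)
{
    const char *start = s;
    int count = 0;
    while (s < end && *s >= '0' && *s <= '9') {
        int digit = *s - '0';
        if (count > (INT_MAX - digit) / 10)   /* next step would overflow */
            return false;
        count = count * 10 + digit;
        s++;
    }
    if (s == start)
        return false;
    *out = count;
    return true;
}

/* Convenience wrapper over a NUL-terminated string: -1 on any failure. */
int checked_count(const char *s)
{
    int v;
    return parse_count_checked(s, s + strlen(s), &v) ? v : -1;
}

/* The flawed shape of check the report describes: only the upper bound is
   tested, so a wrapped (negative) index passes. The second form is the fix. */
bool index_ok_upper_only(int idx, int len) { return idx <= len; }
bool index_ok(int idx, int len) { return idx >= 0 && idx < len; }
```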
Comment 1 Jeffrey A. Law 2016-07-13 22:06:39 UTC
Fixed by commit on trunk
Comment 2 Jeffrey A. Law 2016-07-13 22:06:40 UTC
Author: law
Date: Wed Jul 13 22:06:09 2016
New Revision: 238313

URL: https://gcc.gnu.org/viewcvs?rev=238313&root=gcc&view=rev
Log:
	PR c++/70926
	* cplus-dem.c: Handle large values and overflow when demangling
	length variables.
	(demangle_template_value_parm): Read only until end of mangled string.
	(do_hpacc_template_literal): Likewise.
	(do_type): Handle overflow when demangling array indices.

Modified:
    trunk/libiberty/ChangeLog
    trunk/libiberty/cplus-dem.c
    trunk/libiberty/testsuite/demangle-expected