Bug 85453 - OOM-Bug in cxxfilt / C++ name demangler (binuitils-2.30-15ubuntu1)
Summary: OOM-Bug in cxxfilt / C++ name demangler (binuitils-2.30-15ubuntu1)
Status: RESOLVED DUPLICATE of bug 84950
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2018-04-18 14:35 UTC by Sergej Schumilo
Modified: 2018-11-16 03:27 UTC (History)
0 users

See Also:
Known to work:
Known to fail:
Last reconfirmed:


Note You need to log in before you can comment on or make changes to this bug.
Description Sergej Schumilo 2018-04-18 14:35:37 UTC
Dear all,
according to the bintutils maintainers the following OOM-bug is in the C++ name demangler (instead of the binutils application cxxfilt), which is part of the libiberty library. 

This is the original binutils bug report (https://sourceware.org/bugzilla/show_bug.cgi?id=23059):


Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101), we were asked to report them directly to the binutils developers: 


Dear all,
The following binutils cxxfilt OOM bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the input and an ASAN report.

Steps to reproduce:

Build current verison of binutils:

pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address
-fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make

Run inputs under ASAN:

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./cxxfilt -t < oom

We can verify this issue for cxxfilt binuitils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source bintuils") on an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz server machine with 32GB RAM.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
Comment 1 Simon Wörner 2018-06-27 14:38:54 UTC
$ valgrind binutils/cxxfilt -t < ./oom
==11187== Memcheck, a memory error detector
==11187== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11187== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==11187== Command: binutils/cxxfilt -t
==11187== Process terminating with default action of signal 2 (SIGINT)
==11187==    at 0x4C367E0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11187==    by 0x1DA254: memcpy (string_fortified.h:34)
==11187==    by 0x1DA254: remember_Ktype (cplus-dem.c:4430)
==11187==    by 0x1DE5F4: demangle_qualified (cplus-dem.c:3495)
==11187==    by 0x1DF736: demangle_signature (cplus-dem.c:1495)
==11187==    by 0x1E0A62: internal_cplus_demangle (cplus-dem.c:1257)
==11187==    by 0x1DB53B: cplus_demangle (cplus-dem.c:918)
==11187==    by 0x13A2B3: demangle_it (cxxfilt.c:62)
==11187==    by 0x139F61: main (cxxfilt.c:276)
==11187== HEAP SUMMARY:
==11187==     in use at exit: 2,506,806,484 bytes in 50,064 blocks
==11187==   total heap usage: 50,092 allocs, 28 frees, 2,507,614,296 bytes allocated
==11187== LEAK SUMMARY:
==11187==    definitely lost: 100,119 bytes in 1 blocks
==11187==    indirectly lost: 0 bytes in 0 blocks
==11187==      possibly lost: 0 bytes in 0 blocks
==11187==    still reachable: 2,506,706,365 bytes in 50,063 blocks
==11187==         suppressed: 0 bytes in 0 blocks
==11187== Rerun with --leak-check=full to see details of leaked memory
==11187== For counts of detected and suppressed errors, rerun with: -v
==11187== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 2 Andrew Pinski 2018-11-16 03:27:11 UTC
This is a dup of bug 84950.

*** This bug has been marked as a duplicate of bug 84950 ***