Dear all,

according to the binutils maintainers the following OOM bug is in the C++ name demangler (instead of the binutils application cxxfilt), which is part of the libiberty library.

This is the original binutils bug report (https://sourceware.org/bugzilla/show_bug.cgi?id=23059):

-----------------------------------------------------------------------------

Dear all,

after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101), we were asked to report them directly to the binutils developers:

----------------------------------------------------

Dear all,

The following binutils cxxfilt OOM bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the input and an ASAN report.

Steps to reproduce:

Build the current version of binutils:

```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./cxxfilt -t < oom
```

We can verify this issue for cxxfilt binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils") on an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz server machine with 32GB RAM.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
```
$ valgrind binutils/cxxfilt -t < ./oom
==11187== Memcheck, a memory error detector
==11187== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11187== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==11187== Command: binutils/cxxfilt -t
==11187==
==11187==
==11187== Process terminating with default action of signal 2 (SIGINT)
==11187==    at 0x4C367E0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11187==    by 0x1DA254: memcpy (string_fortified.h:34)
==11187==    by 0x1DA254: remember_Ktype (cplus-dem.c:4430)
==11187==    by 0x1DE5F4: demangle_qualified (cplus-dem.c:3495)
==11187==    by 0x1DF736: demangle_signature (cplus-dem.c:1495)
==11187==    by 0x1E0A62: internal_cplus_demangle (cplus-dem.c:1257)
==11187==    by 0x1DB53B: cplus_demangle (cplus-dem.c:918)
==11187==    by 0x13A2B3: demangle_it (cxxfilt.c:62)
==11187==    by 0x139F61: main (cxxfilt.c:276)
==11187==
==11187== HEAP SUMMARY:
==11187==     in use at exit: 2,506,806,484 bytes in 50,064 blocks
==11187==   total heap usage: 50,092 allocs, 28 frees, 2,507,614,296 bytes allocated
==11187==
==11187== LEAK SUMMARY:
==11187==    definitely lost: 100,119 bytes in 1 blocks
==11187==    indirectly lost: 0 bytes in 0 blocks
==11187==      possibly lost: 0 bytes in 0 blocks
==11187==    still reachable: 2,506,706,365 bytes in 50,063 blocks
==11187==         suppressed: 0 bytes in 0 blocks
==11187== Rerun with --leak-check=full to see details of leaked memory
==11187==
==11187== For counts of detected and suppressed errors, rerun with: -v
==11187== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
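As an added example (not code from the reporter, binutils or libiberty), here is a small triage parser for memcheck output of the kind shown above. It pulls out the command, the first stack trace and the heap summary, flags the run as a memory-exhaustion finding when the heap still live at exit exceeds a threshold (1 GiB, an assumed value), and derives a stack signature from the first frames that fall inside the project's own source files, which is how a fuzzing pipeline matches duplicate reports such as this one and bug 84950 without reading each one by hand. The report text embedded below is the one from this bug; the set of project files and the signature depth are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Sample input: the memcheck report from this bug, trimmed to the lines the
# parser uses (banner and leak-summary lines are not needed).
VALGRIND_REPORT = """\
==11187== Memcheck, a memory error detector
==11187== Command: binutils/cxxfilt -t
==11187==
==11187== Process terminating with default action of signal 2 (SIGINT)
==11187==    at 0x4C367E0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11187==    by 0x1DA254: memcpy (string_fortified.h:34)
==11187==    by 0x1DA254: remember_Ktype (cplus-dem.c:4430)
==11187==    by 0x1DE5F4: demangle_qualified (cplus-dem.c:3495)
==11187==    by 0x1DF736: demangle_signature (cplus-dem.c:1495)
==11187==    by 0x1E0A62: internal_cplus_demangle (cplus-dem.c:1257)
==11187==    by 0x1DB53B: cplus_demangle (cplus-dem.c:918)
==11187==    by 0x13A2B3: demangle_it (cxxfilt.c:62)
==11187==    by 0x139F61: main (cxxfilt.c:276)
==11187==
==11187== HEAP SUMMARY:
==11187==     in use at exit: 2,506,806,484 bytes in 50,064 blocks
==11187==   total heap usage: 50,092 allocs, 28 frees, 2,507,614,296 bytes allocated
==11187==
==11187== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.+)\)\s*$")
CMD_RE = re.compile(r"^==(\d+)== Command:\s+(.*)$")
HEAP_RE = re.compile(r"in use at exit:\s+([\d,]+) bytes in ([\d,]+) blocks")
USAGE_RE = re.compile(r"total heap usage:\s+([\d,]+) allocs, ([\d,]+) frees, ([\d,]+) bytes allocated")
SRC_RE = re.compile(r"^([^\s:]+):(\d+)$")


def _num(text: str) -> int:
    """Valgrind prints thousands separators; strip them before converting."""
    return int(text.replace(",", ""))


@dataclass
class Frame:
    func: str
    location: str  # e.g. "cplus-dem.c:4430" or "in /usr/lib/valgrind/..."

    def source_file(self) -> Optional[str]:
        """File name when valgrind resolved the frame to a source line, else None."""
        m = SRC_RE.match(self.location)
        return m.group(1) if m else None


@dataclass
class ValgrindReport:
    pid: int = 0
    command: str = ""
    frames: List[Frame] = field(default_factory=list)  # first stack trace only
    in_use_bytes: int = 0
    in_use_blocks: int = 0
    allocs: int = 0
    frees: int = 0
    bytes_allocated: int = 0


def parse_report(text: str) -> ValgrindReport:
    report = ValgrindReport()
    in_trace = False
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            report.pid, report.command = int(m.group(1)), m.group(2).strip()
            continue
        m = FRAME_RE.match(line)
        if m and (in_trace or not report.frames):
            # "at" opens a trace, "by" continues it; only the first trace is kept.
            in_trace = True
            report.frames.append(Frame(m.group(1), m.group(2)))
            continue
        in_trace = False
        m = HEAP_RE.search(line)
        if m:
            report.in_use_bytes, report.in_use_blocks = _num(m.group(1)), _num(m.group(2))
        m = USAGE_RE.search(line)
        if m:
            report.allocs, report.frees, report.bytes_allocated = (_num(g) for g in m.groups())
    return report


def is_oom(report: ValgrindReport, threshold_bytes: int = 1 << 30) -> bool:
    """Heuristic: a run that still holds more than the threshold (assumed 1 GiB)
    at exit is a memory-exhaustion finding even when memcheck reports 0 errors."""
    return report.in_use_bytes >= threshold_bytes


def crash_signature(report: ValgrindReport, project_files: Set[str], depth: int = 3) -> List[str]:
    """Functions of the first `depth` frames inside the project's own source files,
    skipping libc/valgrind preload frames such as memmove and the fortified memcpy.
    Two reports with the same signature are very likely the same bug."""
    funcs = [f.func for f in report.frames if f.source_file() in project_files]
    return funcs[:depth]


def signature_hash(signature: List[str]) -> str:
    """Short stable key for a bucket of duplicate reports."""
    return hashlib.sha256("|".join(signature).encode()).hexdigest()[:16]


if __name__ == "__main__":
    r = parse_report(VALGRIND_REPORT)
    sig = crash_signature(r, {"cplus-dem.c", "cxxfilt.c"})
    print(f"{r.command}: {r.in_use_bytes:,} bytes live at exit, oom={is_oom(r)}")
    print("signature", signature_hash(sig), " <- ".join(sig))
```

Run against a directory of memcheck logs, the signature hash groups every report whose first libiberty frames are `remember_Ktype <- demangle_qualified <- demangle_signature`, and the OOM flag separates memory-exhaustion inputs (0 memcheck errors, gigabytes live at exit) from invalid-access findings that need a different fix.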
This is a dup of bug 84950. *** This bug has been marked as a duplicate of bug 84950 ***