Bug 85454 - Multiple memory corruptions in objdump / C++ name demangler (binuitils-2.30-15ubuntu1)
Summary: Multiple memory corruptions in objdump / C++ name demangler (binuitils-2.30-1...
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks: asan
  Show dependency treegraph
 
Reported: 2018-04-18 15:11 UTC by Sergej Schumilo
Modified: 2018-12-07 12:37 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sergej Schumilo 2018-04-18 15:11:09 UTC
Dear all,
according to the bintutils maintainers the following memory corruption bugs are in the C++ name demangler (instead of the binutils application objdump), which is part of the libiberty library. 

This is the original binutils bug report (https://sourceware.org/bugzilla/show_bug.cgi?id=23057):

-----------------------------------------------------------------------------

Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102), we were asked to report them directly to the binutils developers: 

----------------------------------------------------

Dear all,
The following binutils objdump memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.

Steps to reproduce:

Build current verison of binutils:
```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address
-fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check -C -g -f -dwarf -x $file
```

We can verify those issues for objdump binuitils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source bintuils").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
Comment 1 Nick Clifton 2018-12-07 12:37:49 UTC
Fixed with commit 266886.