Bug 88629 (CVE-2018-20712) - Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt
Summary: Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as ...
Status: UNCONFIRMED
Alias: CVE-2018-20712
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-28 09:27 UTC by Cheng Wen
Modified: 2019-02-01 07:22 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
POC1 (173 bytes, application/octet-stream)
2018-12-28 09:27 UTC, Cheng Wen
Details
POC2 (178 bytes, application/octet-stream)
2018-12-28 09:27 UTC, Cheng Wen
Details
POC3 (142 bytes, application/octet-stream)
2018-12-28 09:27 UTC, Cheng Wen
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Cheng Wen 2018-12-28 09:27:10 UTC
Created attachment 45294 [details]
POC1

Hi, there.

A Heap-buffer-overflow problem was discovered in function function d_expression_1 in cp-demangle.c of binutils latest code base, too. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too.

Please use the "./c++filt -t < $POC" to reproduce the bug.

Note that this error only occurs in the last code base, maybe this is a regression error. I will show you the commit ID.

> $ git log
> commit ebb8004a18a3808d7197762faf3c5aaeae82371f
> Author: GDB Administrator <gdbadmin@sourceware.org>
> Date:   Wed Dec 19 00:00:21 2018 +0000
> 
>     Automatic date update in version.in

The ASAN dumps the stack trace as follows:

> =================================================================
> ==83311==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000059 at pc 0x000000ac9a4b bp 0x7ffeedce2490 sp 0x7ffeedce2488
> READ of size 1 at 0x602000000059 thread T0
>     #0 0xac9a4a in d_expression_1 /binutils-gdb/libiberty/./cp-demangle.c:3356:12
>     #1 0xab4724 in d_expression /binutils-gdb/libiberty/./cp-demangle.c:3531:9
>     #2 0xaacdbe in cplus_demangle_type /binutils-gdb/libiberty/./cp-demangle.c:2615:9
>     #3 0xaaab09 in cplus_demangle_type /binutils-gdb/libiberty/./cp-demangle.c:2411:10
>     #4 0xaac400 in cplus_demangle_type /binutils-gdb/libiberty/./cp-demangle.c:2568:26
>     #5 0xaac400 in cplus_demangle_type /binutils-gdb/libiberty/./cp-demangle.c:2568:26
>     #6 0xab8dc1 in d_demangle_callback /binutils-gdb/libiberty/./cp-demangle.c:6289:7
>     #7 0xab7d4f in d_demangle /binutils-gdb/libiberty/./cp-demangle.c:6343:12
>     #8 0xab7b66 in cplus_demangle_v3 /binutils-gdb/libiberty/./cp-demangle.c:6500:10
>     #9 0xa75571 in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:881:13
>     #10 0xa904ba in demangle_template_value_parm /binutils-gdb/libiberty/./cplus-dem.c:2146:12
>     #11 0xa8a190 in demangle_template /binutils-gdb/libiberty/./cplus-dem.c:2331:14
>     #12 0xa849c8 in demangle_signature /binutils-gdb/libiberty/./cplus-dem.c:1709:18
>     #13 0xa9715e in iterate_demangle_function /binutils-gdb/libiberty/./cplus-dem.c:2761:14
>     #14 0xa81759 in demangle_prefix /binutils-gdb/libiberty/./cplus-dem.c:2989:14
>     #15 0xa7a694 in internal_cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:1254:14
>     #16 0xa75cbb in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:919:9
>     #17 0x51518c in demangle_it /binutils-gdb/binutils/cxxfilt.c:66:12
>     #18 0x5149e7 in main /binutils-gdb/binutils/cxxfilt.c:288:4
>     #19 0x7f702142782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #20 0x41ab28 in _start (/binutils-gdb/build/bin/c++filt+0x41ab28)
> 
> 0x602000000059 is located 0 bytes to the right of 9-byte region [0x602000000050,0x602000000059)
> allocated by thread T0 here:
>     #0 0x4daa50 in malloc /home/tangyun/Documents/Git/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
>     #1 0xb0740f in xmalloc /binutils-gdb/libiberty/./xmalloc.c:147:12
>     #2 0xa903af in demangle_template_value_parm /binutils-gdb/libiberty/./cplus-dem.c:2138:18
>     #3 0xa8a190 in demangle_template /binutils-gdb/libiberty/./cplus-dem.c:2331:14
>     #4 0xa849c8 in demangle_signature /binutils-gdb/libiberty/./cplus-dem.c:1709:18
>     #5 0xa9715e in iterate_demangle_function /binutils-gdb/libiberty/./cplus-dem.c:2761:14
>     #6 0xa81759 in demangle_prefix /binutils-gdb/libiberty/./cplus-dem.c:2989:14
>     #7 0xa7a694 in internal_cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:1254:14
>     #8 0xa75cbb in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:919:9
>     #9 0x51518c in demangle_it /binutils-gdb/binutils/cxxfilt.c:66:12
>     #10 0x5149e7 in main /binutils-gdb/binutils/cxxfilt.c:288:4
>     #11 0x7f702142782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils-gdb/libiberty/./cp-demangle.c:3356:12 in d_expression_1
> Shadow bytes around the buggy address:
>   0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 02 fa fa fa 06 fa fa fa 00[01]fa fa fa fa
>   0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==83311==ABORTING
Comment 1 Cheng Wen 2018-12-28 09:27:34 UTC
Created attachment 45295 [details]
POC2
Comment 2 Cheng Wen 2018-12-28 09:27:49 UTC
Created attachment 45296 [details]
POC3
Comment 3 Cheng Wen 2018-12-28 10:23:29 UTC
That 's because "d_advance (di, 2);" in function d_expression_1, it change di->n = di + 2; leading to buffer-over-flow problem. 

> 3353      d_advance (di, 2);
> 3354      if (peek == 't')
> 3355	type = cplus_demangle_type (di);
> 3356      if (!d_peek_next_char (di))
> 3357	return NULL;
Comment 4 Cheng Wen 2019-01-11 06:04:12 UTC
Hi, does anyone here to look at this bug?
Comment 5 Cheng Wen 2019-02-01 07:21:12 UTC
This bug got assigned CVE-2018-20712