Bug 88783 - integer overflow in libiberty, heap overflow will be triggered in nm
Summary: integer overflow in libiberty, heap overflow will be triggered in nm
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL: https://sourceware.org/bugzilla/show_...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-10 06:12 UTC by tfx
Modified: 2019-06-01 17:29 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
nm -C POC (89 bytes, application/octet-stream)
2019-01-10 06:12 UTC, tfx
Details

Note You need to log in before you can comment on or make changes to this bug.
Description tfx 2019-01-10 06:12:40 UTC
Created attachment 45396 [details]
nm -C POC

nm -C POC

I use 32bit binutils in 64bit Ubuntu 16.04.4 LTS.

The trigger command is ./nm -C POC

The source Code show as follow in cplus-dem.c

>2246      work->tmpl_argvec = XNEWVEC (char *, r);  //sizeof(char*) * r
>2247      work->ntmpl_args = r;
>2248      for (i = 0; i < r; i++)
>2249   	work->tmpl_argvec[i] = 0;

Integer overflow when r > 0x40000000 in line 2246, that will trigger heap overflow in in line 2249. 
There are several similar problems in libiberty.

The part of crash output show as follow.
=================================================================
==9029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3bfea80 at pc 0x083ba887 bp 0xffabcac8 sp 0xffabcac0
WRITE of size 4 at 0xf3bfea80 thread T0
    #0 0x83ba886 in demangle_template ./binutils-gdb/libiberty/./cplus-dem.c:2249:23
    #1 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18
    #2 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14
    #3 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9
    #4 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9
    #5 0x81460a0 in print_symname ./binutils-gdb/binutils/nm.c:423:19
    #6 0x8145035 in print_symbol_info_bsd ./binutils-gdb/binutils/nm.c:1565:3
    #7 0x8149d87 in print_symbol ./binutils-gdb/binutils/nm.c:903:3
    #8 0x8148828 in print_symbols ./binutils-gdb/binutils/nm.c:1102:7
    #9 0x8146fdb in display_rel_file ./binutils-gdb/binutils/nm.c:1215:5
    #10 0x8144a11 in display_file ./binutils-gdb/binutils/nm.c:1335:7
    #11 0x814424f in main ./binutils-gdb/binutils/nm.c:1816:12
    #12 0xf7d3f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x806be08 in _start (./binutils-gdb/binutils/nm-new+0x806be08)

0xf3bfea80 is located 0 bytes to the right of 251581056-byte region [0xe4c11800,0xf3bfea80)
allocated by thread T0 here:
    #0 0x8112215 in malloc  asan_malloc_linux.cc:146:3
    #1 0x83e6659 in xmalloc ./binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18
    #3 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14
    #4 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9
    #5 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9

SUMMARY: AddressSanitizer: heap-buffer-overflow ./binutils-gdb/libiberty/./cplus-dem.c:2249:23 in demangle_template
Shadow bytes around the buggy address:
  0x3e77fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e77fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9029==ABORTING
Comment 1 tfx 2019-01-10 06:21:42 UTC
I use latest binutils.
Comment 2 Nick Clifton 2019-05-24 09:47:51 UTC
Hi tfx,

  Thank you vert much for reporting this bug.  Unfortunately the binutils
  project does not maintain the libiberty library (which contains the 
  cplus-dem.c source file).  Instead this is handled by the gcc project.
  So please could you refile your bug report on the gcc bugzilla system:

   https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

  Thank you.

Cheers
  Nick
Comment 3 Richard Earnshaw 2019-05-24 09:50:22 UTC
(In reply to Nick Clifton from comment #2)
> Hi tfx,
> 
>   Thank you vert much for reporting this bug.  Unfortunately the binutils
>   project does not maintain the libiberty library (which contains the 
>   cplus-dem.c source file).  Instead this is handled by the gcc project.
>   So please could you refile your bug report on the gcc bugzilla system:
> 
>    https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc
> 
>   Thank you.
> 
> Cheers
>   Nick

??? This is the gcc bugzilla.
Comment 4 Andrew Pinski 2019-05-24 14:05:53 UTC
.
Comment 5 tfx 2019-06-01 17:29:13 UTC
CVE-2018-20673 has been assigned to this bug.