[Bug c++/69687] Buffer Overflow in libiberty

["boehme.marcel at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #4 from Marcel BÃhme <boehme.marcel at gmail dot com> ---
Here is my preliminary analysis:
The function demangle_args (cplus-dem.c:4424) parses the (crafted) mangled
function args from the binary. In line 4452, r is read from mangled. In line
4491, we enter a loop with r iterations. In line 4498, arg is parsed from
mangled (always from the same region). In each loop iteration arg is appended
to decl, such that the length of decl grows in each iteration.

The function string_appends (cplus-dem.c:4820) appends string arg to string
decl. In line 4827, it uses string_need to check whether sufficient memory is
allocated in decl to append arg. Then, it memcopies whatever is in arg to the
end of decl.

The function string_need (cplus-dem.c:4751) checks whether sufficient memory is
available to append size-of-arg more characters. If not, xrealloc decl with
n=2*(length of decl + length of arg) characters. Since n is a signed int, n
wraps over at some iteration. Since, realloc expects n to be unsigned, we end
up allocating less memory then actually needed. In the beginning though n is
too large and xrealloc simply complains. However, if you play a bit with the
length of arg, you'll quickly turn that integer overflow in a buffer overflow.
Later, string_appends will memcopy whatever arg contains.

In our simple test case the relevant bits in the binary are specified the
binary (arbitrarily): r = 80000000, arg = "A______wwww\235\235\235_N____" of
length 020.

A particularly malicious attacker could craft an executable that executes when
*analysed* by objdump, nm or gdb, or any other libbfd / libiberty - based
forensics tool (if the demangling option is switched on).

--
Marcel BÃhme
Postdoctoral Researcher
TSUNAMi Security Research Lab
National University of Singapore