https://sourceware.org/bugzilla/show_bug.cgi?id=23833

Bug ID: 23833
Summary: Segmentation Fault (118485394)
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: security-tps at google dot com
Target Milestone: ---

Created attachment 11368
--> https://sourceware.org/bugzilla/attachment.cgi?id=11368&action=edit
Proof of concept

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting binutils (tested with revision * master fd2b4de5e63ad5994baf9c57b5d0c49d1f1dd4e4).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:

`unzip artifacts_118485394.zip`

`docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-118485394 autofuzz_118485394`

`docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_118485394/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935_min:/tmp/poc autofuzz-binutils-118485394 "" /tmp/poc`

`docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_118485394/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935_min:/tmp/poc -it autofuzz-binutils-118485394`

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

```
INFO: Seed: 1711824187
INFO: Loaded 0 modules (0 guards):
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935
ASAN:DEADLYSIGNAL
=================================================================
==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053686d bp 0x7ffdab291030 sp 0x7ffdab290d20 T0)
==8==The signal is caused by a READ memory access.
==8==Hint: address points to the zero page.
    #0 0x53686c in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c
    #1 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #2 0x534434 in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4661:7
    #3 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #4 0x52ca6a in cplus_demangle_print_callback /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4305:5
    #5 0x52df35 in d_demangle_callback /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6277:16
    #6 0x52d95b in d_demangle /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6299:12
    #7 0x52d855 in cplus_demangle_v3 /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6456:10
    #8 0x519da3 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:880:13
    #9 0x5215e2 in demangle_template_value_parm /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #10 0x51f238 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #11 0x528287 in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #12 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #13 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #14 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #15 0x51d087 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1732:16
    #16 0x51b02d in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #17 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #18 0x517a1d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #19 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #20 0x53fb8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53fb8e)
    #21 0x544097 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x544097)
    #22 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #23 0x7fc9ada182e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #24 0x41f479 in _start (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41f479)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/binutils-gdb/libiberty/cp-demangle.c in d_print_comp_inner
==8==ABORTING
```

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released.

With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

--
You are receiving this mail because: You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
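The sanitizer output in a report like this one is what a maintainer or a security team actually triages: which project frame crashed, what kind of fault it is, and a stable signature for grouping the many fuzzer inputs that hit the same bug. The following is an added example, not code from the bug report, from binutils or from the Google AutoFuzz tooling; it parses a constructed ASAN report (a subset of the frames shown above, one frame per line as ASAN prints them) and classifies the fault. The set of harness and runtime functions skipped when locating the crashing frame is an assumption. Note what the classification says and does not say: a READ fault at an address on the zero page is a null-pointer dereference, which on its own is a crash (denial of service) rather than memory corruption, so the label deliberately stops there.

```python
"""Triage helper for AddressSanitizer crash reports (added example, not binutils code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the frames from the report above, one frame per
# line as ASAN prints them (frames #5-#17, #20, #21 and #24 omitted for brevity).
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053686d bp 0x7ffdab291030 sp 0x7ffdab290d20 T0)
==8==The signal is caused by a READ memory access.
==8==Hint: address points to the zero page.
    #0 0x53686c in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c
    #1 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #2 0x534434 in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4661:7
    #3 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #4 0x52ca6a in cplus_demangle_print_callback /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4305:5
    #18 0x517a1d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #19 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #22 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #23 0x7fc9ada182e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: SEGV /fuzzing/binutils-gdb/libiberty/cp-demangle.c in d_print_comp_inner
==8==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
HINT_RE = re.compile(r"==\d+==Hint: (.+)")
# "#N 0xADDR in <function, may contain spaces> <location, no spaces>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")
# Source location "path.c[:line[:col]]"; module frames "(binary+0xoff)" do not match.
SRC_RE = re.compile(r"^(.+?\.(?:c|cc|cpp|h|hpp))(?::(\d+))?(?::\d+)?$")

# Assumed list of harness/runtime functions to skip when finding the crashing
# project frame; adjust for the fuzzing harness in use.
HARNESS_FUNCS = {"LLVMFuzzerTestOneInput", "main", "__libc_start_main", "_start"}


def is_harness(function: str) -> bool:
    return function.startswith("fuzzer::") or function in HARNESS_FUNCS


@dataclass
class Frame:
    index: int
    function: str
    location: str
    path: Optional[str] = None  # set only when the frame resolved to a source file
    line: Optional[int] = None  # None when the build had no line info (as for #0 above)

    @property
    def in_source(self) -> bool:
        return self.path is not None


@dataclass
class Triage:
    kind: str             # e.g. "SEGV", "heap-buffer-overflow"
    address: int
    access: Optional[str] # "READ" / "WRITE" when ASAN reports it
    hint: Optional[str]
    frames: List[Frame]

    def project_frames(self) -> List[Frame]:
        return [f for f in self.frames if f.in_source and not is_harness(f.function)]

    def crash_frame(self) -> Optional[Frame]:
        project = self.project_frames()
        return project[0] if project else (self.frames[0] if self.frames else None)

    def signature(self, depth: int = 3) -> str:
        # Function-name stack prefix: stable across ASLR and rebuilds, so it groups
        # the many fuzzer inputs that reach the same bug.
        return "|".join(f.function for f in self.project_frames()[:depth])

    def classify(self) -> str:
        access = (self.access or "access").lower()
        if self.kind == "SEGV":
            # An access within the first page is a null-pointer dereference: a crash
            # (denial of service), not memory corruption by itself.
            return ("null-deref-" if self.address < 0x1000 else "wild-") + access
        return f"{self.kind}-{access}"


def parse_frames(report: str) -> List[Frame]:
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        frame = Frame(int(m.group(1)), m.group(2), m.group(3))
        src = SRC_RE.match(frame.location)
        if src:
            frame.path = src.group(1)
            frame.line = int(src.group(2)) if src.group(2) else None
        frames.append(frame)
    return frames


def triage(report: str) -> Triage:
    err = ERROR_RE.search(report)
    if not err:
        raise ValueError("no AddressSanitizer ERROR line found")
    access = ACCESS_RE.search(report)
    hint = HINT_RE.search(report)
    return Triage(kind=err.group(1), address=int(err.group(2), 16),
                  access=access.group(1) if access else None,
                  hint=hint.group(1).strip() if hint else None,
                  frames=parse_frames(report))


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    top = t.crash_frame()
    print(f"{t.classify()} at {top.function} ({top.path}:{top.line})")
    print("signature:", t.signature())
```

Run against the sample, the crashing project frame is `d_print_comp_inner` in cp-demangle.c with no line number (the frame in the report carries none), the fault is labelled `null-deref-read`, and the signature is the first three project function names joined, which is what a tracker would key duplicates on. Frames that resolve only to a module and offset, such as the libFuzzer runtime frames, keep their raw location and are excluded from the signature.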