https://sourceware.org/bugzilla/show_bug.cgi?id=30267
Bug ID: 30267
Summary: Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.
Product: binutils
Version: 2.26
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fengzhengzhan at gmail dot com
Target Milestone: ---

Created attachment 14774
--> https://sourceware.org/bugzilla/attachment.cgi?id=14774&action=edit
poc

# Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.

While I was comparing fuzzing experiments on the program, I found a heap buffer overflow in the binutils-2_26_1 version of c++filt, at function demangle_prefix in cplus-dem.c:2744. This crash has already been fixed in the binutils-2_40 version. However, I still feel that I should report this to you, so I apologize for taking up your time.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```

2. compile libming with ASAN

```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```

3. command for reproducing the error

```
./c++filt_asan @poc
```

Download poc: [poc](https://github.com/fengzhengzhan/FzzVul/blob/main/c%2B%2Bfilt/binutils-gdb_c%2B%2Bflit226_heap-buffer-overflow_cplus-dem2744)

## ASAN report

1. binutils-2_26_1 version.

```
root@2413df779df0:~/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin# ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem2744
o_2__S0A4X530rE_;00
=================================================================
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x000000439b84 bp 0x7fff173aa870 sp 0x7fff173aa020
READ of size 1 at 0x60200000001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
    #2 0x5f24ae in internal_cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:1199:14
    #3 0x5f191b in cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:886:9
    #4 0x4f46ac in demangle_it /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:62:12
    #5 0x4f42ef in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:227:4
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41bfc9 in _start (/root/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin/c++filt_asan+0x41bfc9)

0x60200000001a is located 0 bytes to the right of 10-byte region [0x602000000010,0x60200000001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
    #2 0x608909 in xstrdup /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xstrdup.c:34:24
    #3 0x600faf in buildargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:271:17
    #4 0x601382 in expandargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:435:14
    #5 0x4f4162 in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:181:3
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00[02]fa fa 00 07 fa fa fd fa fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==112308==ABORTING
```

2. binutils-2_40 version, no crash occurred.

```
> ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem2744
o_2__S0A4X530rE_;00
__thunk_8

=================================================================
==124985==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4aea08 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
    #1 0x6272b0 in xrealloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:181:14
    #2 0x61a9d5 in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:474:3
    #3 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #4 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 30 byte(s) in 2 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6271cb in xmalloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x62730d in xstrdup /root/compiler1804/binutils-gdb/libiberty/./xstrdup.c:34:24
    #3 0x61a4b3 in buildargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:274:17
    #4 0x61a94b in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:461:14
    #5 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #6 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Indirect leak of 15 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6271cb in xmalloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x62730d in xstrdup /root/compiler1804/binutils-gdb/libiberty/./xstrdup.c:34:24
    #3 0x61a175 in dupargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:86:18
    #4 0x61a96c in expandargv /root/compiler1804/binutils-gdb/libiberty/./argv.c:464:11
    #5 0x4f41f6 in main /root/compiler1804/binutils-gdb/binutils/cxxfilt.c:151:3
    #6 0x7fe9cc666082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 85 byte(s) leaked in 4 allocation(s).
```
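When a fuzzing run compares builds the way this report does, the two sanitizer outputs above need to be sorted automatically: the 2.26.1 run is a real out-of-bounds read, the 2.40 run is leak-only noise. The script below is an added triage example, not part of the bug report or of binutils; its two sample reports are trimmed copies of the output above, and the NOISE skip list is an assumption about which frames a triager never wants reported first.

```python
import re
# Constructed sample, trimmed from the binutils-2.26.1 ASAN report in this bug.
OVERFLOW = """\
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x000000439b84
READ of size 1 at 0x60200000001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
0x60200000001a is located 0 bytes to the right of 10-byte region [0x602000000010,0x60200000001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
    #2 0x608909 in xstrdup /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xstrdup.c:34:24
    #3 0x600faf in buildargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:271:17
"""
# Constructed sample, trimmed from the binutils-2.40 run, where only LeakSanitizer fires.
LEAK = """\
==124985==ERROR: LeakSanitizer: detected memory leaks
    #0 0x4aea08 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
"""
ERROR_RE = re.compile(r"==\d+==ERROR: (\w+Sanitizer): (.+?)(?: on address .*)?$", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region")
# Assumed skip list: sanitizer interceptors and libiberty's allocation wrappers.
NOISE = ("__interceptor_", "malloc", "realloc", "xmalloc", "xrealloc", "xstrdup")

def first_target_frame(text):
    for func, loc in FRAME_RE.findall(text):
        if not func.startswith(NOISE):
            return f"{func} {loc}"
    return None

def triage(report):
    """Reduce an ASAN/LSAN report to the fields a fuzz-triage pipeline keys on."""
    if (m := ERROR_RE.search(report)) is None:
        raise ValueError("not a sanitizer report")
    tool, kind = m.groups()
    # The faulting stack precedes "allocated by"; the allocation stack follows it.
    crash_part, _, alloc_part = report.partition("allocated by")
    result = {"tool": tool, "kind": kind,
              # Leaks are hygiene findings; a bad memory access is what fuzzing hunts.
              "actionable": tool != "LeakSanitizer",
              "crash_site": first_target_frame(crash_part),
              "alloc_site": first_target_frame(alloc_part)}
    if acc := ACCESS_RE.search(report):
        result["access"] = f"{acc.group(1)} {acc.group(2)}"
    if reg := REGION_RE.search(report):
        # "0 bytes to the right" means the read landed exactly one past the end.
        result["overrun"] = f"{reg.group(1)}B {reg.group(2)} of {reg.group(3)}B region"
    return result
```

For the 2.26.1 report this yields crash_site demangle_prefix at cplus-dem.c:2744:7 and alloc_site buildargv, which is exactly the pair (where it read, what it read from) a bug report should lead with.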