https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
Bug ID: 85454
Summary: Multiple memory corruptions in objdump / C++ name
demangler (binuitils-2.30-15ubuntu1)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: sergej at schumilo dot de
Target Milestone: ---
Dear all,
according to the bintutils maintainers the following memory corruption bugs are
in the C++ name demangler (instead of the binutils application objdump), which
is part of the libiberty library.
This is the original binutils bug report
(https://sourceware.org/bugzilla/show_bug.cgi?id=23057):
-----------------------------------------------------------------------------
Dear all,
after reporting the following bugs to the Ubuntu security team
(https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102), we were
asked to report them directly to the binutils developers:
----------------------------------------------------
Dear all,
The following binutils objdump memory corruptions were found by a modified
version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have
attached the crashing inputs and each ASAN report.
Steps to reproduce:
Build current verison of binutils:
```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address
-ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb"
LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address
-ggdb" CXXFLAGS="-fsanitize=address
-fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```
Run inputs under ASAN:
```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check
-C -g -f -dwarf -x $file
```
We can verify those issues for objdump binuitils-2.30-15ubuntu1 (Ubuntu 16.04.4
LTS / sources from "pull-lp-source bintuils").
Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität
Bochum)
Best regards,
Sergej Schumilo
