[Bug binutils/30507] New: NULL dereference in rust-demangle reachable via nm-new

2023-06-01 Thread lukas.dresel at cs dot ucsb.edu
https://sourceware.org/bugzilla/show_bug.cgi?id=30507

Bug ID: 30507
   Summary: NULL dereference in rust-demangle reachable via nm-new
   Product: binutils
   Version: 2.40
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: lukas.dresel at cs dot ucsb.edu
  Target Milestone: ---

Created attachment 14911
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14911&action=edit
Testcase reproducing the above issue

Our hybrid fuzzer found a testcase which causes `rust-demangle` to call memcpy
with a NULL source pointer.

The output of `nm-new` compiled with undefined-behavior-sanitizer is shown
below:

```
$ /experiments/targets/nm-new-original -C /tmp/crash_nm_rust-demangle-1572 
 w __azb]axhaotqd;@RSXEE\7.1.9__cbme_hzdvh
201c B __bgo[ytdlv
0506 R bgq
0087 d __bp_spkccp]bpisq]fqr[blqj[arsbv]ariwu
200b D __cbme_hzdvh
200b W cbme_hzdvh
0430 r cbxdvztzcw\wj^ckvqdy__ex_lzocax`dxiqo_ehj
00f4 d _`crcif_cnljx_umih`fsjbs\byhxr
2007 D _]esp`qatezf
04c0 t __ex_lzocax`dxiqo_ehj
05e8 T _fg[zz
0593 t _fya
2001 d _GLOBAL_WDDUFZ^VBCKF`
 w _GRW[cbpfwogufyKXCshmdGaclf__t58.sak_sd]litts.dp
039f T _hzdvh
0568 T __ired[cnq_polk_fg[zz
050f r iso,bz
201c b j
201c D __NJD]AVA][
008b d __nkjo_cmufy`nrcqg__QJG\FU[BLDPE\YBU
 w _NPP[ofkpkvdjVOCjghfLabge
055f T __p98-reg[hb^wvytp.fk__NJD]AVA][
037d T _polk_fg[zz
05f4 t __QJG\FU[BLDPE\YBU
0087 d __qvix]cmjco_fya
 U @ROVFB`5.0_ZdaAT1_RYC0.vdj\lc[kniso,bz
rust-demangle.c:1572:32: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior rust-demangle.c:1572:32 in
```


The output of --version for `nm-new` is:
```
$ /experiments/targets/nm-new-original --version
GNU nm (GNU Binutils) 2.40.50.20230411
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug binutils/30507] NULL dereference in rust-demangle reachable via nm-new

2023-06-01 Thread lukas.dresel at cs dot ucsb.edu
https://sourceware.org/bugzilla/show_bug.cgi?id=30507

--- Comment #1 from Lukas Dresel ---
The fuzzer ran on binutils from git commit
44019209faf3db952a6a04aaeeaa779a8ff7e661

```
$ git log -n 1
commit 44019209faf3db952a6a04aaeeaa779a8ff7e661 (HEAD -> master, origin/master, origin/HEAD)
Author: GDB Administrator
Date:   Tue Apr 11 00:00:19 2023 +

Automatic date update in version.in
```



[Bug binutils/30507] NULL pointer passed to memcpy in rust-demangle reachable via nm-new

2023-06-01 Thread lukas.dresel at cs dot ucsb.edu
https://sourceware.org/bugzilla/show_bug.cgi?id=30507

Lukas Dresel changed:

        What |Removed                                               |Added
     Summary |NULL dereference in rust-demangle reachable via nm-new|NULL pointer passed to memcpy in rust-demangle reachable via nm-new



[Bug binutils/30507] NULL pointer passed to memcpy in rust-demangle reachable via nm-new

2023-06-01 Thread lukas.dresel at cs dot ucsb.edu
https://sourceware.org/bugzilla/show_bug.cgi?id=30507

--- Comment #2 from Lukas Dresel ---
The `length` passed to memcpy and the `data` are zero in this case, causing it
to be a non-issue on my system (if len is zero, memcpy does not attempt to
dereference the pointer), but I'm not sure about other libcs or other
architectures.

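The guarded append below is an added example, not binutils' rust-demangle code, showing the check Comment #2's question calls for: an empty piece whose pointer is NULL is handled before memcpy is ever reached, because the call is undefined behaviour even at length zero and a compiler may use memcpy's nonnull declaration to drop a NULL test placed after it. The `outbuf` type and `outbuf_append` are constructed names for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output buffer of the kind a demangler appends decoded pieces to
 * (constructed for this example, not the binutils structure). */
struct outbuf { char *buf; size_t len, cap; };

/* Append len bytes from data; 0 on success, -1 on caller error or OOM.
 * memcpy with a NULL source is undefined even for len == 0 (C17 7.24.1p2):
 * glibc declares the parameter nonnull, UBSan reports the call, and GCC may
 * use that assumption to delete a "data == NULL" test placed after it. */
static int outbuf_append(struct outbuf *o, const char *data, size_t len)
{
    if (len == 0) return 0;       /* empty piece: no copy, pointer never read */
    if (data == NULL) return -1;  /* non-empty length without bytes: refuse */
    if (len + 1 > o->cap - o->len) {
        size_t ncap = o->cap ? o->cap : 16;
        while (ncap - o->len < len + 1)
            ncap *= 2;
        char *nb = realloc(o->buf, ncap);
        if (nb == NULL) return -1;
        o->buf = nb; o->cap = ncap;
    }
    memcpy(o->buf + o->len, data, len);   /* reached only with data != NULL */
    o->len += len;
    o->buf[o->len] = '\0';
    return 0;
}

/* Constructed check: "abc", then the reported shape (NULL, 0), then "def".
 * Returns 1 when every step behaves as intended, 0 otherwise. */
static int demo(void)
{
    struct outbuf o = { NULL, 0, 0 };
    int ok = 1;
    ok &= outbuf_append(&o, "abc", 3) == 0;
    ok &= outbuf_append(&o, NULL, 0) == 0;   /* no memcpy call, no change */
    ok &= o.len == 3;
    ok &= outbuf_append(&o, "def", 3) == 0;
    ok &= outbuf_append(&o, NULL, 3) == -1;  /* non-empty NULL piece: refused */
    ok &= o.buf != NULL && strcmp(o.buf, "abcdef") == 0;
    free(o.buf);
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;   /* exit status 0 when the guard behaves */
}
```

Built with `-fsanitize=undefined`, the same sequence fed to an unguarded memcpy reports the nonnull violation shown in the original report; the guard removes the call instead of relying on a particular libc to tolerate it.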


[Bug binutils/30507] NULL pointer passed to memcpy in rust-demangle reachable via nm-new

2023-06-01 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=30507

Alan Modra changed:

        What |Removed     |Added
  Resolution |---         |MOVED
      Status |UNCONFIRMED |RESOLVED

--- Comment #3 from Alan Modra ---
Please report demangler issues to the project that owns the demangler. 
https://gcc.gnu.org/bugzilla/

Closing as "moved" but note that I haven't opened a gcc bug.



[Bug ld/22263] -fpie -pie generates dynamic relocations in text section

2023-06-01 Thread sam at gentoo dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22263

Sam James changed:

        What |Removed |Added
          CC |        |sam at gentoo dot org



[Bug gprofng/30490] -Wsign-compare warning in gprofng build

2023-06-01 Thread vladimir.mezentsev at oracle dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=30490

Vladimir Mezentsev changed:

        What |Removed  |Added
  Resolution |---      |FIXED
      Status |ASSIGNED |RESOLVED

--- Comment #2 from Vladimir Mezentsev ---
Update status as resolved/fixed.



[Bug gprofng/29470] [test suite] The test suite should be made more flexible

2023-06-01 Thread vladimir.mezentsev at oracle dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=29470

Vladimir Mezentsev changed:

        What |Removed  |Added
  Resolution |---      |FIXED
      Status |ASSIGNED |RESOLVED

--- Comment #4 from Vladimir Mezentsev ---
Update status as resolved/fixed.
