Re: Report a bug of binutils-2.38

2022-10-03 Thread Nick Clifton

Hi bjchan9an,


> There is an uncontrolled stack recursion vulnerability in binutils-2.38, which
> allows stack consumption in demangle_path_maybe_open_generics().


As Alan said, we are really only interested in bugs triggered by fuzzed binaries
if they are reported against the current mainline code.  Given the trouble that
I know that you have had in reporting this problem however I thought that I
would add a few more details:

  1. As it happens the string demangling code is part of the libiberty library,
     which is actually maintained by the GCC project, not us.  (The binutils project
     makes use of the code, but it does not maintain the code).  Hence bug reports
     about demangling should be sent to the gcc mailing list.

  2. This problem - with the Rust demangler - has already been reported and fixed.
     If you try the current mainline GNU binutils sources you should find that
     the stack exhaustion does not occur.

Cheers
  Nick




Re: Report a bug of binutils-2.38

2022-09-30 Thread Alan Modra
On Fri, Sep 30, 2022 at 09:52:41PM +0800, bjchan9an wrote:
> There is an uncontrolled stack recursion vulnerability in binutils-2.38

Sorry, fuzzing reports against anything but current mainline will be
ignored.

-- 
Alan Modra
Australia Development Lab, IBM



Report a bug of binutils-2.38

2022-09-30 Thread bjchan9an
Version: binutils-2.38 release
Machine: ubuntu 18, 64bit server
Compiler: clang-6.0
Command argument: binutils/nm-new -C ./poc
Bug Type: CWE-674 Uncontrolled Recursion
Crash location: demangle_path_maybe_open_generics(), libiberty/rust-demangle.c:1087
Found by: bjchan...@foxmail.com
Details:


There is an uncontrolled stack recursion vulnerability in binutils-2.38, which
allows stack consumption in demangle_path_maybe_open_generics().


To trigger this bug, use the poc file in attachment and run the following commands:


```
cd binutils-2.38
CC=clang ./configure --disable-shared
make   # build step; nm-new does not exist until the tree has been built
./binutils/nm-new -C ./poc
```


The gdb trace is as follows:
```
Program received signal SIGSEGV, Segmentation fault.
0x005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1087
1087   backref = parse_integer_62 (rdm);
(gdb) bt
#0  0x005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1087
#1  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#2  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#3  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#4  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#5  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#6  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#7  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#8  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#9  0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#10 0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#11 0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
#12 0x005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffe0b8) at ../../libiberty/rust-demangle.c:1092
```

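The backtrace above shows demangle_path_maybe_open_generics() re-entering itself through a backref whose target is never required to lie behind the cursor, so a self-referential backref recurses until the stack is gone. As an added example (not libiberty's code and not the reporter's), the toy C demangler below models the same backref mechanism and shows the mitigation a defender expects in any recursive-descent parser over untrusted input: a nesting-depth counter that turns unbounded recursion into a clean parse failure. RECURSION_LIMIT, struct rdm and demangle() are assumptions of this example, as is the constructed input format.

```c
#include <ctype.h>
#include <string.h>

/* Toy model (not libiberty's code) of a v0-style demangler: "<len><chars>" is an
 * identifier, "B<offset>_" re-parses the path at <offset>. The limit is hypothetical. */
#define RECURSION_LIMIT 64
/* sym: mangled input; next: cursor; recursion: nesting depth; errored: failure flag */
struct rdm { const char *sym; size_t next; int recursion; int errored; };

static size_t parse_integer(struct rdm *rdm)
{
    size_t v = 0;
    if (!isdigit((unsigned char)rdm->sym[rdm->next])) { rdm->errored = 1; return 0; }
    while (isdigit((unsigned char)rdm->sym[rdm->next]))
        v = v * 10 + (size_t)(rdm->sym[rdm->next++] - '0');
    return v;
}

/* Appends one demangled path element to out (capacity outlen). */
static void demangle_path(struct rdm *rdm, char *out, size_t outlen)
{
    /* Depth guard: a self-referential backref ("B0_" at offset 0) would otherwise recurse until the stack is exhausted. */
    if (rdm->recursion >= RECURSION_LIMIT) { rdm->errored = 1; return; }
    rdm->recursion++;
    if (rdm->sym[rdm->next] != 'B') {            /* identifier: <len><chars> */
        size_t len = parse_integer(rdm), used = strlen(out);
        if (rdm->errored || len > strlen(rdm->sym + rdm->next) || used + len >= outlen)
            rdm->errored = 1;
        else { memcpy(out + used, rdm->sym + rdm->next, len); out[used + len] = '\0'; rdm->next += len; }
    } else {                                     /* backref: re-parse at <offset> */
        rdm->next++;
        size_t backref = parse_integer(rdm);     /* may point forward or at itself */
        size_t old_next = rdm->next + 1;         /* resume just past the '_' */
        if (rdm->errored || rdm->sym[rdm->next] != '_' || backref >= strlen(rdm->sym))
            rdm->errored = 1;
        else { rdm->next = backref; demangle_path(rdm, out, outlen); rdm->next = old_next; }
    }
    rdm->recursion--;
}

/* Demangles a whole symbol into out; returns 1 on success, 0 on any error. */
int demangle(const char *sym, char *out, size_t outlen)
{
    struct rdm rdm = { sym, 0, 0, 0 };
    out[0] = '\0';
    while (!rdm.errored && sym[rdm.next] != '\0') {
        if (out[0] != '\0' && strlen(out) + 3 <= outlen) strcat(out, "::");
        demangle_path(&rdm, out, outlen);
    }
    return !rdm.errored;
}
```

With the guard, "3fooB0_" demangles to "foo::foo" while the self-referential "B0_" fails after RECURSION_LIMIT nested calls instead of crashing; the same counter pattern also caps the depth of legitimate but deeply nested input.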