[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #15 from Jakub Jelinek --- Author: jakub Date: Thu May 19 12:05:41 2016 New Revision: 236456 URL: https://gcc.gnu.org/viewcvs?rev=236456=gcc=rev Log: Backported from mainline 2016-05-19 Jakub JelinekPR c++/70498 * cp-demangle.c (d_expression_1): Formatting fix. 2016-05-02 Marcel Böhme PR c++/70498 * cp-demangle.c: Parse numbers as integer instead of long to avoid overflow after sanity checks. Include if available. (INT_MAX): Define if necessary. (d_make_template_param): Takes integer argument instead of long. (d_make_function_param): Likewise. (d_append_num): Likewise. (d_identifier): Likewise. (d_number): Parse as and return integer. (d_compact_number): Handle overflow. (d_source_name): Change variable type to integer for parsed number. (d_java_resource): Likewise. (d_special_name): Likewise. (d_discriminator): Likewise. (d_unnamed_type): Likewise. * testsuite/demangle-expected: Add regression test cases. 2016-04-08 Marcel Böhme PR c++/69687 * cplus-dem.c: Include if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. PR c++/70492 * cplus-dem.c (gnu_special): Handle case where consume_count returns -1. 2016-03-31 Mikhail Maltsev Marcel Bohme PR c++/67394 PR c++/70481 * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing btypevec/ktypevec. * testsuite/demangle-expected: Add coverage tests. Modified: branches/gcc-4_9-branch/libiberty/ChangeLog branches/gcc-4_9-branch/libiberty/cp-demangle.c branches/gcc-4_9-branch/libiberty/cplus-dem.c branches/gcc-4_9-branch/libiberty/testsuite/demangle-expected
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #14 from Jakub Jelinek --- Author: jakub Date: Thu May 19 10:44:31 2016 New Revision: 236452 URL: https://gcc.gnu.org/viewcvs?rev=236452=gcc=rev Log: Backported from mainline 2016-05-19 Jakub JelinekPR c++/70498 * cp-demangle.c (d_expression_1): Formatting fix. 2016-05-02 Marcel Böhme PR c++/70498 * cp-demangle.c: Parse numbers as integer instead of long to avoid overflow after sanity checks. Include if available. (INT_MAX): Define if necessary. (d_make_template_param): Takes integer argument instead of long. (d_make_function_param): Likewise. (d_append_num): Likewise. (d_identifier): Likewise. (d_number): Parse as and return integer. (d_compact_number): Handle overflow. (d_source_name): Change variable type to integer for parsed number. (d_java_resource): Likewise. (d_special_name): Likewise. (d_discriminator): Likewise. (d_unnamed_type): Likewise. * testsuite/demangle-expected: Add regression test cases. 2016-04-08 Marcel Böhme PR c++/69687 * cplus-dem.c: Include if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. PR c++/70492 * cplus-dem.c (gnu_special): Handle case where consume_count returns -1. 2016-03-31 Mikhail Maltsev Marcel Bohme PR c++/67394 PR c++/70481 * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing btypevec/ktypevec. * testsuite/demangle-expected: Add coverage tests. Modified: branches/gcc-5-branch/libiberty/ChangeLog branches/gcc-5-branch/libiberty/cp-demangle.c branches/gcc-5-branch/libiberty/cplus-dem.c branches/gcc-5-branch/libiberty/testsuite/demangle-expected
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Bernd Schmidt changed: What|Removed |Added Status|UNCONFIRMED |RESOLVED CC||bernds at gcc dot gnu.org Resolution|--- |FIXED --- Comment #13 from Bernd Schmidt --- Fixed.
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #12 from Bernd Schmidt --- Author: bernds Date: Fri Apr 8 12:10:21 2016 New Revision: 234829 URL: https://gcc.gnu.org/viewcvs?rev=234829=gcc=rev Log: Fix memory allocation size overflows (PR69687, patch by Marcel Böhme) PR c++/69687 * cplus-dem.c: Include if available. (INT_MAX): Define if necessary. (remember_type, remember_Ktype, register_Btype, string_need): Abort if we detect cases where we the size of the allocation would overflow. Modified: trunk/libiberty/ChangeLog trunk/libiberty/cplus-dem.c
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #11 from Manuel López-Ibáñez --- The policy of GNU software is to avoid arbitrary implementation limits whenever possible. (In reply to Marcel Böhme from comment #4) > with n=2*(length of decl + length of arg) characters. Since n is a signed > int, n wraps over at some iteration. Since, realloc expects n to be > unsigned, we end up allocating less memory then actually needed. In the Why n is signed if realloc expects it to be unsigned? Aren't the lengths measured in size_t also? Moreover, it should be trivial to check for overflow before computing n (both from the sum and from *2) by using SIZE_MAX. It should fail only if any intermediate step overflows size_t.
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #10 from Markus Trippelsdorf --- Patches should be posted to: gcc-patc...@gcc.gnu.org
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #9 from Marcel Böhme --- Created attachment 37839 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37839=edit Proposed Patch * Limiting the length of the mangled string to 264k characters. * Limiting the loop iterations to 256 (max. of C++ function parameters).
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Marcel Böhme changed: What|Removed |Added Severity|normal |major --- Comment #8 from Marcel Böhme --- Downstream: * Valgrind: https://bugs.kde.org/show_bug.cgi?id=359181 * GDB: https://sourceware.org/bugzilla/show_bug.cgi?id=19597 * Binutils: https://sourceware.org/bugzilla/show_bug.cgi?id=19571
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Markus Trippelsdorf changed: What|Removed |Added Severity|major |normal
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #5 from Marcel Böhme --- Created attachment 37612 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37612=edit Debug This
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Manuel López-Ibáñez changed: What|Removed |Added CC||manu at gcc dot gnu.org --- Comment #6 from Manuel López-Ibáñez --- (In reply to Marcel Böhme from comment #5) > Created attachment 37612 [details] > Debug This Scary.
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #7 from Marcel Böhme --- Created attachment 37620 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37620=edit Valgrind This $ cat compileme.c #include #include const char* X00020A___R0020A__U000R03000N_020A__K000(){ char *p; p = (char *) malloc(19); p = (char *) malloc(12); free(p); p = (char *) malloc(16); return "Hello World!"; } int main() { printf("%s\n",X00020A___R0020A__U000R03000N_020A__K000()); return 0; } $ g++ compileme.c -o temp $ sed -b s/Z68/_20/g temp > valgrindme $ chmod u+x valgrindme $ ./valgrindme Hello World! $ valgrind --leak-check=yes ./valgrindme .. $ gdb ./valgrindme ..
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #4 from Marcel Böhme --- Here is my preliminary analysis: The function demangle_args (cplus-dem.c:4424) parses the (crafted) mangled function args from the binary. In line 4452, r is read from mangled. In line 4491, we enter a loop with r iterations. In line 4498, arg is parsed from mangled (always from the same region). In each loop iteration arg is appended to decl, such that the length of decl grows in each iteration. The function string_appends (cplus-dem.c:4820) appends string arg to string decl. In line 4827, it uses string_need to check whether sufficient memory is allocated in decl to append arg. Then, it memcopies whatever is in arg to the end of decl. The function string_need (cplus-dem.c:4751) checks whether sufficient memory is available to append size-of-arg more characters. If not, xrealloc decl with n=2*(length of decl + length of arg) characters. Since n is a signed int, n wraps over at some iteration. Since, realloc expects n to be unsigned, we end up allocating less memory then actually needed. In the beginning though n is too large and xrealloc simply complains. However, if you play a bit with the length of arg, you'll quickly turn that integer overflow in a buffer overflow. Later, string_appends will memcopy whatever arg contains. In our simple test case the relevant bits in the binary are specified the binary (arbitrarily): r = 8000, arg = "A__\235\235\235_N" of length 020. A particularly malicious attacker could craft an executable that executes when *analysed* by objdump, nm or gdb, or any other libbfd / libiberty - based forensics tool (if the demangling option is switched on). -- Marcel Böhme Postdoctoral Researcher TSUNAMi Security Research Lab National University of Singapore
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 Markus Trippelsdorf changed: What|Removed |Added CC||trippels at gcc dot gnu.org Component|c |c++ --- Comment #2 from Markus Trippelsdorf --- I don't think it makes much sense to fuzz the demangler with arbitrary binary files. This isn't some daemon that runs 24/7 and is vulnerable to buffer overflow attacks.
[Bug c/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #1 from Marcel Böhme --- Created attachment 37593 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37593=edit Test Case #2
[Bug c++/69687] Buffer Overflow in libiberty
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 --- Comment #3 from Marcel Böhme --- Hi Markus, Indeed, it depends on the use case. I find it quite unsettling to know that common digital forensics tools, such as gdb and objdump, are vulnerable to execute arbitrary code. How much credibility would a virus scanner have that installs a virus only because it *scanned* a malicious software? Best regards, - Marcel