[Bug c++/69687] Buffer Overflow in libiberty

2016-05-19 Thread jakub at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #15 from Jakub Jelinek  ---
Author: jakub
Date: Thu May 19 12:05:41 2016
New Revision: 236456

URL: https://gcc.gnu.org/viewcvs?rev=236456=gcc=rev
Log:
Backported from mainline
2016-05-19  Jakub Jelinek  

PR c++/70498
* cp-demangle.c (d_expression_1): Formatting fix.

2016-05-02  Marcel Böhme  

PR c++/70498
* cp-demangle.c: Parse numbers as integer instead of long to avoid
overflow after sanity checks. Include  if available.
(INT_MAX): Define if necessary.
(d_make_template_param): Takes integer argument instead of long.
(d_make_function_param): Likewise.
(d_append_num): Likewise.
(d_identifier): Likewise.
(d_number): Parse as and return integer.
(d_compact_number): Handle overflow.
(d_source_name): Change variable type to integer for parsed number.
(d_java_resource): Likewise.
(d_special_name): Likewise.
(d_discriminator): Likewise.
(d_unnamed_type): Likewise.
* testsuite/demangle-expected: Add regression test cases.

2016-04-08  Marcel Böhme  

PR c++/69687
* cplus-dem.c: Include  if available.
(INT_MAX): Define if necessary.
(remember_type, remember_Ktype, register_Btype, string_need):
Abort if we detect cases where we the size of the allocation would
overflow.

PR c++/70492
* cplus-dem.c (gnu_special): Handle case where consume_count returns
-1.

2016-03-31  Mikhail Maltsev  
Marcel Bohme  

PR c++/67394
PR c++/70481
* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
btypevec/ktypevec.
* testsuite/demangle-expected: Add coverage tests.

Modified:
branches/gcc-4_9-branch/libiberty/ChangeLog
branches/gcc-4_9-branch/libiberty/cp-demangle.c
branches/gcc-4_9-branch/libiberty/cplus-dem.c
branches/gcc-4_9-branch/libiberty/testsuite/demangle-expected

[Bug c++/69687] Buffer Overflow in libiberty

2016-05-19 Thread jakub at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #14 from Jakub Jelinek  ---
Author: jakub
Date: Thu May 19 10:44:31 2016
New Revision: 236452

URL: https://gcc.gnu.org/viewcvs?rev=236452=gcc=rev
Log:
Backported from mainline
2016-05-19  Jakub Jelinek  

PR c++/70498
* cp-demangle.c (d_expression_1): Formatting fix.

2016-05-02  Marcel Böhme  

PR c++/70498
* cp-demangle.c: Parse numbers as integer instead of long to avoid
overflow after sanity checks. Include  if available.
(INT_MAX): Define if necessary.
(d_make_template_param): Takes integer argument instead of long.
(d_make_function_param): Likewise.
(d_append_num): Likewise.
(d_identifier): Likewise.
(d_number): Parse as and return integer.
(d_compact_number): Handle overflow.
(d_source_name): Change variable type to integer for parsed number.
(d_java_resource): Likewise.
(d_special_name): Likewise.
(d_discriminator): Likewise.
(d_unnamed_type): Likewise.
* testsuite/demangle-expected: Add regression test cases.

2016-04-08  Marcel Böhme  

PR c++/69687
* cplus-dem.c: Include  if available.
(INT_MAX): Define if necessary.
(remember_type, remember_Ktype, register_Btype, string_need):
Abort if we detect cases where we the size of the allocation would
overflow.

PR c++/70492
* cplus-dem.c (gnu_special): Handle case where consume_count returns
-1.

2016-03-31  Mikhail Maltsev  
Marcel Bohme  

PR c++/67394
PR c++/70481
* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
btypevec/ktypevec.
* testsuite/demangle-expected: Add coverage tests.

Modified:
branches/gcc-5-branch/libiberty/ChangeLog
branches/gcc-5-branch/libiberty/cp-demangle.c
branches/gcc-5-branch/libiberty/cplus-dem.c
branches/gcc-5-branch/libiberty/testsuite/demangle-expected

[Bug c++/69687] Buffer Overflow in libiberty

2016-04-08 Thread bernds at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Bernd Schmidt  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 CC||bernds at gcc dot gnu.org
 Resolution|--- |FIXED

--- Comment #13 from Bernd Schmidt  ---
Fixed.

[Bug c++/69687] Buffer Overflow in libiberty

2016-04-08 Thread bernds at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #12 from Bernd Schmidt  ---
Author: bernds
Date: Fri Apr  8 12:10:21 2016
New Revision: 234829

URL: https://gcc.gnu.org/viewcvs?rev=234829=gcc=rev
Log:
Fix memory allocation size overflows (PR69687, patch by Marcel Böhme)

PR c++/69687
* cplus-dem.c: Include  if available.
(INT_MAX): Define if necessary.
(remember_type, remember_Ktype, register_Btype, string_need):
Abort if we detect cases where we the size of the allocation would
overflow.


Modified:
trunk/libiberty/ChangeLog
trunk/libiberty/cplus-dem.c

[Bug c++/69687] Buffer Overflow in libiberty

2016-03-02 Thread manu at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #11 from Manuel López-Ibáñez  ---
The policy of GNU software is to avoid arbitrary implementation limits whenever
possible.

(In reply to Marcel Böhme from comment #4)
> with n=2*(length of decl + length of arg) characters. Since n is a signed
> int, n wraps over at some iteration. Since, realloc expects n to be
> unsigned, we end up allocating less memory then actually needed. In the

Why n is signed if realloc expects it to be unsigned? Aren't the lengths
measured in size_t also? Moreover, it should be trivial to check for overflow
before computing n (both from the sum and from *2) by using SIZE_MAX. It should
fail only if any intermediate step overflows size_t.

[Bug c++/69687] Buffer Overflow in libiberty

2016-03-02 Thread trippels at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #10 from Markus Trippelsdorf  ---
Patches should be posted to: gcc-patc...@gcc.gnu.org

[Bug c++/69687] Buffer Overflow in libiberty

2016-03-02 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #9 from Marcel Böhme  ---
Created attachment 37839
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37839=edit
Proposed Patch

* Limiting the length of the mangled string to 264k characters.
* Limiting the loop iterations to 256 (max. of C++ function parameters).

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-10 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Marcel Böhme  changed:

   What|Removed |Added

   Severity|normal  |major

--- Comment #8 from Marcel Böhme  ---
Downstream:
* Valgrind: https://bugs.kde.org/show_bug.cgi?id=359181
* GDB: https://sourceware.org/bugzilla/show_bug.cgi?id=19597
* Binutils: https://sourceware.org/bugzilla/show_bug.cgi?id=19571

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-10 Thread trippels at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Markus Trippelsdorf  changed:

   What|Removed |Added

   Severity|major   |normal

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-06 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #5 from Marcel Böhme  ---
Created attachment 37612
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37612=edit
Debug This

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-06 Thread manu at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Manuel López-Ibáñez  changed:

   What|Removed |Added

 CC||manu at gcc dot gnu.org

--- Comment #6 from Manuel López-Ibáñez  ---
(In reply to Marcel Böhme from comment #5)
> Created attachment 37612 [details]
> Debug This

Scary.

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-06 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #7 from Marcel Böhme  ---
Created attachment 37620
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37620=edit
Valgrind This

$ cat compileme.c
#include
#include

const char*
X00020A___R0020A__U000R03000N_020A__K000(){
  char *p;
  p = (char *) malloc(19);
  p = (char *) malloc(12);
  free(p);
  p = (char *) malloc(16);
  return "Hello World!";
}

int main()
{
  
printf("%s\n",X00020A___R0020A__U000R03000N_020A__K000());
   return 0;
}

$ g++ compileme.c -o temp
$ sed -b s/Z68/_20/g temp > valgrindme
$ chmod u+x valgrindme
$ ./valgrindme
Hello World!
$ valgrind --leak-check=yes ./valgrindme
..
$ gdb ./valgrindme
..

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-05 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #4 from Marcel Böhme  ---
Here is my preliminary analysis:
The function demangle_args (cplus-dem.c:4424) parses the (crafted) mangled
function args from the binary. In line 4452, r is read from mangled. In line
4491, we enter a loop with r iterations. In line 4498, arg is parsed from
mangled (always from the same region). In each loop iteration arg is appended
to decl, such that the length of decl grows in each iteration.

The function string_appends (cplus-dem.c:4820) appends string arg to string
decl. In line 4827, it uses string_need to check whether sufficient memory is
allocated in decl to append arg. Then, it memcopies whatever is in arg to the
end of decl.

The function string_need (cplus-dem.c:4751) checks whether sufficient memory is
available to append size-of-arg more characters. If not, xrealloc decl with
n=2*(length of decl + length of arg) characters. Since n is a signed int, n
wraps over at some iteration. Since, realloc expects n to be unsigned, we end
up allocating less memory then actually needed. In the beginning though n is
too large and xrealloc simply complains. However, if you play a bit with the
length of arg, you'll quickly turn that integer overflow in a buffer overflow.
Later, string_appends will memcopy whatever arg contains.

In our simple test case the relevant bits in the binary are specified the
binary (arbitrarily): r = 8000, arg = "A__\235\235\235_N" of
length 020.

A particularly malicious attacker could craft an executable that executes when
*analysed* by objdump, nm or gdb, or any other libbfd / libiberty - based
forensics tool (if the demangling option is switched on).

--
Marcel Böhme
Postdoctoral Researcher
TSUNAMi Security Research Lab
National University of Singapore

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-05 Thread trippels at gcc dot gnu.org 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Markus Trippelsdorf  changed:

   What|Removed |Added

 CC||trippels at gcc dot gnu.org
  Component|c   |c++

--- Comment #2 from Markus Trippelsdorf  ---
I don't think it makes much sense to fuzz the demangler with arbitrary binary
files.
This isn't some daemon that runs 24/7 and is vulnerable to buffer overflow
attacks.

[Bug c/69687] Buffer Overflow in libiberty

2016-02-05 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #1 from Marcel Böhme  ---
Created attachment 37593
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37593=edit
Test Case #2

[Bug c++/69687] Buffer Overflow in libiberty

2016-02-05 Thread boehme.marcel at gmail dot com 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

--- Comment #3 from Marcel Böhme  ---
Hi Markus,

Indeed, it depends on the use case. I find it quite unsettling to know that
common digital forensics tools, such as gdb and objdump, are vulnerable to
execute arbitrary code.

How much credibility would a virus scanner have that installs a virus only
because it *scanned* a malicious software?

Best regards,
- Marcel