bug-binutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/21877] New: Memory leak in demangle


From: security-tps at google dot com
Subject: [Bug binutils/21877] New: Memory leak in demangle
Date: Tue, 01 Aug 2017 19:50:25 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21877

            Bug ID: 21877
           Summary: Memory leak in demangle
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 10299
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10299&action=edit
binutils docker file

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with master branch, 6dc8d7579d1857460 commit).  To reproduce
we are attaching a dockerfile to help compiling the project with the LLVM
taking advantage of the sanitizers that it offers.

Attached is a dockerfile that can be used for reproduction.  More information
about how to use the dockerfile can be found here: 
https://docs.docker.com/engine/reference/builder/
TL;DR instructions:
mkdir binutils
cp Dockerfile /path/to/binutils
docker build --no-cache /path/to/binutils
docker run -it <image id>
(from another terminal, outside the container):
docker cp /path/to/attached/reproducer <container id>:/fuzzing/
https://docs.docker.com/engine/reference/commandline/cp/
(back inside the container) /fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

==38==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4d5c48 in malloc
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4d5c48)
    #1 0x536e39 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x51783e in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2228:27
    #3 0x515fcd in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1691:18
    #4 0x5138e0 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #5 0x51265c in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #6 0x51013d in LLVMFuzzerTestOneInput
/fuzzing/binutils-gdb/build/../libiberty/demangle_fuzzer.cc:11:20
    #7 0x53f66c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f66c)

Indirect leak of 3 byte(s) in 3 object(s) allocated from:
    #0 0x4d5c48 in malloc
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4d5c48)
    #1 0x536e39 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x517d9b in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2327:31
    #3 0x515fcd in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1691:18
    #4 0x5138e0 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #5 0x51265c in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #6 0x51013d in LLVMFuzzerTestOneInput
/fuzzing/binutils-gdb/build/../libiberty/demangle_fuzzer.cc:11:20
    #7 0x53f66c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f66c)

SUMMARY: AddressSanitizer: 27 byte(s) leaked in 4 allocation(s). 

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we’d appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the
report to “Google Autofuzz project”.

We are also pleased to inform you that your project is eligible for inclusion
to the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don’t hesitate to let us know if you have any questions!

Google AutoFuzz Team

-- 
You are receiving this mail because:
You are on the CC list for the bug.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]