bug-binutils

[Bug binutils/23832] New: Memory Leak (118487342)


From: security-tps at google dot com
Subject: [Bug binutils/23832] New: Memory Leak (118487342)
Date: Fri, 26 Oct 2018 17:08:11 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23832

            Bug ID: 23832
           Summary: Memory Leak (118487342)
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 11367
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11367&action=edit
Proof of concept

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master
fd2b4de5e63ad5994baf9c57b5d0c49d1f1dd4e4).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:

```
unzip artifacts_118487342.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-118487342 autofuzz_118487342
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_118487342/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270_min:/tmp/poc autofuzz-binutils-118487342 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_118487342/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270_min:/tmp/poc -it autofuzz-binutils-118487342
```

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 1569119816
INFO: Loaded 0 modules (0 guards): 
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running:
/tmp/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10: runtime error: signed
integer overflow: 814616325 * 10 cannot be represented in type 'int'
    #0 0x520dbb in get_count
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10
    #1 0x51ee52 in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2221:8
    #2 0x51b9ad in gnu_special
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3057:18
    #3 0x51afbc in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1244:14
    #4 0x519f28 in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #5 0x5215e2 in demangle_template_value_parm
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #6 0x51f238 in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #7 0x528287 in demangle_fund_type
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #8 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #9 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #10 0x526682 in demangle_args
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #11 0x51d3c2 in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #12 0x523876 in iterate_demangle_function
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2743:14
    #13 0x51afe2 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #14 0x519f28 in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #15 0x5215e2 in demangle_template_value_parm
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #16 0x51f238 in demangle_template
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #17 0x528287 in demangle_fund_type
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #18 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #19 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #20 0x526682 in demangle_args
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #21 0x51d3c2 in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #22 0x523876 in iterate_demangle_function
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:2743:14
    #23 0x51afe2 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #24 0x519f28 in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #25 0x517a1d in LLVMFuzzerTestOneInput
/fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #26 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #27 0x53fb8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned
long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53fb8e)
    #28 0x544097 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x544097)
    #29 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #30 0x7f7194ce92e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #31 0x41f479 in _start
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41f479)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10 in 

```
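As an added defender's illustration, not code from the report or from libiberty: the UBSan trace shows the count accumulator in get_count() computing count * 10 on an int (814616325 * 10) past INT_MAX. The helper below parses the same kind of decimal count from a mangled-name cursor but bounds the accumulator before each step, so an oversized count is rejected instead of wrapping; the function names and the -1 failure convention are assumptions.

```c
/* Added illustration, not code from the report or from libiberty.
 * parse_count_checked reads a decimal count the way a demangler's count
 * routine would, but refuses to take the n * 10 + digit step once the
 * result could no longer fit in an int. */
#include <limits.h>
#include <stddef.h>

/* Parse a run of ASCII digits at *p into *count without signed overflow.
 * On success, advance *p past the digits and return 1. On an empty run or
 * a value that would exceed INT_MAX, leave *p untouched and return 0. */
int parse_count_checked(const char **p, int *count)
{
    const char *s = *p;
    int n = 0;

    if (*s < '0' || *s > '9')
        return 0;
    while (*s >= '0' && *s <= '9') {
        int digit = *s - '0';
        /* n * 10 + digit <= INT_MAX  <=>  n <= (INT_MAX - digit) / 10,
         * so this comparison is evaluated before any overflow can occur. */
        if (n > (INT_MAX - digit) / 10)
            return 0;
        n = n * 10 + digit;
        s++;
    }
    *count = n;
    *p = s;
    return 1;
}

/* Convenience wrapper (assumed name): the parsed count, or -1 when the
 * count is missing or would not fit in an int. */
int count_from(const char *s)
{
    int count;
    return parse_count_checked(&s, &count) ? count : -1;
}

/* Number of characters the count occupied, 0 when parsing failed, so a
 * caller can see that a rejected count leaves the cursor in place. */
int count_consumed(const char *s)
{
    const char *p = s;
    int count;
    return parse_count_checked(&p, &count) ? (int)(p - s) : 0;
}
```

The constructed input "8146163250" is the 814616325 * 10 step from the trace; the checked parser rejects it, while "2147483647" (exactly INT_MAX) is still accepted.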

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the
report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
in the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.


Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
