[Bug binutils/23767] New: Out of Memory problem caused by Integer Overflow in c++filt
From: wcventure at 126 dot com
Subject: [Bug binutils/23767] New: Out of Memory problem caused by Integer Overflow in c++filt
Date: Fri, 12 Oct 2018 20:25:04 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=23767
Bug ID: 23767
Summary: Out of Memory problem caused by Integer Overflow in c++filt
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11321
--> https://sourceware.org/bugzilla/attachment.cgi?id=11321&action=edit
POC_input
Hi. We are doing research on fuzz testing. Our fuzzer caught an Out of Memory
problem in the program c++filt of the latest binutils (v2.31.1) code base; a
malicious input of format strings will cause LargeMmapAllocator faults, and
I have confirmed it with AddressSanitizer too. This bug is caused by integer
overflow.
The way to reproduce the bug:
I have provided the POC file and the
input (_rttt4tttt6__H7666666666666666666__c). Please use "./c++filt < $POC"
to reproduce the bug. Another way to reproduce this bug is to type "c++filt
_rttt4tttt6__H7666666666666666666__c" directly. If you have any questions,
please let me know.
ASAN dumps the stack trace as follows:
cplus-dem.c:3597:10: runtime error: signed integer overflow: 766666666 * 10
cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
==13543==WARNING: AddressSanitizer failed to allocate 0xfffffffd6ff55550 bytes
==13543==AddressSanitizer's allocator is terminating the process instead of
returning 0
==13543==If you don't like this behavior set allocator_may_return_null=1
==13543==AddressSanitizer CHECK failed:
/build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
"((0)) != (0)" (0x0, 0x0)
#0 0x4c2a2d (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c2a2d)
#1 0x4c9653 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c9653)
#2 0x4c71d6 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c71d6)
#3 0x41efec (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x41efec)
#4 0x4b9401 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4b9401)
#5 0x21e42be (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x21e42be)
#6 0x1ffc3b7 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1ffc3b7)
#7 0x1fe8a17 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fe8a17)
#8 0x2039f37 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x2039f37)
#9 0x1fcbb2c (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fcbb2c)
#10 0x1fb8b23 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fb8b23)
#11 0x4eef03 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4eef03)
#12 0x4ed203 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4ed203)
#13 0x7f49e9d5182f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x419318 (/binutils_latest_AFL_ASAN/build/bin/c++filt+0x419318)
Aborted
--
You are receiving this mail because:
You are on the CC list for the bug.
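The report above boils down to a count parser that accumulates decimal digits with `count * 10 + digit` and only notices the problem after the signed multiplication has already overflowed, at which point the wrapped value is handed to the allocator. The following is an added example written for this page, not binutils' or libiberty's own code: it shows the defensive pattern of checking the bound before multiplying, and of capping a length prefix by the bytes actually left in the input. The function names (`parse_count_checked`, `take_prefixed_component`, `count_is_sane`) are hypothetical, and the two inputs are constructed to resemble the shape of the reported POC rather than being taken from it.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse a run of decimal digits at *p into *out and advance *p past them.
   The bound is checked before every multiplication, so the value never
   exceeds `limit` (limit <= INT_MAX) and signed overflow cannot occur.
   Returns 0 on success, -1 when there are no digits or the value would
   exceed the limit (the remaining digits are still consumed so a caller
   can skip the bad component). */
static int parse_count_checked(const char **p, int limit, int *out)
{
    const char *s = *p;
    int count = 0;

    if (!isdigit((unsigned char)*s))
        return -1;

    while (isdigit((unsigned char)*s)) {
        int digit = *s - '0';
        int room = limit - digit;
        /* count * 10 + digit > limit  <=>  room < 0 || count > room / 10
           (room / 10 is exact for the comparison once room >= 0). */
        if (room < 0 || count > room / 10) {
            while (isdigit((unsigned char)*s))
                s++;
            *p = s;
            return -1;
        }
        count = count * 10 + digit;
        s++;
    }
    *p = s;
    *out = count;
    return 0;
}

/* Extract one length-prefixed component ("4tttt" -> "tttt") from a
   mangled-style string.  The count is bounded by the bytes that remain
   after the digits, so an absurd length can never reach an allocation
   or a copy.  Returns the component length, or -1 on a bad count. */
static int take_prefixed_component(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t digits_len = strspn(s, "0123456789");
    size_t remaining = strlen(s + digits_len);
    int limit = remaining > (size_t)INT_MAX ? INT_MAX : (int)remaining;
    int count;

    if (parse_count_checked(&s, limit, &count) != 0)
        return -1;
    if ((size_t)count + 1 > outsz)
        return -1;
    memcpy(out, s, (size_t)count);
    out[count] = '\0';
    *p = s + count;
    return count;
}

/* 1 when the leading count of `s` names a component that fits in the
   input, 0 when it overflows or overruns the bytes that are left. */
static int count_is_sane(const char *s)
{
    char buf[64];
    const char *p = s;
    return take_prefixed_component(&p, buf, sizeof buf) >= 0;
}

int main(void)
{
    /* Constructed inputs: the second mirrors the shape of the reported
       POC, a digit run far beyond INT_MAX followed by a short tail. */
    const char *ok = "4tttt6__H";
    const char *bad = "7666666666666666666__c";
    char buf[64];
    const char *p = ok;
    int n = take_prefixed_component(&p, buf, sizeof buf);

    printf("%s -> component \"%s\" (%d bytes), rest \"%s\"\n", ok, buf, n, p);
    printf("%s -> %s\n", bad,
           count_is_sane(bad) ? "accepted" : "rejected (count overflow)");
    return 0;
}
```

The bound is computed from what is left in the string rather than from INT_MAX alone: a length prefix larger than the remaining input is malformed whether or not it overflows, so the check rejects both the overflowing POC-style digit run and a merely oversized count such as "5abc" before any size reaches an allocator. Building with `-fsanitize=undefined` is a cheap way to confirm that the checked parser performs no overflowing arithmetic on the same inputs.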