bug-binutils

[Bug binutils/23776] New: NULL deref in iterate_demangle_function (117536819)


From: security-tps at google dot com
Subject: [Bug binutils/23776] New: NULL deref in iterate_demangle_function (117536819)
Date: Mon, 15 Oct 2018 12:49:09 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23776

            Bug ID: 23776
           Summary: NULL deref in iterate_demangle_function (117536819)
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 11326
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11326&action=edit
artifacts

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master 673fe0f0a7a0624819f1b4cdc289f43691567e91).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:

```
unzip artifacts_117536819.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-117536819 autofuzz_117536819
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_117536819/poc-606ae8a2c7f8322fdfbbb8b89142c457f14d52dd65ae4a05becbc18619e68504_min:/tmp/poc autofuzz-binutils-117536819 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_117536819/poc-606ae8a2c7f8322fdfbbb8b89142c457f14d52dd65ae4a05becbc18619e68504_min:/tmp/poc -it autofuzz-binutils-117536819
```

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 3245898553
INFO: Loaded 0 modules (0 guards):
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-606ae8a2c7f8322fdfbbb8b89142c457f14d52dd65ae4a05becbc18619e68504
ASAN:DEADLYSIGNAL
=================================================================
==7==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3986f88676 bp 0x7ffc1870b420 sp 0x7ffc1870aba8 T0)
==7==The signal is caused by a READ memory access.
==7==Hint: address points to the zero page.
    #0 0x7f3986f88675 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x80675)
    #1 0x476d5c in __interceptor_strlen.part.31 (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x476d5c)
    #2 0x525619 in work_stuff_copy_to_from /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1345:17
    #3 0x52381f in iterate_demangle_function /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2731:3
    #4 0x51afe2 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #5 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #6 0x5215e2 in demangle_template_value_parm /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #7 0x51f238 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #8 0x51d439 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1628:14
    #9 0x523876 in iterate_demangle_function /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2743:14
    #10 0x51afe2 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #11 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #12 0x517a1d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #13 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #14 0x53fb8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53fb8e)
    #15 0x544097 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x544097)
    #16 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #17 0x7f3986f282e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #18 0x41f479 in _start (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41f479)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x80675) in strlen
==7==ABORTING
```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the
report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
in the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.


Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

-- 
You are receiving this mail because:
You are on the CC list for the bug.

