https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83495
Bug ID: 83495
Summary: Segmentation Fault - 63915465
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: security-tps at google dot com
Target Milestone: ---
Created attachment 42923
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=42923&action=edit
Dockerfile + PoC
Hello gcc team,
As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master
be62dcaa1771b5f2a47f0cfd78f89828f087efff).
To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/
TL;DR instructions:
* `mkdir project`
* `cp Dockerfile /path/to/project`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`
From another terminal, outside the container:
`docker cp /path/to/attached/reproducer
running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)
And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`
Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:
ASAN:DEADLYSIGNAL
=================================================================
==9==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000051a110 bp 0x7fff56532440 sp 0x7fff56532410 T0)
==9==The signal is caused by a READ memory access.
==9==Hint: address points to the zero page.
#0 0x51a10f in d_encoding
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:1332:46
#1 0x519dc7 in cplus_demangle_mangled_name
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:1230:7
#2 0x51edda in d_demangle_callback
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:6242:7
#3 0x51e8c8 in d_demangle
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:6293:12
#4 0x51e7db in cplus_demangle_v3
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:6450:10
#5 0x50a81a in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:880:13
#6 0x50847d in LLVMFuzzerTestOneInput
/fuzzing/binutils-gdb/build/../libiberty/demangle_fuzzer.cc:11:20
#7 0x5376ec in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x5376ec)
#8 0x536eae in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x536eae)
#9 0x530d0d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530d0d)
#10 0x5321df in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x5321df)
#11 0x530bbc in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530bbc)
#12 0x7fa7e9b152b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#13 0x41db69 in _start
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41db69)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/fuzzing/binutils-gdb/libiberty/cp-demangle.c:1332:46 in d_encoding
==9==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the
report
to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion
to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
