[Bug binutils/30546] New: Submitted 5 older versions crashed, but it's been resolved in the new version.

https://sourceware.org/bugzilla/show_bug.cgi?id=30546

            Bug ID: 30546
           Summary: Submitted 5 older versions crashed, but it's been
                    resolved in the new version.
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: fengzhengzhan at gmail dot com
  Target Milestone: ---

Created attachment 14929
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14929&action=edit
Includes 5 crashes.

Hello, I am reporting to you 5 vulnerabilities that existed in older versions of the software, but have been fixed in newer versions. However, I still feel that I should report this to you, so I apologize for taking up your time.

- # Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in remember_type() at cplus-dem.c:4263.

When I was in the process of comparing experiments on the program for fuzzing, I found a heap buffer overflow in the binutils-2_26_1 version of c++filt at function remember_type in cplus-dem.c:4263. But this crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```

2. compile libming with ASAN

```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```

3. command for reproducing the error

```
./c++filt_asan @poc
```

Download poc: [binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem4263.zip]()

## ASAN report

1. binutils-2_26_1 version.

```
=
==15635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020002b at pc 0x0043812d bp 0x7fffe720 sp 0x7fffded0
READ of size 1 at 0x6020002b thread T0
    #0 0x43812c in __interceptor_memcpy.part.0 /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:810:5
    #1 0x6c7371 in remember_type /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4263:3
    #2 0x6c84fe in do_arg /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4236:3
    #3 0x6c7f66 in demangle_args /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4514:9
    #4 0x6c6a45 in demangle_signature /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1642:18
    #5 0x6c33ef in internal_cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1203:14
    #6 0x6c1af9 in cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:886:9
    #7 0x4fb7a0 in demangle_it /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:62:12
    #8 0x4fb12e in main /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:227:4
    #9 0x77bf3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x41d53d in _start (/home/fzz/Desktop/STFGFuzz/Programs/cxxflit-CVE-2016-6131/code_Bin/cxxflit-CVE-2016-6131+0x41d53d)

0x6020002b is located 5 bytes to the left of 8-byte region [0x60200030,0x60200038)
allocated by thread T0 here:
    #0 0x4c30af in malloc /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x6ebed9 in xmalloc /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x6bcdcc in demangle_template /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:2157:27
    #3 0x6c692a in demangle_signature /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1625:18
    #4 0x6c33ef in internal_cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1203:14
    #5 0x6c1af9 in cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:886:9
    #6 0x4fb7a0 in demangle_it /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:62:12
    #7 0x4fb12e in main /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binu
```
[Bug binutils/30267] New: Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.

https://sourceware.org/bugzilla/show_bug.cgi?id=30267

            Bug ID: 30267
           Summary: Report a solved crash. In binutils-2_26_1 of c++filt,
                    heap buffer overflow in demangle_prefix() at
                    cplus-dem.c:2744.
           Product: binutils
           Version: 2.26
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: fengzhengzhan at gmail dot com
  Target Milestone: ---

Created attachment 14774
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14774&action=edit
poc

# Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in demangle_prefix() at cplus-dem.c:2744.

When I was in the process of comparing experiments on the program for fuzzing, I found a heap buffer overflow in the binutils-2_26_1 version of c++filt at function demangle_prefix in cplus-dem.c:2744. But this crash has been fixed in the binutils-2_40 version. However, I still feel that I should report this to you, so I apologize for taking up your time.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```

2. compile libming with ASAN

```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```

3. command for reproducing the error

```
./c++filt_asan @poc
```

Download poc: [poc](https://github.com/fengzhengzhan/FzzVul/blob/main/c%2B%2Bfilt/binutils-gdb_c%2B%2Bflit226_heap-buffer-overflow_cplus-dem2744)

## ASAN report

1. binutils-2_26_1 version.

```
root@2413df779df0:~/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin# ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem2744
o_2__S0A4X530rE_;00
=
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001a at pc 0x00439b84 bp 0x7fff173aa870 sp 0x7fff173aa020
READ of size 1 at 0x6020001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
    #2 0x5f24ae in internal_cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:1199:14
    #3 0x5f191b in cplus_demangle /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:886:9
    #4 0x4f46ac in demangle_it /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:62:12
    #5 0x4f42ef in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:227:4
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41bfc9 in _start (/root/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin/c++filt_asan+0x41bfc9)

0x6020001a is located 0 bytes to the right of 10-byte region [0x60200010,0x6020001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
    #2 0x608909 in xstrdup /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xstrdup.c:34:24
    #3 0x600faf in buildargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:271:17
    #4 0x601382 in expandargv /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./argv.c:435:14
    #5 0x4f4162 in main /root/compiler1804/binutils-gdb-binutils-2_26_1/binutils/cxxfilt.c:181:3
    #6 0x7f5e26e7bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00[02]fa fa 00 07 fa fa fd fa fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd
```
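Both reports above (bug 30546 and bug 30267) arrive as raw AddressSanitizer output, and the reporter mentions five such crashes. The following triage helper is an added example, not part of either report or of binutils: it parses the report format shown above into the facts needed to bucket crashes (bug class, access kind and size, distance from the nearest heap region, the top in-project frame as a deduplication key, and the in-project allocation site). The sample input is a constructed subset of the lines from the bug 30267 report; the "skip anything under compiler-rt" rule is an assumption that fits these traces.

```python
import re
# Constructed sample: key lines of the ASAN report from bug 30267 above,
# trimmed to the parts the triage logic needs.
SAMPLE = """\
==112308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001a at pc 0x00439b84 bp 0x7fff173aa870 sp 0x7fff173aa020
READ of size 1 at 0x6020001a thread T0
    #0 0x439b83 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x5f2eb6 in demangle_prefix /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./cplus-dem.c:2744:7
    #7 0x41bfc9 in _start (/root/compiler1804/binutils-gdb-binutils-2_26_1/obj-bc/bin/c++filt_asan+0x41bfc9)
0x6020001a is located 0 bytes to the right of 10-byte region [0x60200010,0x6020001a)
allocated by thread T0 here:
    #0 0x4ae5e0 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x6087d7 in xmalloc /root/compiler1804/binutils-gdb-binutils-2_26_1/libiberty/./xmalloc.c:147:12
"""
HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
# Frame: "#N 0xADDR in FUNC PATH:LINE[:COL]" or "#N 0xADDR in FUNC (MODULE+0xOFF)".
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?(?::\d+)?$")


def first_project_frame(frames):
    """Skip sanitizer-runtime and module+offset frames: they are the same for every crash."""
    for func, path, line in frames:
        if "compiler-rt" in path or path.startswith("("):
            continue
        return func, path.rsplit("/", 1)[-1], line
    return None


def triage(report):
    """Reduce one ASAN report to a dict of the facts a triager needs."""
    out = {"frames": [], "alloc": []}
    bucket = "frames"                  # frames go here until the allocation stack starts
    for raw in report.splitlines():
        line = raw.strip()
        if m := HEADER.search(line):
            out["bug"], out["addr"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m.group(1), int(m.group(2))
        elif m := REGION.search(line):
            out["offset"], out["side"], out["region"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith("allocated by thread"):
            bucket = "alloc"
        elif m := FRAME.search(line):
            out[bucket].append((m.group(1), m.group(2), m.group(3)))
    top = first_project_frame(out["frames"])
    out["key"] = f"{out['bug']}:{top[0]}:{top[1]}:{top[2]}" if top else None
    site = first_project_frame(out["alloc"])
    out["alloc_site"] = f"{site[0]}:{site[1]}:{site[2]}" if site else None
    return out
```

Running `triage(SAMPLE)` yields the key `heap-buffer-overflow:demangle_prefix:cplus-dem.c:2744`; feeding the bug 30546 trace the same way keys it on `remember_type:cplus-dem.c:4263`, which is how two of the reporter's five crashes are told apart without reading the whole trace.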
[Bug binutils/29707] binutils c++filt reads a file with the first character \x00, it will wait for input and cause the program to block.

https://sourceware.org/bugzilla/show_bug.cgi?id=29707

--- Comment #2 from 烽征战 ---
Thanks for your patience!

nickc at redhat dot com wrote on Friday, 21 October 2022 at 18:35:

> https://sourceware.org/bugzilla/show_bug.cgi?id=29707
>
> Nick Clifton changed:
>
>            What    |Removed                     |Added
>          Resolution|---                         |NOTABUG
>              Status|UNCONFIRMED                 |RESOLVED
>                  CC|                            |nickc at redhat dot com
>
> --- Comment #1 from Nick Clifton ---
> Hi,
>
> This is not a bug, it is expected behaviour.
>
> c++filt has two modes of operation. If it is given strings on its command
> line then it decodes them one at a time and then exits. If it is not given
> any strings to decode then it reads from the standard input stream and
> decodes each line until it sees an end-of-file marker.
>
> Command line options do not count as strings to decode, so running
> "c++filt --types" for example will still cause the program to read from
> the standard input. In addition c++filt supports the @-file syntax,
> allowing command line options and strings to decode to be placed into a
> file and then passed to c++filt via a command line option of @.
>
> So in your test case, running: "c++filt @c++filt/crash01_timeout" causes
> the contents of c++filt/crash01_timeout to be read and processed. Since
> the file is expected to contain text, not binary, any nul character (\x00)
> is treated as an end-of-file marker, and processing will stop at that
> character.
>
> Hence when the first character of c++filt/crash01_timeout is a nul
> character the entire file is treated as if it were empty, and the logic in
> c++filt sees that no strings were provided on the command line, and hence
> it starts to read from stdin, waiting for the user to provide input to
> decode.
>
> When the first character of c++filt/crash01_timeout is not a nul character
> the file is treated as having some contents which are passed back to
> c++filt to decode, and so once that is done c++filt terminates.
>
> Cheers
>   Nick
>
> --
> You are receiving this mail because:
> You reported the bug.

--
You are receiving this mail because:
You are on the CC list for the bug.
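The comment above explains the two-mode behaviour that made the reporter's fuzzing harness see a hang. The following model is an added example, not binutils or libiberty code: it reproduces the decision Nick describes (expand @-files, stop at the first nul byte, ignore options, and fall back to stdin when no string is left to decode) so a harness author can predict which inputs will block. Assumptions: an @-file is split into arguments on whitespace, and an @name with no such file is left as a literal argument; the file contents are constructed.

```python
def expand_argfile(data):
    """Model of expanding one @file: stop at the first nul byte, split on whitespace."""
    nul = data.find(b"\x00")
    text = data if nul < 0 else data[:nul]      # nul acts as end-of-file
    return text.decode("ascii", errors="replace").split()


def plan(argv, argfiles):
    """Decide what c++filt will do with this command line (model, not the real code).

    argv     -- arguments after the program name
    argfiles -- constructed stand-in for the filesystem: name -> file bytes
    An @name argument is replaced by the expanded contents of that file.
    Options (leading '-') are not strings to decode, so if no non-option
    argument is left the tool reads symbols from stdin and may block.
    """
    expanded = []
    for arg in argv:
        if arg.startswith("@") and arg[1:] in argfiles:
            expanded.extend(expand_argfile(argfiles[arg[1:]]))
        else:
            expanded.append(arg)                 # plain string, option, or unreadable @file
    options = [a for a in expanded if a.startswith("-")]
    symbols = [a for a in expanded if not a.startswith("-")]
    return {"options": options, "symbols": symbols,
            "source": "argv" if symbols else "stdin"}


# Constructed argument files mirroring the report: a mangled name behind a
# leading nul byte (the blocking case), the same name with a nul after it,
# and a plain file that also carries an option.
FILES = {
    "crash01_timeout": b"\x00_Z3foov\n",
    "nul_later": b"_Z3foov\n\x00garbage\n",
    "plain": b"--types _Z3foov _Z3bari\n",
}


def demo():
    """Return where c++filt would take its input from, for each constructed file."""
    return {name: plan(["@" + name], FILES)["source"] for name in FILES}
```

For a fuzzing harness the practical consequence is to run the target with stdin redirected from /dev/null and under a timeout, so an empty or nul-led @-file shows up as an immediate exit rather than a false "hang" finding.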
[Bug binutils/29707] New: binutils c++filt reads a file with the first character \x00, it will wait for input and cause the program to block.

https://sourceware.org/bugzilla/show_bug.cgi?id=29707

            Bug ID: 29707
           Summary: binutils c++filt reads a file with the first character
                    \x00, it will wait for input and cause the program to
                    block.
           Product: binutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: fengzhengzhan at gmail dot com
  Target Milestone: ---

1) Overview:

When the first character of the file is \x00, c++filt reads the file and then waits for input, causing the file to block. If \x00 appears in other locations in the file, the program is not affected.

2) Steps to Reproduce:

> [Attack Vectors]
> 1. Download the crash file from https://github.com/fengzhengzhan/FzzVul
> 2. Executing the Command Line with c++filt @c++filt/crash01_timeout
> 3. The program will block.

Thank you.

3) Actual Results:

Reading the first character of the file causes the program to block and wait for input.

4) Expected Results:

Reads the characters in the file and immediately returns the parsed symbols.

5) Build Date & Hardware:

Build 2022-10-20 on ubuntu 20.04

6) Additional Information:

I have provided manual tracking reports.

cxxfilt.c:199:7
cxxfilt.c:210:3
cxxfilt.c:218:22
cxxfilt.c:219:7
cxxfilt.c:230:16
cxxfilt.c:232:9
cxxfilt.c:0:0
cxxfilt.c:242:11
cxxfilt.c:248:11
cxxfilt.c:253:7
cxxfilt.c:254:11
cxxfilt.c:255:2
cxxfilt.c:227:3
cxxfilt.c:230:16
cxxfilt.c:232:9