Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Tue, 2021-10-12 at 15:40 -0400, Eric Gallager wrote:
> On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira wrote:
> >
> > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > > >
> > > > > > > I can help with the autotools part if you can say how precisely you'd
> > > > > > > like to use them to add address sanitization. And as for the OSS
> > > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it once,
> > > > > > > but the main bottleneck was getting the bug reports that it generated
> > > > > > > properly triaged, so if you could make sure the bug-submitting portion
> > > > > > > of the process is properly streamlined, that'd probably go a long way
> > > > > > > towards helping it be useful.
> > > > > >
> > > > > > Bugs are normally reported by email or mailing list. Is there any
> > > > > > writable mailing list to publish bugs or is it strictly needed to open
> > > > > > an entry on bugzilla?
> > > > > >
> > > > >
> > > > > Please open an issue on bugzilla, fixes towards it can then be
> > > > > referenced in the commit message/patch posted here.
> > > > >
> > > > > Iain.
> > > >
> > > > You mean for this current issue? The discussion was about future bug
> > > > reports reported by the OSS fuzzer workers. I can also open an issue on
> > > > the bugzilla for this issue, please clarify it and let me know :)
> > > >
> > >
> > > 1. Open one for this issue.
> > >
> > > 2. Bugs found by the fuzzer would report to bugzilla.
> > > https://gcc.gnu.org/bugs/
> > >
> > > Iain.
> >
> > Cross referencing the created issue:
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
> >
> > --
> > Sincerely,
> > Luís Ferreira @ lsferreira.net
> >
>
> Right, I found the previous time someone tried to set up an autofuzzer
> to report bugs to GCC's Bugzilla; searching for bugs reported by
> security-...@google.com on Bugzilla should find them:
> https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com_to1=1=1=1=1=substring_id=326459_format=advanced

Good! Do you know how and where this is being handled? I didn't find
anything related to GCC/libiberty on the OSS fuzz repository. Existing
resources on that can be useful to build on top of instead of designing
something from scratch.

I also took a look at the fuzzer included in GCC, but it doesn't include
any heuristic.

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira wrote:
>
> On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > >
> > > > > > I can help with the autotools part if you can say how precisely you'd
> > > > > > like to use them to add address sanitization. And as for the OSS
> > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it once,
> > > > > > but the main bottleneck was getting the bug reports that it generated
> > > > > > properly triaged, so if you could make sure the bug-submitting portion
> > > > > > of the process is properly streamlined, that'd probably go a long way
> > > > > > towards helping it be useful.
> > > > >
> > > > > Bugs are normally reported by email or mailing list. Is there any
> > > > > writable mailing list to publish bugs or is it strictly needed to open
> > > > > an entry on bugzilla?
> > > > >
> > > >
> > > > Please open an issue on bugzilla, fixes towards it can then be
> > > > referenced in the commit message/patch posted here.
> > > >
> > > > Iain.
> > >
> > > You mean for this current issue? The discussion was about future bug
> > > reports reported by the OSS fuzzer workers. I can also open an issue on
> > > the bugzilla for this issue, please clarify it and let me know :)
> > >
> >
> > 1. Open one for this issue.
> >
> > 2. Bugs found by the fuzzer would report to bugzilla.
> > https://gcc.gnu.org/bugs/
> >
> > Iain.
>
> Cross referencing the created issue:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
>
> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>

Right, I found the previous time someone tried to set up an autofuzzer
to report bugs to GCC's Bugzilla; searching for bugs reported by
security-...@google.com on Bugzilla should find them:
https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com_to1=1=1=1=1=substring_id=326459_format=advanced
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > >
> > > > > I can help with the autotools part if you can say how precisely you'd
> > > > > like to use them to add address sanitization. And as for the OSS
> > > > > fuzz part, I think someone tried setting up auto-fuzzing for it once,
> > > > > but the main bottleneck was getting the bug reports that it generated
> > > > > properly triaged, so if you could make sure the bug-submitting portion
> > > > > of the process is properly streamlined, that'd probably go a long way
> > > > > towards helping it be useful.
> > > >
> > > > Bugs are normally reported by email or mailing list. Is there any
> > > > writable mailing list to publish bugs or is it strictly needed to open
> > > > an entry on bugzilla?
> > > >
> > >
> > > Please open an issue on bugzilla, fixes towards it can then be
> > > referenced in the commit message/patch posted here.
> > >
> > > Iain.
> >
> > You mean for this current issue? The discussion was about future bug
> > reports reported by the OSS fuzzer workers. I can also open an issue on
> > the bugzilla for this issue, please clarify it and let me know :)
> >
>
> 1. Open one for this issue.
>
> 2. Bugs found by the fuzzer would report to bugzilla.
> https://gcc.gnu.org/bugs/
>
> Iain.

Cross referencing the created issue:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
>> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
>> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>> > >
>> > > I can help with the autotools part if you can say how precisely you'd
>> > > like to use them to add address sanitization. And as for the OSS
>> > > fuzz part, I think someone tried setting up auto-fuzzing for it once,
>> > > but the main bottleneck was getting the bug reports that it generated
>> > > properly triaged, so if you could make sure the bug-submitting portion
>> > > of the process is properly streamlined, that'd probably go a long way
>> > > towards helping it be useful.
>> >
>> > Bugs are normally reported by email or mailing list. Is there any
>> > writable mailing list to publish bugs or is it strictly needed to open
>> > an entry on bugzilla?
>> >
>>
>> Please open an issue on bugzilla, fixes towards it can then be
>> referenced in the commit message/patch posted here.
>>
>> Iain.
>
> You mean for this current issue? The discussion was about future bug
> reports reported by the OSS fuzzer workers. I can also open an issue on
> the bugzilla for this issue, please clarify it and let me know :)
>

1. Open one for this issue.

2. Bugs found by the fuzzer would report to bugzilla.
https://gcc.gnu.org/bugs/

Iain.
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > >
> > > I can help with the autotools part if you can say how precisely you'd
> > > like to use them to add address sanitization. And as for the OSS
> > > fuzz part, I think someone tried setting up auto-fuzzing for it once,
> > > but the main bottleneck was getting the bug reports that it generated
> > > properly triaged, so if you could make sure the bug-submitting portion
> > > of the process is properly streamlined, that'd probably go a long way
> > > towards helping it be useful.
> >
> > Bugs are normally reported by email or mailing list. Is there any
> > writable mailing list to publish bugs or is it strictly needed to open
> > an entry on bugzilla?
> >
>
> Please open an issue on bugzilla, fixes towards it can then be
> referenced in the commit message/patch posted here.
>
> Iain.

You mean for this current issue? The discussion was about future bug
reports reported by the OSS fuzzer workers. I can also open an issue on
the bugzilla for this issue, please clarify it and let me know :)

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>>
>> I can help with the autotools part if you can say how precisely you'd
>> like to use them to add address sanitization. And as for the OSS
>> fuzz part, I think someone tried setting up auto-fuzzing for it once,
>> but the main bottleneck was getting the bug reports that it generated
>> properly triaged, so if you could make sure the bug-submitting portion
>> of the process is properly streamlined, that'd probably go a long way
>> towards helping it be useful.
>
> Bugs are normally reported by email or mailing list. Is there any
> writable mailing list to publish bugs or is it strictly needed to open
> an entry on bugzilla?
>

Please open an issue on bugzilla, fixes towards it can then be
referenced in the commit message/patch posted here.

Iain.
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira wrote:
> >
> > On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> > >
> > >
> > > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > > >
> > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > > On 22/09/2021 03:10 Luís Ferreira wrote:
> > > > > > >
> > > > > > >
> > > > > > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > > > > > maliciously used to cause denial of service, such as intentional
> > > > > > > crashes by accessing a reserved memory space.
> > > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Thanks for this. Is there a test that could trigger this code path?
> > > > > I don't think Luis has commit privs, so I went ahead and committed
> > > > > this patch.
> > > > >
> > > > > Yea, a testcase would be great.
> > > > >
> > > > > Jeff
> > > > >
> > > > Does the test suite run against address sanitization? If yes, I can
> > > > submit a patch to make this fail, otherwise it is hard to trigger a
> > > > consistent crash for this issue.
> > > Unfortunately, no it doesn't run with sanitization. If it's too painful
> > > to create a test, don't worry about it. It happens from time to time.
> > >
> > > jeff
> >
> > I would like to add address sanitization if I knew how GCC autotools
> > work but I think this is a better fit when I invest some time
> > implementing something to OSS fuzz and build some infrastructure for
> > fuzzing parts of the GCC.
> >
>
> I can help with the autotools part if you can say how precisely you'd
> like to use them to add address sanitization. And as for the OSS
> fuzz part, I think someone tried setting up auto-fuzzing for it once,
> but the main bottleneck was getting the bug reports that it generated
> properly triaged, so if you could make sure the bug-submitting portion
> of the process is properly streamlined, that'd probably go a long way
> towards helping it be useful.

Bugs are normally reported by email or mailing list. Is there any
writable mailing list to publish bugs or is it strictly needed to open
an entry on bugzilla?

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira wrote:
>
> On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> >
> >
> > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > >
> > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > On 22/09/2021 03:10 Luís Ferreira wrote:
> > > > > >
> > > > > >
> > > > > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > > > > maliciously used to cause denial of service, such as intentional
> > > > > > crashes by accessing a reserved memory space.
> > > > > >
> > > > > Hi,
> > > > >
> > > > > Thanks for this. Is there a test that could trigger this code path?
> > > > I don't think Luis has commit privs, so I went ahead and committed
> > > > this patch.
> > > >
> > > > Yea, a testcase would be great.
> > > >
> > > > Jeff
> > > >
> > > Does the test suite run against address sanitization? If yes, I can
> > > submit a patch to make this fail, otherwise it is hard to trigger a
> > > consistent crash for this issue.
> > Unfortunately, no it doesn't run with sanitization. If it's too painful
> > to create a test, don't worry about it. It happens from time to time.
> >
> > jeff
>
> I would like to add address sanitization if I knew how GCC autotools
> work but I think this is a better fit when I invest some time
> implementing something to OSS fuzz and build some infrastructure for
> fuzzing parts of the GCC.
>

I can help with the autotools part if you can say how precisely you'd
like to use them to add address sanitization. And as for the OSS
fuzz part, I think someone tried setting up auto-fuzzing for it once,
but the main bottleneck was getting the bug reports that it generated
properly triaged, so if you could make sure the bug-submitting portion
of the process is properly streamlined, that'd probably go a long way
towards helping it be useful.

> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
>
>
> On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > >
> > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > On 22/09/2021 03:10 Luís Ferreira wrote:
> > > > >
> > > > >
> > > > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > > > maliciously used to cause denial of service, such as intentional
> > > > > crashes by accessing a reserved memory space.
> > > > >
> > > > Hi,
> > > >
> > > > Thanks for this. Is there a test that could trigger this code path?
> > > I don't think Luis has commit privs, so I went ahead and committed
> > > this patch.
> > >
> > > Yea, a testcase would be great.
> > >
> > > Jeff
> > >
> > Does the test suite run against address sanitization? If yes, I can
> > submit a patch to make this fail, otherwise it is hard to trigger a
> > consistent crash for this issue.
> Unfortunately, no it doesn't run with sanitization. If it's too painful
> to create a test, don't worry about it. It happens from time to time.
>
> jeff

I would like to add address sanitization if I knew how GCC autotools
work but I think this is a better fit when I invest some time
implementing something to OSS fuzz and build some infrastructure for
fuzzing parts of the GCC.

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> >
> > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > On 22/09/2021 03:10 Luís Ferreira wrote:
> > > >
> > > >
> > > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > > maliciously used to cause denial of service, such as intentional
> > > > crashes by accessing a reserved memory space.
> > > >
> > > Hi,
> > >
> > > Thanks for this. Is there a test that could trigger this code path?
> > I don't think Luis has commit privs, so I went ahead and committed
> > this patch.
> >
> > Yea, a testcase would be great.
> >
> > Jeff
> >
> Does the test suite run against address sanitization? If yes, I can
> submit a patch to make this fail, otherwise it is hard to trigger a
> consistent crash for this issue.

Unfortunately, no it doesn't run with sanitization. If it's too painful
to create a test, don't worry about it. It happens from time to time.

jeff
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
>
>
> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > On 22/09/2021 03:10 Luís Ferreira wrote:
> > >
> > >
> > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > maliciously used to cause denial of service, such as intentional
> > > crashes by accessing a reserved memory space.
> > >
> > Hi,
> >
> > Thanks for this. Is there a test that could trigger this code path?
> I don't think Luis has commit privs, so I went ahead and committed
> this patch.
>
> Yea, a testcase would be great.
>
> Jeff
>

Does the test suite run against address sanitization? If yes, I can
submit a patch to make this fail, otherwise it is hard to trigger a
consistent crash for this issue.

--
Sincerely,
Luís Ferreira @ lsferreira.net
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > On 22/09/2021 03:10 Luís Ferreira wrote:
> >
> >
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes by accessing a reserved memory space.
> >
> Hi,
>
> Thanks for this. Is there a test that could trigger this code path?

I don't think Luis has commit privs, so I went ahead and committed this
patch.

Yea, a testcase would be great.

Jeff
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
Hi,

Here is an example of a crafted mangle that can cause a heap buffer overflow.

```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG4EQe
5f 44 32 46 47 57 47 34 34 34 34 34 34 34 34 34  |_D2FGWG4|
0010 34 34 34 34 34 34 34 34 45 51 65 0a           |EQe.|
001c
```

Here is an example of a crafted mangle that can cause a stack buffer overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_Qe
5f 44 38 65 65 32 5f 31 31 31 31 51 65  |_D8ee2_Qe|
000d
```

Even though this triggers UB by reading/writing other memory space, I
couldn't find a situation where this constantly fails, although, if
running with an address + UB sanitizer this can be easily caught and
replicated with some confidence. I didn't add this to the test suite
because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuc...@gdcproject.org wrote:
> > On 22/09/2021 03:10 Luís Ferreira wrote:
> >
> >
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes by accessing a reserved memory space.
> >
>
> Hi,
>
> Thanks for this. Is there a test that could trigger this code path?
>
> Iain.
>
> > Signed-off-by: Luís Ferreira
> > ---
> >  libiberty/d-demangle.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
> >
> >    /* Must point to a simple identifier. */
> >    backref = dlang_number (backref, );
> > -  if (backref == NULL)
> > +  if (backref == NULL || strlen(backref) < len)
> >      return NULL;
> >
> >    backref = dlang_lname (decl, backref, len);

--
Sincerely,
Luís Ferreira @ lsferreira.net
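Added example, written for this thread; it is not libiberty's code and does not implement the real D mangling grammar. It models the single check the patch adds (a claimed identifier length must not exceed the bytes left in the NUL-terminated input) on the two crash inputs posted above, and wraps it in a libFuzzer-style entry point of the kind the OSS-Fuzz/ASan discussion elsewhere in the thread is about. Everything here is an assumption of mine: the decimal length prefix (as in `8ee2_`), the names `demo_number`, `demo_symbol_backref` and the harness, and the hand-picked positions in the driver, which land on length prefixes rather than decoding the real `Q` backreferences.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a decimal length prefix at P (assumption: decimal, as the
   "8ee2_" and "2FGWG" prefixes in the posted inputs suggest).  Returns
   a pointer to the byte after the digits, or NULL if there is no digit
   or the value would not fit in size_t. */
static const char *
demo_number (const char *p, size_t *out)
{
  size_t n = 0;

  if (p == NULL || *p < '0' || *p > '9')
    return NULL;
  for (; *p >= '0' && *p <= '9'; p++)
    {
      if (n > (SIZE_MAX - 9) / 10)
        return NULL;            /* length would overflow: reject */
      n = n * 10 + (size_t) (*p - '0');
    }
  *out = n;
  return p;
}

/* Resolve a length-prefixed identifier that starts POS bytes into
   MANGLED, the way a backreference target is consumed.  Copies it into
   OUT (OUTSZ bytes) and returns a pointer just past it, or NULL on
   malformed input.  The second clause of the guard mirrors the patch:
   without it, a length larger than the remaining bytes would make the
   memcpy below read past the end of the buffer. */
const char *
demo_symbol_backref (const char *mangled, size_t pos, char *out, size_t outsz)
{
  const char *backref;
  size_t len;

  if (pos > strlen (mangled))
    return NULL;
  backref = demo_number (mangled + pos, &len);
  if (backref == NULL || strlen (backref) < len)   /* the patched check */
    return NULL;
  if (len >= outsz)
    return NULL;                /* caller's buffer too small */
  memcpy (out, backref, len);
  out[len] = '\0';
  return backref + len;
}

/* libFuzzer-style entry point (assumption: the harness shape OSS-Fuzz
   expects; nothing in the thread prescribes it).  It NUL-terminates the
   fuzzer input and tries every position as a backreference target; this
   is the loop under which -fsanitize=address,undefined reports an
   unchecked read deterministically, which is the reproducibility problem
   raised above. */
int
LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{
  char *buf = malloc (size + 1);
  char ident[256];
  size_t pos;

  if (buf == NULL)
    return 0;
  memcpy (buf, data, size);
  buf[size] = '\0';
  for (pos = 0; pos <= size; pos++)
    demo_symbol_backref (buf, pos, ident, sizeof ident);
  free (buf);
  return 0;
}

/* Stand-alone driver over the two crash inputs from this message and one
   well-formed name.  Positions are chosen by hand (constructed) to land
   on the length prefixes; they are not the offsets the real backrefs
   encode. */
int
main (void)
{
  static const char heap_case[] = "_D2FGWG44444444444444444EQe";
  static const char stack_case[] = "_D8ee2_1111Qe";
  char ident[64];

  printf ("%s\n", demo_symbol_backref ("3foo3bar", 0, ident, sizeof ident) ? ident : "(rejected)");
  printf ("%s\n", demo_symbol_backref (heap_case, 7, ident, sizeof ident) ? ident : "(rejected)");
  printf ("%s\n", demo_symbol_backref (stack_case, 7, ident, sizeof ident) ? ident : "(rejected)");
  return 0;
}
```

On the heap case the digits after position 7 parse to a length far larger than the three bytes that remain, on the stack case `1111` is claimed with only `Qe` left, and both are rejected with NULL instead of being copied. Note that `strlen (backref)` rescans the rest of the input for every target; a decoder that resolves many backreferences would carry an end pointer and compare `end - backref` instead.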
Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
> On 22/09/2021 03:10 Luís Ferreira wrote:
>
>
> Currently a stack/heap overflow may happen if a crafted mangle is
> maliciously used to cause denial of service, such as intentional
> crashes by accessing a reserved memory space.
>

Hi,

Thanks for this. Is there a test that could trigger this code path?

Iain.

> Signed-off-by: Luís Ferreira
> ---
>  libiberty/d-demangle.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> index a2152cc65518..7ded3e2a2563 100644
> --- a/libiberty/d-demangle.c
> +++ b/libiberty/d-demangle.c
> @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
>
>    /* Must point to a simple identifier. */
>    backref = dlang_number (backref, );
> -  if (backref == NULL)
> +  if (backref == NULL || strlen(backref) < len)
>      return NULL;
>
>    backref = dlang_lname (decl, backref, len);
[PATCH] libiberty: prevent buffer overflow when decoding user input
Currently a stack/heap overflow may happen if a crafted mangle is
maliciously used to cause denial of service, such as intentional crashes
by accessing a reserved memory space.

Signed-off-by: Luís Ferreira
---
 libiberty/d-demangle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
index a2152cc65518..7ded3e2a2563 100644
--- a/libiberty/d-demangle.c
+++ b/libiberty/d-demangle.c
@@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
 
   /* Must point to a simple identifier. */
   backref = dlang_number (backref, );
-  if (backref == NULL)
+  if (backref == NULL || strlen(backref) < len)
     return NULL;
 
   backref = dlang_lname (decl, backref, len);
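Review bot: the new `strlen(backref) < len` guard in the `dlang_symbol_backref` hunk is the right bound, but it walks the remainder of `mangled` on every backreference, so a long name with many backreferences pays a full rescan for each one; carrying the input's end pointer down and comparing `end - backref < len` would make the check O(1). Two smaller points: the file's GNU style puts a space before the parenthesis, as the neighbouring `dlang_number (backref, ...)` and `dlang_lname (decl, backref, len)` calls do, so this should read `strlen (backref)`; and the change ships without a test, even though an input whose claimed length exceeds the remaining bytes is exactly what the new condition rejects, so a regression case in the demangler test data would pin the fix down.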