OOM bug in cxxfilt (binutils-2.30-15ubuntu1)

Bug #1763101 reported by Sergej Schumilo on 2018-04-11
Affects: binutils (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dear all,
The following binutils cxxfilt OOM bug was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the input and an ASAN report.

Steps to reproduce:

Build current version of binutils:

```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./cxxfilt -t < oom
```

We can verify this issue for cxxfilt binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils") on an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz server machine with 32GB RAM.

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
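As an added triage helper (not part of the reporter's material or of binutils/Ubuntu): the reproduction above feeds a fuzzer-generated input to cxxfilt under ASAN, and on a shared machine a runaway demangle can exhaust memory for the whole host before ASAN prints anything. The script below runs the same `cxxfilt -t < input` command under an RLIMIT_AS address-space cap and a wall-clock timeout, then classifies the outcome (clean exit, error such as a failed allocation, signal kill, or timeout). It assumes the demangler is reachable as `c++filt` (the name under which Ubuntu installs cxxfilt; the `demangler` parameter overrides it), that the input file path is given on the command line, and it uses a constructed memory hog for its self-check so it runs without the attachment.

```python
"""Run a demangler (or any command) on one input under an address-space cap.

Triage helper for out-of-memory reports such as the cxxfilt one above:
rather than letting a runaway demangle eat all RAM, cap the child's address
space with RLIMIT_AS and a wall-clock timeout, then classify what happened.
"""
import resource
import subprocess
import sys

MIB = 1024 * 1024


def _limit_address_space(cap_bytes: int):
    """Build a preexec_fn that applies the RLIMIT_AS cap in the child before exec."""
    def apply():
        resource.setrlimit(resource.RLIMIT_AS, (cap_bytes, cap_bytes))
    return apply


def run_bounded(argv, stdin_bytes: bytes, cap_mib: int = 1024, timeout_s: float = 30.0) -> dict:
    """Run argv with stdin_bytes under an RLIMIT_AS cap and a timeout.

    Verdicts:
      "ok"      -> exited 0 within limits
      "error"   -> non-zero exit (includes allocation failures hitting the cap)
      "killed"  -> terminated by a signal (e.g. SIGABRT from ASAN, SIGSEGV)
      "timeout" -> did not finish within timeout_s
      "missing" -> the executable could not be found
    """
    try:
        proc = subprocess.run(
            argv,
            input=stdin_bytes,
            capture_output=True,
            timeout=timeout_s,
            preexec_fn=_limit_address_space(cap_mib * MIB),
        )
    except subprocess.TimeoutExpired:
        return {"verdict": "timeout", "returncode": None, "stderr": b""}
    except FileNotFoundError:
        return {"verdict": "missing", "returncode": None, "stderr": b""}

    if proc.returncode == 0:
        verdict = "ok"
    elif proc.returncode < 0:
        verdict = "killed"  # subprocess reports a signal death as -signum
    else:
        verdict = "error"
    return {"verdict": verdict, "returncode": proc.returncode, "stderr": proc.stderr}


def demangle_bounded(path: str, cap_mib: int = 1024, demangler: str = "c++filt") -> dict:
    """Feed the file at `path` to the demangler the way the report does (`cxxfilt -t < oom`),
    but with the address-space cap in place. `demangler` is an assumed binary name."""
    with open(path, "rb") as f:
        data = f.read()
    return run_bounded([demangler, "-t"], data, cap_mib=cap_mib)


def self_check() -> str:
    """Constructed stand-in for the real input: a child that tries to allocate
    4 GiB must fail under the 1 GiB default cap and be classified as 'error'."""
    hog = [sys.executable, "-c", "bytearray(4 << 30)"]
    return run_bounded(hog, b"")["verdict"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = demangle_bounded(sys.argv[1])
        print(result["verdict"], result["returncode"])
        sys.stderr.buffer.write(result["stderr"][:2000])
    else:
        print("self-check:", self_check())
```

Run it as `python3 bounded_demangle.py oom` next to the attached input; an "error" or "killed" verdict with an allocation failure or ASAN report in stderr reproduces the finding without the process growing past the cap. The same wrapper is a reasonable way to contain any tool that demangles attacker-controlled symbol names as part of a build or analysis pipeline.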


Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

Please report this issue to the upstream binutils developers by filing a bug at https://sourceware.org/bugzilla/

Once the binutils team has evaluated the issue, and a proper fix is available, we will release a security update for Ubuntu.

Seth Arnold (seth-arnold) wrote :

Reported to libiberty developers:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453

information type: Private Security → Public Security
Changed in binutils (Ubuntu):
status: New → Confirmed
Kamlesh Kumar (kamleshbhalui) wrote :

It is fixed in binutils 2.32.
Should we backport it to 2.30?

Kamlesh Kumar (kamleshbhalui) wrote :

Here is the changelog which fixes this.

```
2018-12-22 Jason Merrill <email address hidden>

        Remove support for demangling GCC 2.x era mangling schemes.
        * cplus-dem.c: Remove cplus_mangle_opname, cplus_demangle_opname,
        internal_cplus_demangle, and all subroutines.
        (libiberty_demanglers): Remove entries for ancient GNU (pre-3.0),
        Lucid, ARM, HP, and EDG demangling styles.
        (cplus_demangle): Remove 'work' variable. Don't call
        internal_cplus_demangle.
```
