[Bug c++/99188] New: cxxfilt may exist a uaf

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug c++/99188] New: cxxfilt may exist a uaf
@ 2021-02-22  3:04 zyt1024 at bupt dot edu.cn
  2021-02-22  3:06 ` [Bug c++/99188] " zyt1024 at bupt dot edu.cn
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: zyt1024 at bupt dot edu.cn @ 2021-02-22  3:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

            Bug ID: 99188
           Summary: cxxfilt may exist a uaf
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zyt1024 at bupt dot edu.cn
  Target Milestone: ---

In the version 2.26 of cxxfilt, Valgrind reports an invalid write of size.

# valgrind ./cxxfilt `cat
cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
==23618== Memcheck, a memory error detector
==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
==23618==
==23618== Invalid write of size 4
==23618==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==23618==    by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
==23618==    by 0x8139739: do_type (cplus-dem.c:3771)
==23618==    by 0x813A5B4: do_arg (cplus-dem.c:4231)
==23618==    by 0x813ADA9: demangle_args (cplus-dem.c:4514)
==23618==    by 0x8135A90: demangle_signature (cplus-dem.c:1642)
==23618==    by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
==23618==    by 0x8134466: cplus_demangle (cplus-dem.c:886)
==23618==    by 0x8049A23: demangle_it (cxxfilt.c:62)
==23618==    by 0x8049E21: main (cxxfilt.c:227)
==23618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23618==
==23618==
..

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug c++/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
@ 2021-02-22  3:06 ` zyt1024 at bupt dot edu.cn
  2021-02-22  9:53 ` [Bug demangler/99188] " marxin at gcc dot gnu.org
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: zyt1024 at bupt dot edu.cn @ 2021-02-22  3:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

--- Comment #1 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
(In reply to zhangyuntao from comment #0)
> In the version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.
> 
> # valgrind ./cxxfilt `cat
> cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
> ==23618== Memcheck, a memory error detector
> ==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
> ==23618==
> ==23618== Invalid write of size 4
> ==23618==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
> ==23618==    by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
> ==23618==    by 0x8139739: do_type (cplus-dem.c:3771)
> ==23618==    by 0x813A5B4: do_arg (cplus-dem.c:4231)
> ==23618==    by 0x813ADA9: demangle_args (cplus-dem.c:4514)
> ==23618==    by 0x8135A90: demangle_signature (cplus-dem.c:1642)
> ==23618==    by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
> ==23618==    by 0x8134466: cplus_demangle (cplus-dem.c:886)
> ==23618==    by 0x8049A23: demangle_it (cxxfilt.c:62)
> ==23618==    by 0x8049E21: main (cxxfilt.c:227)
> ==23618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==23618==
> ==23618==
> ..

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
  2021-02-22  3:06 ` [Bug c++/99188] " zyt1024 at bupt dot edu.cn
@ 2021-02-22  9:53 ` marxin at gcc dot gnu.org
  2021-02-22 10:00 ` zyt1024 at bupt dot edu.cn
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-02-22  9:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
                 CC|                            |marxin at gcc dot gnu.org
             Status|UNCONFIRMED                 |WAITING
   Last reconfirmed|                            |2021-02-22

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Please attach the input.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
  2021-02-22  3:06 ` [Bug c++/99188] " zyt1024 at bupt dot edu.cn
  2021-02-22  9:53 ` [Bug demangler/99188] " marxin at gcc dot gnu.org
@ 2021-02-22 10:00 ` zyt1024 at bupt dot edu.cn
  2021-02-22 10:09 ` marxin at gcc dot gnu.org
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 10:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

--- Comment #3 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
Created attachment 50230
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50230&action=edit
PoC

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (2 preceding siblings ...)
  2021-02-22 10:00 ` zyt1024 at bupt dot edu.cn
@ 2021-02-22 10:09 ` marxin at gcc dot gnu.org
  2021-02-22 12:53 ` zyt1024 at bupt dot edu.cn
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-02-22 10:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
           Keywords|                            |ice-on-invalid-code

--- Comment #4 from Martin Liška <marxin at gcc dot gnu.org> ---
Ok, the input is a garbage.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (3 preceding siblings ...)
  2021-02-22 10:09 ` marxin at gcc dot gnu.org
@ 2021-02-22 12:53 ` zyt1024 at bupt dot edu.cn
  2021-02-22 13:07 ` marxin at gcc dot gnu.org
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 12:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

--- Comment #5 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
“Ok, the input is a garbage.” 
Do you mean the input is not a crash to cxxfilt? Why does the program crash?

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (4 preceding siblings ...)
  2021-02-22 12:53 ` zyt1024 at bupt dot edu.cn
@ 2021-02-22 13:07 ` marxin at gcc dot gnu.org
  2021-12-06 15:59 ` matz at gcc dot gnu.org
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-02-22 13:07 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to zhangyuntao from comment #5)
> “Ok, the input is a garbage.” 
> Do you mean the input is not a crash to cxxfilt? Why does the program crash?

It likely makes cxxfilt crashing. I'm just saying it's likely a product of a
fuzzer and it's very unlikely to be fixed.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (5 preceding siblings ...)
  2021-02-22 13:07 ` marxin at gcc dot gnu.org
@ 2021-12-06 15:59 ` matz at gcc dot gnu.org
  2021-12-14 14:47 ` nickc at gcc dot gnu.org
  2021-12-19 21:11 ` pmayorov at cloudlinux dot com
  8 siblings, 0 replies; 10+ messages in thread
From: matz at gcc dot gnu.org @ 2021-12-06 15:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Michael Matz <matz at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 CC|                            |matz at gcc dot gnu.org

--- Comment #7 from Michael Matz <matz at gcc dot gnu.org> ---
Actually, it _is_ fixed.  This problem report is about version 2.26, which is
many
years old.  Current versions don't have this problem, at the very least when
the problematic code was removed whole-sale in late 2018/early 2019.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (6 preceding siblings ...)
  2021-12-06 15:59 ` matz at gcc dot gnu.org
@ 2021-12-14 14:47 ` nickc at gcc dot gnu.org
  2021-12-19 21:11 ` pmayorov at cloudlinux dot com
  8 siblings, 0 replies; 10+ messages in thread
From: nickc at gcc dot gnu.org @ 2021-12-14 14:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Nick Clifton <nickc at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nickc at gcc dot gnu.org

--- Comment #8 from Nick Clifton <nickc at gcc dot gnu.org> ---
(In reply to Michael Matz from comment #7)
> Actually, it _is_ fixed.  This problem report is about version 2.26, which
> is many
> years old.  Current versions don't have this problem, at the very least when
> the problematic code was removed whole-sale in late 2018/early 2019.

Just checked - the problem is fixed in 2.27 and all later versions....

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug demangler/99188] cxxfilt may exist a uaf
  2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
                   ` (7 preceding siblings ...)
  2021-12-14 14:47 ` nickc at gcc dot gnu.org
@ 2021-12-19 21:11 ` pmayorov at cloudlinux dot com
  8 siblings, 0 replies; 10+ messages in thread
From: pmayorov at cloudlinux dot com @ 2021-12-19 21:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Pavel Mayorov <pmayorov at cloudlinux dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pmayorov at cloudlinux dot com

--- Comment #9 from Pavel Mayorov <pmayorov at cloudlinux dot com> ---
If it's still important for someone, then this is a duplicate of bug 67394
(CVE-2016-4487), which was solved by bug 70481 (CVE-2016-4488). So for version
2.26 use the patch
https://gcc.gnu.org/git/?p=gcc.git;a=patch;h=9e6edb946c0e9a2c530fbae3eeace148eca0de33.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2021-12-19 21:11 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-22  3:04 [Bug c++/99188] New: cxxfilt may exist a uaf zyt1024 at bupt dot edu.cn
2021-02-22  3:06 ` [Bug c++/99188] " zyt1024 at bupt dot edu.cn
2021-02-22  9:53 ` [Bug demangler/99188] " marxin at gcc dot gnu.org
2021-02-22 10:00 ` zyt1024 at bupt dot edu.cn
2021-02-22 10:09 ` marxin at gcc dot gnu.org
2021-02-22 12:53 ` zyt1024 at bupt dot edu.cn
2021-02-22 13:07 ` marxin at gcc dot gnu.org
2021-12-06 15:59 ` matz at gcc dot gnu.org
2021-12-14 14:47 ` nickc at gcc dot gnu.org
2021-12-19 21:11 ` pmayorov at cloudlinux dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).