public inbox for gcc-bugs@sourceware.org
* [Bug c++/99188] New: cxxfilt may exist a uaf
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 3:04 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Bug ID: 99188
Summary: cxxfilt may exist a uaf
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: zyt1024 at bupt dot edu.cn
Target Milestone: ---
In version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.
# valgrind ./cxxfilt `cat
cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
==23618== Memcheck, a memory error detector
==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
==23618==
==23618== Invalid write of size 4
==23618== at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==23618== by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
==23618== by 0x8139739: do_type (cplus-dem.c:3771)
==23618== by 0x813A5B4: do_arg (cplus-dem.c:4231)
==23618== by 0x813ADA9: demangle_args (cplus-dem.c:4514)
==23618== by 0x8135A90: demangle_signature (cplus-dem.c:1642)
==23618== by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
==23618== by 0x8134466: cplus_demangle (cplus-dem.c:886)
==23618== by 0x8049A23: demangle_it (cxxfilt.c:62)
==23618== by 0x8049E21: main (cxxfilt.c:227)
==23618== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23618==
==23618==
..
^ permalink raw reply [flat|nested] 10+ messages in thread
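As an added triage aid (not part of the bug report or of binutils), the parser below reads the Memcheck record quoted above and classifies the fault from Valgrind's address description: a write to page zero, as in this trace, is a NULL-pointer write rather than the use-after-free the title suggests. The sample input is the report from comment #0 embedded inline with some middle frames dropped; the function and regex names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed sample: the Memcheck record from comment #0, embedded inline
# (middle frames dropped) so the parser runs offline.
MEMCHECK_REPORT = """\
==23618== Invalid write of size 4
==23618==    at 0x813A8E5: register_Btype (cplus-dem.c:4319)
==23618==    by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
==23618==    by 0x8049E21: main (cxxfilt.c:227)
==23618==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^Address (0x[0-9A-Fa-f]+) is (.+)$")

@dataclass
class MemcheckError:
    access: str                 # "read" or "write"
    size: int                   # bytes accessed
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, file:line)
    address: Optional[int] = None
    address_note: str = ""      # Valgrind's description of the faulting address

    def classify(self) -> str:
        """Map Valgrind's address description to a bug class for triage."""
        if self.address is not None and self.address < 4096:
            return "null-deref"           # page zero: NULL or NULL + small offset
        if "inside a block" in self.address_note and "free'd" in self.address_note:
            return "use-after-free"       # access lands inside a freed heap block
        if re.search(r"(after|before) a block .* alloc'd", self.address_note):
            return "heap-out-of-bounds"   # adjacent to a live heap block
        return "unclassified"

def parse_memcheck(report: str) -> Optional[MemcheckError]:
    """Parse the first 'Invalid read/write' record of a Memcheck text report."""
    err = None
    for raw in report.splitlines():
        m = re.match(r"^==\d+==\s*(.*)$", raw)   # strip the "==PID==" prefix
        body = m.group(1).strip() if m else ""
        if err is None:                          # still looking for the error header
            e = ERROR_RE.match(body)
            if e:
                err = MemcheckError(access=e.group(1), size=int(e.group(2)))
        elif (f := FRAME_RE.match(body)):        # stack frame, innermost first
            err.frames.append((f.group(1), f.group(2)))
        elif (a := ADDR_RE.match(body)):         # address line closes the record
            err.address, err.address_note = int(a.group(1), 16), a.group(2)
            break
    return err
```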
* [Bug c++/99188] cxxfilt may exist a uaf
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 3:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
--- Comment #1 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
(In reply to zhangyuntao from comment #0)
> In the version 2.26 of cxxfilt, Valgrind reports an invalid write of size 4.
>
> # valgrind ./cxxfilt `cat
> cxxfilt_12.29-12.30-24h-run3/error_level/level-2-double-54-g165.txt`
> ==23618== Memcheck, a memory error detector
> ==23618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==23618== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==23618== Command: ./cxxfilt $_Q9AEKm__RQ3______xewx_x6_$$[G_O2_2C__:
> ==23618==
> ==23618== Invalid write of size 4
> ==23618== at 0x813A8E5: register_Btype (cplus-dem.c:4319)
> ==23618== by 0x8138B02: demangle_qualified (cplus-dem.c:3287)
> ==23618== by 0x8139739: do_type (cplus-dem.c:3771)
> ==23618== by 0x813A5B4: do_arg (cplus-dem.c:4231)
> ==23618== by 0x813ADA9: demangle_args (cplus-dem.c:4514)
> ==23618== by 0x8135A90: demangle_signature (cplus-dem.c:1642)
> ==23618== by 0x8134D07: internal_cplus_demangle (cplus-dem.c:1203)
> ==23618== by 0x8134466: cplus_demangle (cplus-dem.c:886)
> ==23618== by 0x8049A23: demangle_it (cxxfilt.c:62)
> ==23618== by 0x8049E21: main (cxxfilt.c:227)
> ==23618== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==23618==
> ==23618==
> ..
* [Bug demangler/99188] cxxfilt may exist a uaf
From: marxin at gcc dot gnu.org @ 2021-02-22 9:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
CC| |marxin at gcc dot gnu.org
Status|UNCONFIRMED |WAITING
Last reconfirmed| |2021-02-22
--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Please attach the input.
* [Bug demangler/99188] cxxfilt may exist a uaf
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 10:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
--- Comment #3 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
Created attachment 50230
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50230&action=edit
PoC
* [Bug demangler/99188] cxxfilt may exist a uaf
From: marxin at gcc dot gnu.org @ 2021-02-22 10:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|WAITING |NEW
Keywords| |ice-on-invalid-code
--- Comment #4 from Martin Liška <marxin at gcc dot gnu.org> ---
Ok, the input is a garbage.
* [Bug demangler/99188] cxxfilt may exist a uaf
From: zyt1024 at bupt dot edu.cn @ 2021-02-22 12:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
--- Comment #5 from zhangyuntao <zyt1024 at bupt dot edu.cn> ---
“Ok, the input is a garbage.”
Do you mean the input is not a crash to cxxfilt? Why does the program crash?
* [Bug demangler/99188] cxxfilt may exist a uaf
From: marxin at gcc dot gnu.org @ 2021-02-22 13:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to zhangyuntao from comment #5)
> “Ok, the input is a garbage.”
> Do you mean the input is not a crash to cxxfilt? Why does the program crash?
It likely makes cxxfilt crash. I'm just saying it's likely a product of a
fuzzer and it's very unlikely to be fixed.
* [Bug demangler/99188] cxxfilt may exist a uaf
From: matz at gcc dot gnu.org @ 2021-12-06 15:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Michael Matz <matz at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
CC| |matz at gcc dot gnu.org
--- Comment #7 from Michael Matz <matz at gcc dot gnu.org> ---
Actually, it _is_ fixed. This problem report is about version 2.26, which is
many years old. Current versions don't have this problem, at the very least when
the problematic code was removed whole-sale in late 2018/early 2019.
* [Bug demangler/99188] cxxfilt may exist a uaf
From: nickc at gcc dot gnu.org @ 2021-12-14 14:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Nick Clifton <nickc at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nickc at gcc dot gnu.org
--- Comment #8 from Nick Clifton <nickc at gcc dot gnu.org> ---
(In reply to Michael Matz from comment #7)
> Actually, it _is_ fixed. This problem report is about version 2.26, which is
> many years old. Current versions don't have this problem, at the very least when
> the problematic code was removed whole-sale in late 2018/early 2019.
Just checked - the problem is fixed in 2.27 and all later versions....
* [Bug demangler/99188] cxxfilt may exist a uaf
From: pmayorov at cloudlinux dot com @ 2021-12-19 21:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188
Pavel Mayorov <pmayorov at cloudlinux dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pmayorov at cloudlinux dot com
--- Comment #9 from Pavel Mayorov <pmayorov at cloudlinux dot com> ---
If it's still important for someone, then this is a duplicate of bug 67394
(CVE-2016-4487), which was solved by bug 70481 (CVE-2016-4488). So for version
2.26 use the patch
https://gcc.gnu.org/git/?p=gcc.git;a=patch;h=9e6edb946c0e9a2c530fbae3eeace148eca0de33.