* [PATCH] libiberty: prevent buffer overflow when decoding user input @ 2021-09-22 1:10 Luís Ferreira 2021-09-23 10:16 ` ibuclaw 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-09-22 1:10 UTC (permalink / raw) To: gcc-patches [-- Attachment #1: Type: text/plain, Size: 810 bytes --] Currently a stack/heap overflow may happen if a crafted mangle is maliciously used to cause denial of service, such as intentional crashes by accessing a reserved memory space. Signed-off-by: Luís Ferreira <contact@lsferreira.net> --- libiberty/d-demangle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index a2152cc65518..7ded3e2a2563 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled, /* Must point to a simple identifier. */ backref = dlang_number (backref, &len); - if (backref == NULL) + if (backref == NULL || strlen(backref) < len) return NULL; backref = dlang_lname (decl, backref, len); [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-09-22 1:10 [PATCH] libiberty: prevent buffer overflow when decoding user input Luís Ferreira @ 2021-09-23 10:16 ` ibuclaw 2021-09-23 15:40 ` Luís Ferreira 2021-09-23 15:50 ` Jeff Law 0 siblings, 2 replies; 15+ messages in thread From: ibuclaw @ 2021-09-23 10:16 UTC (permalink / raw) To: lsferreira, Luís Ferreira, gcc-patches > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote: > > > Currently a stack/heap overflow may happen if a crafted mangle is > maliciously used to cause denial of service, such as intentional > crashes > by accessing a reserved memory space. > Hi, Thanks for this. Is there a test that could trigger this code path? Iain. > Signed-off-by: Luís Ferreira <contact@lsferreira.net> > --- > libiberty/d-demangle.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c > index a2152cc65518..7ded3e2a2563 100644 > --- a/libiberty/d-demangle.c > +++ b/libiberty/d-demangle.c > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char > *mangled, > > /* Must point to a simple identifier. */ > backref = dlang_number (backref, &len); > - if (backref == NULL) > + if (backref == NULL || strlen(backref) < len) > return NULL; > > backref = dlang_lname (decl, backref, len); ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-09-23 10:16 ` ibuclaw @ 2021-09-23 15:40 ` Luís Ferreira 2021-09-23 15:50 ` Jeff Law 1 sibling, 0 replies; 15+ messages in thread From: Luís Ferreira @ 2021-09-23 15:40 UTC (permalink / raw) To: ibuclaw, gcc-patches [-- Attachment #1: Type: text/plain, Size: 2156 bytes --] Hi, Here is an example of a crafted mangle that can cause heap buffer overflow. ``` fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b _D2FGWG44444444444444444EQe 00000000 5f 44 32 46 47 57 47 34 34 34 34 34 34 34 34 34 |_D2FGWG444444444| 00000010 34 34 34 34 34 34 34 34 45 51 65 0a |44444444EQe.| 0000001c ``` Here is an example of a crafted mangle that can cause stack buffer overflow. ``` fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae _D8ee2_1111Qe 00000000 5f 44 38 65 65 32 5f 31 31 31 31 51 65 |_D8ee2_1111Qe| 0000000d ``` Even though this triggers an UB by reading/writing other memory space, I couldn't find a situation where this constantly fails, although, if running with an address + UB sanitizer this can be easily catched and replicated with some confidence. I didn't add this to the test suite because of that. On Thu, 2021-09-23 at 12:16 +0200, ibuclaw@gdcproject.org wrote: > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote: > > > > > > Currently a stack/heap overflow may happen if a crafted mangle is > > maliciously used to cause denial of service, such as intentional > > crashes > > by accessing a reserved memory space. > > > > Hi, > > Thanks for this. Is there a test that could trigger this code path? > > Iain. > > > > Signed-off-by: Luís Ferreira <contact@lsferreira.net> > > --- > > libiberty/d-demangle.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c > > index a2152cc65518..7ded3e2a2563 100644 > > --- a/libiberty/d-demangle.c > > +++ b/libiberty/d-demangle.c > > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char > > *mangled, > > > > /* Must point to a simple identifier. */ > > backref = dlang_number (backref, &len); > > - if (backref == NULL) > > + if (backref == NULL || strlen(backref) < len) > > return NULL; > > > > backref = dlang_lname (decl, backref, len); -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-09-23 10:16 ` ibuclaw 2021-09-23 15:40 ` Luís Ferreira @ 2021-09-23 15:50 ` Jeff Law 2021-10-04 16:52 ` Luís Ferreira 1 sibling, 1 reply; 15+ messages in thread From: Jeff Law @ 2021-09-23 15:50 UTC (permalink / raw) To: ibuclaw, lsferreira, Luís Ferreira, gcc-patches On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: >> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote: >> >> >> Currently a stack/heap overflow may happen if a crafted mangle is >> maliciously used to cause denial of service, such as intentional >> crashes >> by accessing a reserved memory space. >> > Hi, > > Thanks for this. Is there a test that could trigger this code path? I don't think Luis has commit privs, so I went ahead and committed this patch. Yea, a testcase would be great. Jeff ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-09-23 15:50 ` Jeff Law @ 2021-10-04 16:52 ` Luís Ferreira 2021-10-05 15:00 ` Jeff Law 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-10-04 16:52 UTC (permalink / raw) To: Jeff Law, ibuclaw, gcc-patches [-- Attachment #1: Type: text/plain, Size: 895 bytes --] On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote: > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote: > > > > > > > > > Currently a stack/heap overflow may happen if a crafted mangle is > > > maliciously used to cause denial of service, such as intentional > > > crashes > > > by accessing a reserved memory space. > > > > > Hi, > > > > Thanks for this. Is there a test that could trigger this code > > path? > I don't think Luis has commit privs, so I went ahead and committed > this > patch. > > Yea, a testcase would be great. > > Jeff > Does the test suite runned against address sanitization? if yes, I can submit a patch to make this fail, otherwise it is hard to trigger a consistent crash for this issue. -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-04 16:52 ` Luís Ferreira @ 2021-10-05 15:00 ` Jeff Law 2021-10-05 17:26 ` Luís Ferreira 0 siblings, 1 reply; 15+ messages in thread From: Jeff Law @ 2021-10-05 15:00 UTC (permalink / raw) To: Luís Ferreira, ibuclaw, gcc-patches On 10/4/2021 10:52 AM, Luís Ferreira wrote: > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote: >> >> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: >>>> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote: >>>> >>>> >>>> Currently a stack/heap overflow may happen if a crafted mangle is >>>> maliciously used to cause denial of service, such as intentional >>>> crashes >>>> by accessing a reserved memory space. >>>> >>> Hi, >>> >>> Thanks for this. Is there a test that could trigger this code >>> path? >> I don't think Luis has commit privs, so I went ahead and committed >> this >> patch. >> >> Yea, a testcase would be great. >> >> Jeff >> > Does the test suite runned against address sanitization? if yes, I can > submit a patch to make this fail, otherwise it is hard to trigger a > consistent crash for this issue. Unfortunately, no it doesn't run with sanitization. If it's too painful to create a test, don't worry about it. It happens from time to time. jeff ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-05 15:00 ` Jeff Law @ 2021-10-05 17:26 ` Luís Ferreira 2021-10-06 1:49 ` Eric Gallager 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-10-05 17:26 UTC (permalink / raw) To: Jeff Law, ibuclaw, gcc-patches [-- Attachment #1: Type: text/plain, Size: 1550 bytes --] On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote: > > > On 10/4/2021 10:52 AM, Luís Ferreira wrote: > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote: > > > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: > > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> > > > > > wrote: > > > > > > > > > > > > > > > Currently a stack/heap overflow may happen if a crafted > > > > > mangle is > > > > > maliciously used to cause denial of service, such as > > > > > intentional > > > > > crashes > > > > > by accessing a reserved memory space. > > > > > > > > > Hi, > > > > > > > > Thanks for this. Is there a test that could trigger this code > > > > path? > > > I don't think Luis has commit privs, so I went ahead and > > > committed > > > this > > > patch. > > > > > > Yea, a testcase would be great. > > > > > > Jeff > > > > > Does the test suite runned against address sanitization? if yes, I > > can > > submit a patch to make this fail, otherwise it is hard to trigger a > > consistent crash for this issue. > Unfortunately, no it doesn't run with sanitization. If it's too > painful > to create a test, don't worry about it. It happens from time to > time. > > jeff I would like to add address sanitization if I knew how GCC autotools work but I think this is a better fit when I invest some time implementing something to OSS fuzz and build some infrastructure for fuzzing parts of the GCC. -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-05 17:26 ` Luís Ferreira @ 2021-10-06 1:49 ` Eric Gallager 2021-10-07 18:29 ` Luís Ferreira 0 siblings, 1 reply; 15+ messages in thread From: Eric Gallager @ 2021-10-06 1:49 UTC (permalink / raw) To: Luís Ferreira; +Cc: Jeff Law, ibuclaw, gcc-patches On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net> wrote: > > On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote: > > > > > > On 10/4/2021 10:52 AM, Luís Ferreira wrote: > > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote: > > > > > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: > > > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> > > > > > > wrote: > > > > > > > > > > > > > > > > > > Currently a stack/heap overflow may happen if a crafted > > > > > > mangle is > > > > > > maliciously used to cause denial of service, such as > > > > > > intentional > > > > > > crashes > > > > > > by accessing a reserved memory space. > > > > > > > > > > > Hi, > > > > > > > > > > Thanks for this. Is there a test that could trigger this code > > > > > path? > > > > I don't think Luis has commit privs, so I went ahead and > > > > committed > > > > this > > > > patch. > > > > > > > > Yea, a testcase would be great. > > > > > > > > Jeff > > > > > > > Does the test suite runned against address sanitization? if yes, I > > > can > > > submit a patch to make this fail, otherwise it is hard to trigger a > > > consistent crash for this issue. > > Unfortunately, no it doesn't run with sanitization. If it's too > > painful > > to create a test, don't worry about it. It happens from time to > > time. > > > > jeff > > I would like to add address sanitization if I knew how GCC autotools > work but I think this is a better fit when I invest some time > implementing something to OSS fuzz and build some infrastructure for > fuzzing parts of the GCC. > I can help with the autotools part if you can say how precisely you'd like to use them to add address sanitization. And as for the OSS fuzz part, I think someone tried setting up auto-fuzzing for it once, but the main bottleneck was getting the bug reports that it generated properly triaged, so if you could make sure the bug-submitting portion of the process is properly streamlined, that'd probably go a long way towards helping it be useful. > -- > Sincerely, > Luís Ferreira @ lsferreira.net > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-06 1:49 ` Eric Gallager @ 2021-10-07 18:29 ` Luís Ferreira 2021-10-08 16:52 ` Iain Buclaw 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-10-07 18:29 UTC (permalink / raw) To: Eric Gallager; +Cc: Jeff Law, ibuclaw, gcc-patches [-- Attachment #1: Type: text/plain, Size: 2575 bytes --] On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net> > wrote: > > > > On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote: > > > > > > > > > On 10/4/2021 10:52 AM, Luís Ferreira wrote: > > > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote: > > > > > > > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote: > > > > > > > On 22/09/2021 03:10 Luís Ferreira > > > > > > > <contact@lsferreira.net> > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > Currently a stack/heap overflow may happen if a crafted > > > > > > > mangle is > > > > > > > maliciously used to cause denial of service, such as > > > > > > > intentional > > > > > > > crashes > > > > > > > by accessing a reserved memory space. > > > > > > > > > > > > > Hi, > > > > > > > > > > > > Thanks for this. Is there a test that could trigger this > > > > > > code > > > > > > path? > > > > > I don't think Luis has commit privs, so I went ahead and > > > > > committed > > > > > this > > > > > patch. > > > > > > > > > > Yea, a testcase would be great. > > > > > > > > > > Jeff > > > > > > > > > Does the test suite runned against address sanitization? if > > > > yes, I > > > > can > > > > submit a patch to make this fail, otherwise it is hard to > > > > trigger a > > > > consistent crash for this issue. > > > Unfortunately, no it doesn't run with sanitization. If it's too > > > painful > > > to create a test, don't worry about it. It happens from time to > > > time. > > > > > > jeff > > > > I would like to add address sanitization if I knew how GCC > > autotools > > work but I think this is a better fit when I invest some time > > implementing something to OSS fuzz and build some infrastructure > > for > > fuzzing parts of the GCC. > > > > I can help with the autotools part if you can say how precisely you'd > like to use them to add address sanitization. And as for the OSS > fuzz part, I think someone tried setting up auto-fuzzing for it once, > but the main bottleneck was getting the bug reports that it generated > properly triaged, so if you could make sure the bug-submitting > portion > of the process is properly streamlined, that'd probably go a long way > towards helping it be useful. Bugs are normally reported by email or mailing list. Is there any writable mailing list to publish bugs or is it strictly needed to open an entry on bugzilla? -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-07 18:29 ` Luís Ferreira @ 2021-10-08 16:52 ` Iain Buclaw 2021-10-08 17:08 ` Luís Ferreira 0 siblings, 1 reply; 15+ messages in thread From: Iain Buclaw @ 2021-10-08 16:52 UTC (permalink / raw) To: Luís Ferreira, Eric Gallager; +Cc: gcc-patches, Jeff Law Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm: > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: >> >> I can help with the autotools part if you can say how precisely you'd >> like to use them to add address sanitization. And as for the OSS >> fuzz part, I think someone tried setting up auto-fuzzing for it once, >> but the main bottleneck was getting the bug reports that it generated >> properly triaged, so if you could make sure the bug-submitting >> portion >> of the process is properly streamlined, that'd probably go a long way >> towards helping it be useful. > > Bugs are normally reported by email or mailing list. Is there any > writable mailing list to publish bugs or is it strictly needed to open > an entry on bugzilla? > Please open an issue on bugzilla, fixes towards it can then be referenced in the commit message/patch posted here. Iain. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-08 16:52 ` Iain Buclaw @ 2021-10-08 17:08 ` Luís Ferreira 2021-10-08 20:11 ` Iain Buclaw 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-10-08 17:08 UTC (permalink / raw) To: Iain Buclaw, Eric Gallager; +Cc: gcc-patches, Jeff Law [-- Attachment #1: Type: text/plain, Size: 1319 bytes --] On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm: > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > > > > > > I can help with the autotools part if you can say how precisely > > > you'd > > > like to use them to add address sanitization. And as for the OSS > > > fuzz part, I think someone tried setting up auto-fuzzing for it > > > once, > > > but the main bottleneck was getting the bug reports that it > > > generated > > > properly triaged, so if you could make sure the bug-submitting > > > portion > > > of the process is properly streamlined, that'd probably go a long > > > way > > > towards helping it be useful. > > > > Bugs are normally reported by email or mailing list. Is there any > > writable mailing list to publish bugs or is it strictly needed to > > open > > an entry on bugzilla? > > > > Please open an issue on bugzilla, fixes towards it can then be > referenced in the commit message/patch posted here. > > Iain. You mean for this current issue? The discussion was about future bug reports reported by the OSS fuzzer workers. I can also open an issue on the bugzilla for this issue, please clarify it and let me know :) -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-08 17:08 ` Luís Ferreira @ 2021-10-08 20:11 ` Iain Buclaw 2021-10-12 12:54 ` Luís Ferreira 0 siblings, 1 reply; 15+ messages in thread From: Iain Buclaw @ 2021-10-08 20:11 UTC (permalink / raw) To: Luís Ferreira, Eric Gallager; +Cc: gcc-patches, Jeff Law Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm: > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: >> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm: >> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: >> > > >> > > I can help with the autotools part if you can say how precisely >> > > you'd >> > > like to use them to add address sanitization. And as for the OSS >> > > fuzz part, I think someone tried setting up auto-fuzzing for it >> > > once, >> > > but the main bottleneck was getting the bug reports that it >> > > generated >> > > properly triaged, so if you could make sure the bug-submitting >> > > portion >> > > of the process is properly streamlined, that'd probably go a long >> > > way >> > > towards helping it be useful. >> > >> > Bugs are normally reported by email or mailing list. Is there any >> > writable mailing list to publish bugs or is it strictly needed to >> > open >> > an entry on bugzilla? >> > >> >> Please open an issue on bugzilla, fixes towards it can then be >> referenced in the commit message/patch posted here. >> >> Iain. > > You mean for this current issue? The discussion was about future bug > reports reported by the OSS fuzzer workers. I can also open an issue on > the bugzilla for this issue, please clarify it and let me know :) > 1. Open one for this issue. 2. Bugs found by the fuzzer would report to bugzilla. https://gcc.gnu.org/bugs/ Iain. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-08 20:11 ` Iain Buclaw @ 2021-10-12 12:54 ` Luís Ferreira 2021-10-12 19:40 ` Eric Gallager 0 siblings, 1 reply; 15+ messages in thread From: Luís Ferreira @ 2021-10-12 12:54 UTC (permalink / raw) To: Iain Buclaw, Eric Gallager; +Cc: gcc-patches, Jeff Law [-- Attachment #1: Type: text/plain, Size: 1832 bytes --] On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote: > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm: > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm: > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > > > > > > > > > > I can help with the autotools part if you can say how precisely > > > > > you'd > > > > > like to use them to add address sanitization. And as for the > > > > > OSS > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it > > > > > once, > > > > > but the main bottleneck was getting the bug reports that it > > > > > generated > > > > > properly triaged, so if you could make sure the bug-submitting > > > > > portion > > > > > of the process is properly streamlined, that'd probably go a > > > > > long > > > > > way > > > > > towards helping it be useful. > > > > > > > > Bugs are normally reported by email or mailing list. Is there any > > > > writable mailing list to publish bugs or is it strictly needed to > > > > open > > > > an entry on bugzilla? > > > > > > > > > > Please open an issue on bugzilla, fixes towards it can then be > > > referenced in the commit message/patch posted here. > > > > > > Iain. > > > > You mean for this current issue? The discussion was about future bug > > reports reported by the OSS fuzzer workers. I can also open an issue > > on > > the bugzilla for this issue, please clarify it and let me know :) > > > > 1. Open one for this issue. > > 2. Bugs found by the fuzzer would report to bugzilla. > https://gcc.gnu.org/bugs/ > > Iain. Cross referencing the created issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702 -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-12 12:54 ` Luís Ferreira @ 2021-10-12 19:40 ` Eric Gallager 2021-10-12 20:25 ` Luís Ferreira 0 siblings, 1 reply; 15+ messages in thread From: Eric Gallager @ 2021-10-12 19:40 UTC (permalink / raw) To: lsferreira; +Cc: Iain Buclaw, gcc-patches, Jeff Law On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira <contact@lsferreira.net> wrote: > > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote: > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm: > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm: > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > > > > > > > > > > > > I can help with the autotools part if you can say how precisely > > > > > > you'd > > > > > > like to use them to add address sanitization. And as for the > > > > > > OSS > > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it > > > > > > once, > > > > > > but the main bottleneck was getting the bug reports that it > > > > > > generated > > > > > > properly triaged, so if you could make sure the bug-submitting > > > > > > portion > > > > > > of the process is properly streamlined, that'd probably go a > > > > > > long > > > > > > way > > > > > > towards helping it be useful. > > > > > > > > > > Bugs are normally reported by email or mailing list. Is there any > > > > > writable mailing list to publish bugs or is it strictly needed to > > > > > open > > > > > an entry on bugzilla? > > > > > > > > > > > > > Please open an issue on bugzilla, fixes towards it can then be > > > > referenced in the commit message/patch posted here. > > > > > > > > Iain. > > > > > > You mean for this current issue? The discussion was about future bug > > > reports reported by the OSS fuzzer workers. I can also open an issue > > > on > > > the bugzilla for this issue, please clarify it and let me know :) > > > > > > > 1. Open one for this issue. > > > > 2. Bugs found by the fuzzer would report to bugzilla. > > https://gcc.gnu.org/bugs/ > > > > Iain. > > Cross referencing the created issue: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702 > > -- > Sincerely, > Luís Ferreira @ lsferreira.net > Right, I found the previous time someone tried to set up an autofuzzer to report bugs to GCC's Bugzilla; searching for bugs reported by security-tps@google.com on Bugzilla should find them: https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] libiberty: prevent buffer overflow when decoding user input 2021-10-12 19:40 ` Eric Gallager @ 2021-10-12 20:25 ` Luís Ferreira 0 siblings, 0 replies; 15+ messages in thread From: Luís Ferreira @ 2021-10-12 20:25 UTC (permalink / raw) To: Eric Gallager; +Cc: Iain Buclaw, gcc-patches, Jeff Law [-- Attachment #1: Type: text/plain, Size: 3142 bytes --] On Tue, 2021-10-12 at 15:40 -0400, Eric Gallager wrote: > On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira > <contact@lsferreira.net> wrote: > > > > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote: > > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm: > > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: > > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 > > > > > pm: > > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > > > > > > > > > > > > > > I can help with the autotools part if you can say how > > > > > > > precisely > > > > > > > you'd > > > > > > > like to use them to add address sanitization. And as for > > > > > > > the > > > > > > > OSS > > > > > > > fuzz part, I think someone tried setting up auto-fuzzing > > > > > > > for it > > > > > > > once, > > > > > > > but the main bottleneck was getting the bug reports that > > > > > > > it > > > > > > > generated > > > > > > > properly triaged, so if you could make sure the bug- > > > > > > > submitting > > > > > > > portion > > > > > > > of the process is properly streamlined, that'd probably > > > > > > > go a > > > > > > > long > > > > > > > way > > > > > > > towards helping it be useful. > > > > > > > > > > > > Bugs are normally reported by email or mailing list. Is > > > > > > there any > > > > > > writable mailing list to publish bugs or is it strictly > > > > > > needed to > > > > > > open > > > > > > an entry on bugzilla? > > > > > > > > > > > > > > > > Please open an issue on bugzilla, fixes towards it can then > > > > > be > > > > > referenced in the commit message/patch posted here. > > > > > > > > > > Iain. > > > > > > > > You mean for this current issue? The discussion was about > > > > future bug > > > > reports reported by the OSS fuzzer workers. I can also open an > > > > issue > > > > on > > > > the bugzilla for this issue, please clarify it and let me know > > > > :) > > > > > > > > > > 1. Open one for this issue. > > > > > > 2. Bugs found by the fuzzer would report to bugzilla. > > > https://gcc.gnu.org/bugs/ > > > > > > Iain. > > > > Cross referencing the created issue: > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702 > > > > -- > > Sincerely, > > Luís Ferreira @ lsferreira.net > > > > Right, I found the previous time someone tried to set up an > autofuzzer > to report bugs to GCC's Bugzilla; searching for bugs reported by > security-tps@google.com on Bugzilla should find them: > https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced Good! Do you know how and where this is being handled? I didn't find anything related to GCC/libiberty on OSS fuzz repository. Existing resources on that can be useful to increment on top instead of designing something from scratch. I also took a look at the fuzzer included in GCC, but it doesn't include any heuristic. -- Sincerely, Luís Ferreira @ lsferreira.net [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2021-10-12 20:25 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-09-22 1:10 [PATCH] libiberty: prevent buffer overflow when decoding user input Luís Ferreira 2021-09-23 10:16 ` ibuclaw 2021-09-23 15:40 ` Luís Ferreira 2021-09-23 15:50 ` Jeff Law 2021-10-04 16:52 ` Luís Ferreira 2021-10-05 15:00 ` Jeff Law 2021-10-05 17:26 ` Luís Ferreira 2021-10-06 1:49 ` Eric Gallager 2021-10-07 18:29 ` Luís Ferreira 2021-10-08 16:52 ` Iain Buclaw 2021-10-08 17:08 ` Luís Ferreira 2021-10-08 20:11 ` Iain Buclaw 2021-10-12 12:54 ` Luís Ferreira 2021-10-12 19:40 ` Eric Gallager 2021-10-12 20:25 ` Luís Ferreira
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).