Message-ID: <460c1e4fd71f42b4b35bcc8911e9141d68b8d973.camel@riseup.net>
Subject: Re: [PATCH] libiberty: prevent buffer overflow when decoding user input
From: Luís Ferreira
Reply-To: lsferreira@riseup.net
To: ibuclaw@gdcproject.org, gcc-patches@gcc.gnu.org
Date: Thu, 23 Sep 2021 16:40:57 +0100
In-Reply-To: <455464371.70186.1632392201366@office.mailbox.org>

Hi,

Here is an example of a crafted mangle that can cause heap buffer overflow.

```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG44444444444444444EQe
00000000  5f 44 32 46 47 57 47 34  34 34 34 34 34 34 34 34  |_D2FGWG444444444|
00000010  34 34 34 34 34 34 34 34  45 51 65 0a              |44444444EQe.|
0000001c
```

Here is an example of a crafted mangle that can cause stack buffer overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_1111Qe
00000000  5f 44 38 65 65 32 5f 31  31 31 31 51 65           |_D8ee2_1111Qe|
0000000d
```

Even though this triggers UB by reading/writing other memory space, I couldn't find a situation where this constantly fails, although, if running with an address + UB sanitizer, this can be easily caught and replicated with some confidence.
I didn't add this to the test suite because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuclaw@gdcproject.org wrote:
> > On 22/09/2021 03:10 Luís Ferreira wrote:
> >
> >
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes
> > by accessing a reserved memory space.
> >
>
> Hi,
>
> Thanks for this.  Is there a test that could trigger this code path?
>
> Iain.
>
>
> > Signed-off-by: Luís Ferreira
> > ---
> >  libiberty/d-demangle.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> > *mangled,
> >  
> >    /* Must point to a simple identifier.  */
> >    backref = dlang_number (backref, &len);
> > -  if (backref == NULL)
> > +  if (backref == NULL || strlen(backref) < len)
> >      return NULL;
> >  
> >    backref = dlang_lname (decl, backref, len);

--
Sincerely,
Luís Ferreira @ lsferreira.net
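Review bot: the new condition on the `+` line should follow the GNU style of the surrounding lines, i.e. `strlen (backref) < len` with a space before the argument list, as in `dlang_number (backref, &len)` just above it. The guard itself is the right shape (it refuses to hand `dlang_lname` a `len` larger than the bytes left before the terminator), but `strlen` walks to the end of the remaining input on every back reference, so a bounded scan (`strnlen` or a `memchr` for the terminator within `len` bytes) would give the same guarantee without rescanning the whole string; and if `len` is signed, the comparison silently promotes it to `size_t`, which does reject negative values but deserves an explicit cast so the intent is visible. On Iain's question about a test: with this guard in place both crafted mangles from the mail make `dlang_symbol_backref` return NULL deterministically, so they can be added as demangle inputs whose expected result is a failed demangle; the undefined behaviour only affects the unpatched code.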
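To show the bound check from the patch in isolation, here is an added example that is not libiberty code and not part of the thread: a minimal reader for D-style length-prefixed identifiers ("<decimal length><identifier>") whose `read_number`, `read_lname`, buffer-size handling and test inputs are all constructed for this illustration.

```c
/* Added example, not libiberty code: a minimal reader for D-style
   length-prefixed identifiers ("<decimal length><identifier>") that
   applies the bound check from the patch before copying any bytes.  */
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Parse a decimal length; NULL if no digit or the value overflows a long.  */
static const char *
read_number (const char *p, long *out)
{
  long n = 0;
  if (*p < '0' || *p > '9')
    return NULL;
  while (*p >= '0' && *p <= '9')
    {
      int d = *p - '0';
      if (n > (LONG_MAX - d) / 10)
        return NULL;
      n = n * 10 + d;
      p++;
    }
  *out = n;
  return p;
}

/* Decode "<len><identifier>" at P into BUF (capacity BUFSZ).  Returns the
   position after the identifier, or NULL on malformed or truncated input
   rather than reading past the terminator.  */
const char *
read_lname (const char *p, char *buf, size_t bufsz)
{
  long len;
  p = read_number (p, &len);
  if (p == NULL || len <= 0 || (size_t) len >= bufsz)
    return NULL;
  /* The patch's "strlen (backref) < len" guard, bounded to LEN bytes: a
     terminator inside the first LEN bytes means the input is too short.  */
  if (memchr (p, '\0', (size_t) len) != NULL)
    return NULL;
  memcpy (buf, p, (size_t) len);
  buf[len] = '\0';
  return p + len;
}
```

Fed the tail of the second crafted mangle (`8ee2_1111Qe`) it yields `ee2_1111` and leaves `Qe`; a constructed truncated input such as `8ee2_11` is rejected instead of being read past its end.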