Bug 359181

Summary: Buffer Overflow during Demangling
Product: [Developer tools] valgrind
Reporter: Marcel Böhme <boehme.marcel>
Component: general
Assignee: Mark Wielaard <mark>
Status: RESOLVED FIXED
Severity: crash
CC: flo2030, ivosh, mark
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Other   
OS: All   
Attachments: Update libiberty demangler

Description Marcel Böhme 2016-02-09 12:16:39 UTC
A buffer overflow in cplus-dem.c is caused when Valgrind tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.

Upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Reproducible: Always

Steps to Reproduce:
$ cat compileme.c
#include<stdio.h>
#include<stdlib.h>

const char* ____________________X00020A___R0020A__U000R03000N99999999_020A__K000(){
  char *p;
  p = (char *) malloc(19);
  p = (char *) malloc(12);
  free(p);
  p = (char *) malloc(16);
  return "Hello World!";
}

int main()
{
   printf("%s\n",____________________X00020A___R0020A__U000R03000N99999999_020A__K000());
   return 0;
}

$ g++ compileme.c -o temp
$ sed -b s/Z68/_20/g temp > valgrindme
$ chmod u+x valgrindme
$ ./valgrindme
Hello World!
$ valgrind --leak-check=yes ./valgrindme

Comment 1 Florian Krohm 2016-02-10 09:00:49 UTC
Thanks for letting us know. We'll watch upstream as the bug is in their shop. We just pull in the code from the GCC demangler.
I believe that upstream is actually binutils rather than gcc as the demangling code is part of libiberty. If you don't get any response from gcc you might want to raise the bug there. 
BTW: the c++filt tool (part of binutils) has the same issue.

Comment 2 Mark Wielaard 2016-09-10 12:18:55 UTC
Created attachment 101012
Update libiberty demangler

This particular bug (and many more issues) has been fixed upstream now.

Update the libiberty demangler using the auxprogs/update-demangler
script. There were various extensions and bug fixes since our last
import. Add new D language demangler file d-demangle.c and update
the vg_libciface.h header with some new constructs used (strtol,
xmalloc_failed, xmemdup, XDELETEVEC, XDUPVEC).

Comment 3 Mark Wielaard 2016-09-13 19:06:34 UTC
valgrind svn r15951