Bug 359181 - Buffer Overflow during Demangling
Summary: Buffer Overflow during Demangling
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: general
Version: unspecified
Platform: Other All
Importance: NOR crash
Target Milestone: ---
Assignee: Mark Wielaard
Reported: 2016-02-09 12:16 UTC by Marcel Böhme
Modified: 2016-09-13 19:06 UTC



Attachments
Update libiberty demangler (88.12 KB, patch)
2016-09-10 12:18 UTC, Mark Wielaard

Description Marcel Böhme 2016-02-09 12:16:39 UTC
A buffer overflow in cplus-dem.c is caused when Valgrind tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.

Upstream: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Reproducible: Always

Steps to Reproduce:
$ cat compileme.c
#include <stdio.h>
#include <stdlib.h>

/* The function name is deliberately long and patterned: compiled with g++ it
   becomes a mangled symbol, which the sed step below rewrites into the form
   that valgrind's demangler trips over.  The dangling allocations are
   intentional so that --leak-check=yes reports this function by name, which
   is what makes valgrind demangle it. */
const char* ____________________X00020A___R0020A__U000R03000N99999999_020A__K000(){
  char *p;
  p = (char *) malloc(19);   /* leaked on purpose */
  p = (char *) malloc(12);
  free(p);
  p = (char *) malloc(16);   /* leaked on purpose */
  return "Hello World!";
}

int main()
{
   printf("%s\n", ____________________X00020A___R0020A__U000R03000N99999999_020A__K000());
   return 0;
}

$ g++ compileme.c -o temp
$ sed -b s/Z68/_20/g temp > valgrindme
$ chmod u+x valgrindme
$ ./valgrindme
Hello World!
$ valgrind --leak-check=yes ./valgrindme
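The report's core point is that a demangler reads both the size and the content of what it will copy from the binary under analysis, so every length field in a mangled name is untrusted input. The following is an added illustration written for this page, not code from libiberty, cplus-dem.c or valgrind: it parses a simplified `_Z<len><name>v` symbol (a hypothetical subset of the Itanium scheme, chosen only to show the pattern) and checks the claimed length against the bytes actually remaining, rejects zero or absurd lengths (the `MAX_IDENT_LEN` cap is an assumed value), and guards the decimal conversion against integer overflow before anything is allocated or copied.

```c
/* Added example (not libiberty/cplus-dem.c code): treating a length
   prefix inside a mangled symbol as untrusted input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Hypothetical upper bound on an identifier we are willing to allocate for. */
#define MAX_IDENT_LEN 4096

/* Parse "<decimal-length><name>" at *p.  Returns a freshly allocated,
   NUL-terminated copy of name, or NULL if the length field is missing,
   zero, overflows, exceeds MAX_IDENT_LEN, or claims more bytes than
   remain before 'end'.  On success *p is advanced past the name. */
char *parse_len_prefixed(const char **p, const char *end) {
    const char *s = *p;
    unsigned long len = 0;

    if (s >= end || *s < '0' || *s > '9')
        return NULL;                              /* no length field at all */
    while (s < end && *s >= '0' && *s <= '9') {
        if (len > (ULONG_MAX - 9) / 10)
            return NULL;                          /* decimal would overflow */
        len = len * 10 + (unsigned long)(*s - '0');
        s++;
    }
    if (len == 0 || len > MAX_IDENT_LEN)
        return NULL;                              /* implausible size */
    if ((size_t)(end - s) < len)
        return NULL;                              /* length exceeds the input */

    char *out = malloc(len + 1);                  /* size is now validated */
    if (!out)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    *p = s + len;
    return out;
}

/* Demangle the hypothetical subset "_Z<len><name>v" into "name()".
   Returns a malloc'd string or NULL for anything that does not match. */
char *demangle_simple(const char *sym) {
    size_t n = strlen(sym);
    const char *p = sym, *end = sym + n;

    if (n < 3 || strncmp(sym, "_Z", 2) != 0)
        return NULL;
    p += 2;
    char *name = parse_len_prefixed(&p, end);
    if (!name)
        return NULL;
    /* Only an empty parameter list ('v') followed by end of input is accepted. */
    if (p + 1 != end || *p != 'v') {
        free(name);
        return NULL;
    }
    size_t ln = strlen(name);
    char *out = malloc(ln + 3);                   /* name + "()" + NUL */
    if (!out) {
        free(name);
        return NULL;
    }
    memcpy(out, name, ln);
    memcpy(out + ln, "()", 3);
    free(name);
    return out;
}

int main(void) {
    /* Constructed inputs: one well-formed symbol and two with a length
       field larger than the data that follows it. */
    const char *inputs[] = { "_Z3foov", "_Z5foov", "_Z99999999foov" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *r = demangle_simple(inputs[i]);
        printf("%-16s -> %s\n", inputs[i], r ? r : "(rejected)");
        free(r);
    }
    return 0;
}
```

The three checks in `parse_len_prefixed` are the ones a reviewer would look for in any demangler path that turns a number taken from the symbol into an allocation or a copy size: bound the conversion, bound the value, and bound it again against what is actually present in the input.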
Comment 1 Florian Krohm 2016-02-10 09:00:49 UTC
Thanks for letting us know. We'll watch upstream as the bug is in their shop. We just pull in the code from the GCC demangler.
I believe that upstream is actually binutils rather than gcc as the demangling code is part of libiberty. If you don't get any response from gcc you might want to raise the bug there. 
BTW: the c++filt tool (part of binutils) has the same issue.
Comment 2 Mark Wielaard 2016-09-10 12:18:55 UTC
Created attachment 101012 [details]
Update libiberty demangler

This particular bug (and many more issues) has been fixed upstream now.

Update the libiberty demangler using the auxprogs/update-demangler
script. There were various extensions and bug fixes since our last
import. Add new D language demangler file d-demangle.c and update
the vg_libciface.h header with some new constructs used (strtol,
xmalloc_failed, xmemdup, XDELETEVEC, XDUPVEC).
Comment 3 Mark Wielaard 2016-09-13 19:06:34 UTC
valgrind svn r15951