Re: [PATCH] libiberty: prevent buffer overflow when decoding user input

Thu, 23 Sep 2021 08:41:15 -0700 

Hi,

Here is an example of a crafted mangle that can cause heap buffer
overflow.

```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG44444444444444444EQe
00000000  5f 44 32 46 47 57 47 34  34 34 34 34 34 34 34 34 
|_D2FGWG444444444|
00000010  34 34 34 34 34 34 34 34  45 51 65 0a             
|44444444EQe.|
0000001c
```

Here is an example of a crafted mangle that can cause stack buffer
overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_1111Qe
00000000  5f 44 38 65 65 32 5f 31  31 31 31 51 65          
|_D8ee2_1111Qe|
0000000d
```

Even though this triggers an UB by reading/writing other memory space,
I couldn't find a situation where this constantly fails, although, if
running with an address + UB sanitizer this can be easily catched and
replicated with some confidence. I didn't add this to the test suite
because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuc...@gdcproject.org wrote:
> > On 22/09/2021 03:10 Luís Ferreira <cont...@lsferreira.net> wrote:
> > 
> >  
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes
> > by accessing a reserved memory space.
> > 
> 
> Hi,
> 
> Thanks for this.  Is there a test that could trigger this code path?
> 
> Iain.
> 
> 
> > Signed-off-by: Luís Ferreira <cont...@lsferreira.net>
> > ---
> >  libiberty/d-demangle.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> > *mangled,
> >  
> >    /* Must point to a simple identifier.  */
> >    backref = dlang_number (backref, &len);
> > -  if (backref == NULL)
> > +  if (backref == NULL || strlen(backref) < len)
> >      return NULL;
> >  
> >    backref = dlang_lname (decl, backref, len);

-- 
Sincerely,
Luís Ferreira @ lsferreira.net

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to