Hi,

Here is an example of a crafted mangle that can cause heap buffer overflow.
```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG44444444444444444EQe
00000000  5f 44 32 46 47 57 47 34  34 34 34 34 34 34 34 34  |_D2FGWG444444444|
00000010  34 34 34 34 34 34 34 34  45 51 65 0a              |44444444EQe.|
0000001c
```

Here is an example of a crafted mangle that can cause stack buffer overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_1111Qe
00000000  5f 44 38 65 65 32 5f 31  31 31 31 51 65           |_D8ee2_1111Qe|
0000000d
```

Even though this triggers UB by reading/writing other memory space, I couldn't find a situation where this constantly fails, although, if running with an address + UB sanitizer, this can be easily caught and replicated with some confidence. I didn't add this to the test suite because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuc...@gdcproject.org wrote:
> 
> On 22/09/2021 03:10 Luís Ferreira <cont...@lsferreira.net> wrote:
> > 
> > 
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes
> > by accessing a reserved memory space.
> > 
> 
> Hi,
> 
> Thanks for this. Is there a test that could trigger this code path?
> 
> Iain.
> 
> 
> > Signed-off-by: Luís Ferreira <cont...@lsferreira.net>
> > ---
> > libiberty/d-demangle.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> > *mangled,
> > 
> > /* Must point to a simple identifier. */
> > backref = dlang_number (backref, &len);
> > - if (backref == NULL)
> > + if (backref == NULL || strlen(backref) < len)
> > return NULL;
> > 
> > backref = dlang_lname (decl, backref, len);

-- 
Sincerely,
Luís Ferreira @ lsferreira.net
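Review bot: in the hunk's new condition `strlen(backref) < len`, the `size_t` result of `strlen` is compared against `len`, whose type is not visible in the hunk; if `len` is a signed `long` (the out-parameter filled in by `dlang_number` two lines up), the comparison is done in unsigned arithmetic and -Wsign-compare (enabled by -W/-Wextra) will flag it, so make the types agree explicitly, for example `if (backref == NULL || len < 0 || (size_t) len > strlen (backref))`. Two smaller points: the file's GNU style puts a space before the call parenthesis (`strlen (backref)`, as in `dlang_number (backref, &len)`), and since a test was asked for, the two fuzzer inputs in this reply would make good regression entries for the libiberty demangler test suite even though the unpatched failure only shows reliably under the sanitizers.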
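To show what the two fuzzer inputs above do to the back-reference lookup, here is an added example in C, not libiberty's code: it re-implements only the length check from the patch in isolation and reports, for a given input and position of its `Q`, whether the decimal length found at the back-reference target fits in the bytes that remain. It assumes the D back-reference encoding as dmd emits it (`Q` plus a base-26 number whose upper-case letters are the leading digits and whose final lower-case letter is the last digit, counted backwards from the `Q`); `check_backref_identifier`, `decode_backref` and `parse_number` are names chosen here.

```c
/* Added example (not libiberty code): the hunk's bounds check in isolation.
   Assumed encoding, after dmd: 'Q' + base-26 number (upper-case digits,
   last digit lower-case) = distance back from the 'Q' to a "<len><name>". */
#include <limits.h>
#include <string.h>

/* Parse a decimal length; return pointer past it, NULL if absent/overflow. */
static const char *parse_number(const char *p, long *out)
{
    long v = 0;
    if (*p < '0' || *p > '9') return NULL;
    for (; *p >= '0' && *p <= '9'; p++) {
        if (v > (LONG_MAX - 9) / 10) return NULL;   /* would overflow long */
        v = v * 10 + (*p - '0');
    }
    *out = v;
    return p;
}

/* Decode the base-26 back-reference number after 'Q'; NULL if malformed. */
static const char *decode_backref(const char *p, long *out)
{
    long v = 0;
    for (; *p >= 'A' && *p <= 'Z'; p++) {
        if (v > (LONG_MAX - 25) / 26) return NULL;  /* would overflow long */
        v = v * 26 + (*p - 'A');
    }
    if (*p < 'a' || *p > 'z' || v > (LONG_MAX - 25) / 26) return NULL;
    *out = v * 26 + (*p - 'a');
    return p + 1;
}

/* Resolve the back-reference at mangled[qpos].  Returns the identifier
   length, -1 for a malformed reference, or -2 when the patched check fires:
   the decimal length found at the target exceeds the bytes left after its
   digits, which is the over-read the fuzzer inputs trigger in unpatched code. */
long check_backref_identifier(const char *mangled, size_t qpos)
{
    const char *q = mangled + qpos, *after;
    long refpos, len;

    if (*q != 'Q' || decode_backref(q + 1, &refpos) == NULL) return -1;
    if (refpos <= 0 || (size_t)refpos > qpos) return -1;  /* must point into the prefix */
    if ((after = parse_number(q - refpos, &len)) == NULL) return -1;
    /* The hunk's check, with signed/unsigned made explicit. */
    if (len < 0 || (size_t)len > strlen(after)) return -2;
    return len;
}
```

Under the assumed encoding, the `Qe` in both inputs points four bytes back into a run of digits (1111 and 444), far beyond the two and three bytes that follow those digits, so the patched check rejects both where the old `backref == NULL` test alone would not.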