Bug 987552 – VUL-1: CVE-2016-6131: libiberty: Demangler segfaults (trackerbug)

Bug 987552 - (CVE-2016-6131) VUL-1: CVE-2016-6131: libiberty: Demangler segfaults (trackerbug)

(CVE-2016-6131)
Summary:	VUL-1: CVE-2016-6131: libiberty: Demangler segfaults (trackerbug)

Status:	RESOLVED MOVED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170574/
Whiteboard:	maint:planned:update
Keywords:

Depends on:
Blocks:	987631 987633 987637 987635 987644
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-07-04 12:04 UTC by Andreas Stieger
Modified:	2019-12-10 09:53 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
patch under review (5.50 KB, patch) 2016-07-04 12:04 UTC, Andreas Stieger	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-07-04 12:04:46 UTC

Created attachment 682931 [details]
patch under review

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind, 
GDB, Binutils (e.g., objdump, nm, ..), Gcov, or other LibBFD-based tools. An attacker might modify a program binary 
such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first 
place) or during the attempt to reverse-engineer an untrusted binary.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none"  >>  ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc

A stackoverflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The 
problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to 
an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html


From patch submission:


The attached patch fixes the stack overflow in the demangler due to cycles in the references of “remembered” mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696).

The methods demangle_signature and do_arg in cplus-dem.c allow to “remember” mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types following any references. So, if there is a cycle in the referencing (or in the simplest case a self-reference), the method enters infinite recursion.

The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.

Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.





References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6131
http://seclists.org/oss-sec/2016/q2/633
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6131.html

Comment 3 Swamp Workflow Management 2016-07-04 22:00:40 UTC

bugbot adjusting priority

Comment 4 Andreas Stieger 2016-07-05 13:50:53 UTC

Security impact of this is marginal, not requesting update now.
Bugs tracking issues for packages embedding this lib:

bug 987631 binutils
bug 987633 crash
bug 987635 valgrind
bug 987637 gdb
bug 987644 gcc

Closing tracker.