Bugzilla – Bug 987552
VUL-1: CVE-2016-6131: libiberty: Demangler segfaults (trackerbug)
Last modified: 2019-12-10 09:53:48 UTC
Created attachment 682931: patch under review
Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind,
GDB, Binutils (e.g., objdump, nm, ...), Gcov, or other LibBFD-based tools. An attacker might modify a program binary
such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first
place) or during the attempt to reverse-engineer an untrusted binary.
Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none" >> ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc
A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The
problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to
an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html
From patch submission:
The attached patch fixes the stack overflow in the demangler due to cycles in the references of “remembered” mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696).
The methods demangle_signature and do_arg in cplus-dem.c make it possible to “remember” mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types following any references. So, if there is a cycle in the referencing (or in the simplest case a self-reference), the method enters infinite recursion.
The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.
Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.
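To make the mechanism in the report and the shape of the fix concrete, here is an added, self-contained model of a demangler with "remembered" types. It is not code from libiberty or from the patch: the grammar (i, c, P, T<n>_), the names demangle_toy, do_type and CALL_CAP, and the struct layout are all constructed for this illustration; only the idea of a proctypevec tracking the types currently being demangled is taken from the patch description. The unguarded path follows back-references with no cycle check and, on a constructed self-referencing table, runs until a demo-only call cap stops it (the real code has no cap, hence the stack overflow); the guarded path rejects the reference as soon as it sees a type that is already being demangled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TYPES 8
#define CALL_CAP  64   /* demo-only bound; the real recursion has no such cap */

/* Working state of the toy demangler (assumed layout, not libiberty's struct work). */
struct work {
    const char *typevec[MAX_TYPES];  /* "remembered" mangled type strings */
    int ntypes;
    bool proctypevec[MAX_TYPES];     /* types currently being demangled: the guard the fix adds */
    int calls;                       /* recursive calls made, to show how much work each path does */
};

static bool append(char *out, size_t cap, const char *s) {
    if (strlen(out) + strlen(s) + 1 > cap) return false;
    strcat(out, s);
    return true;
}

/* Toy grammar (constructed for this example, not real GNU mangling):
 *   type := 'i' (int) | 'c' (char) | 'P' type (pointer) | 'T' digit '_' (remembered type)
 * Returns a pointer just past the parsed type, or NULL on failure.
 * use_guard=false follows back-references with no cycle check (the bug);
 * use_guard=true refuses a reference to a type that is still being demangled (the fix). */
static const char *do_type(struct work *w, const char *s, char *out, size_t cap, bool use_guard) {
    if (++w->calls > CALL_CAP) return NULL;   /* stands in for the stack overflow */
    switch (*s) {
    case 'i': return append(out, cap, "int")  ? s + 1 : NULL;
    case 'c': return append(out, cap, "char") ? s + 1 : NULL;
    case 'P': {
        const char *end = do_type(w, s + 1, out, cap, use_guard);
        return (end && append(out, cap, "*")) ? end : NULL;
    }
    case 'T': {
        if (s[1] < '0' || s[1] > '9' || s[2] != '_') return NULL;
        int n = s[1] - '0';
        if (n >= w->ntypes) return NULL;
        if (use_guard) {
            if (w->proctypevec[n]) return NULL;  /* cycle: type n is already on the current path */
            w->proctypevec[n] = true;
        }
        const char *inner = do_type(w, w->typevec[n], out, cap, use_guard);
        if (use_guard) w->proctypevec[n] = false;
        /* the remembered string must be exactly one complete type */
        return (inner && *inner == '\0') ? s + 3 : NULL;
    }
    default:
        return NULL;
    }
}

/* Demangle `sig` against a table of remembered types. Returns 1 on success with the
 * result in `out`, 0 on failure; *calls_out receives the number of do_type calls made. */
int demangle_toy(const char *const remembered[], int nremembered, const char *sig,
                 bool use_guard, char *out, size_t cap, int *calls_out) {
    struct work w;
    memset(&w, 0, sizeof w);
    if (nremembered > MAX_TYPES) nremembered = MAX_TYPES;
    for (int i = 0; i < nremembered; i++) w.typevec[i] = remembered[i];
    w.ntypes = nremembered;
    out[0] = '\0';
    const char *end = do_type(&w, sig, out, cap, use_guard);
    if (calls_out) *calls_out = w.calls;
    return end != NULL && *end == '\0';
}

int main(void) {
    char buf[64];
    int calls;

    /* Constructed table: type 0 is "pointer to int"; referencing it is harmless. */
    const char *const benign[] = { "Pi" };
    int ok = demangle_toy(benign, 1, "PT0_", true, buf, sizeof buf, &calls);
    printf("benign   : ok=%d out=%s calls=%d\n", ok, buf, calls);

    /* Constructed table: type 0 refers back to itself, the "simplest case" in the report. */
    const char *const cyclic[] = { "PT0_" };
    ok = demangle_toy(cyclic, 1, "T0_", false, buf, sizeof buf, &calls);
    printf("unguarded: ok=%d calls=%d (hit the demo cap; unbounded in the real code)\n", ok, calls);
    ok = demangle_toy(cyclic, 1, "T0_", true, buf, sizeof buf, &calls);
    printf("guarded  : ok=%d calls=%d (cycle rejected)\n", ok, calls);
    return 0;
}
```

The guard is cleared again on the way back out, so a remembered type may legitimately be referenced several times in one signature; only a reference that occurs while that same type is still being expanded is reported as a failed demangling, which is the behaviour the patch description gives for work->proctypevec.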
bugbot adjusting priority
Security impact of this is marginal, not requesting update now.
Bugs tracking issues for packages embedding this lib:
bug 987631 binutils
bug 987633 crash
bug 987635 valgrind
bug 987637 gdb
bug 987644 gcc