Bug 987552 - (CVE-2016-6131) VUL-1: CVE-2016-6131: libiberty: Demangler segfaults (trackerbug)
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Blocks: 987631 987633 987637 987635 987644
Reported: 2016-07-04 12:04 UTC by Andreas Stieger
Modified: 2019-12-10 09:53 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

patch under review (5.50 KB, patch)
2016-07-04 12:04 UTC, Andreas Stieger

Description Andreas Stieger 2016-07-04 12:04:46 UTC
Created attachment 682931
patch under review


Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind, GDB, Binutils (e.g., objdump, nm, ...), Gcov, or other LibBFD-based tools. An attacker might modify a program binary such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first place) or during the attempt to reverse-engineer an untrusted binary.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none"  >>  ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc

A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html

From patch submission:

The attached patch fixes the stack overflow in the demangler due to cycles in the references of “remembered” mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696).

The methods demangle_signature and do_arg in cplus-dem.c allow “remembering” mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types, following any references. So, if there is a cycle in the referencing (or, in the simplest case, a self-reference), the method enters infinite recursion.

The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.

Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.
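
As an added example (this is not libiberty's code and not the patch under review), the toy demangler below models the mechanism the description outlines: each argument type is remembered before it is expanded, a back-reference `T<n>` re-enters the remembered type, and a self-reference such as `PT0` would otherwise recurse without bound. The in-progress list `proctypevec` mirrors the idea of the patch's `work->proctypevec`: a reference to a type that is still being demangled is reported as a failed demangling instead of recursing. The mangling grammar (`i`, `c`, `P<type>`, `T<digit>`), the buffer sizes and all function names here are constructed for the example and are not GNU v2 mangling or cplus-dem.c's API.

```c
/* Added example, not libiberty code: a toy demangler with "remembered" types,
 * back-references and the in-progress tracking the PR71696 patch adds as
 * work->proctypevec.  Grammar constructed for this example (not GNU v2 mangling):
 *   i -> int   c -> char   P<type> -> <type>*   T<digit> -> remembered type <digit> */
#include <string.h>
#define MAX_TYPES 10
#define TYPE_MAX  32
#define OUT_MAX   256

struct work {
    char typevec[MAX_TYPES][TYPE_MAX]; /* remembered mangled types; index = back-reference */
    int  ntypes;
    int  proctypevec[MAX_TYPES];       /* indices of remembered types being demangled now */
    int  nproctypes;
};

static int demangle_type(struct work *w, const char **mangled, char *out);

static int out_append(char *out, const char *s)
{
    if (strlen(out) + strlen(s) >= OUT_MAX)
        return 0;                               /* would overflow the output buffer */
    strcat(out, s);
    return 1;
}

/* Expand remembered type idx.  Without the proctypevec check a type that refers to
 * itself (directly or through another type) recurses until the stack is exhausted. */
static int demangle_remembered(struct work *w, int idx, char *out)
{
    const char *p;
    int i, ok;
    if (idx >= w->ntypes)
        return 0;                               /* reference to a type not yet seen */
    for (i = 0; i < w->nproctypes; i++)
        if (w->proctypevec[i] == idx)
            return 0;                           /* cycle: already being demangled */
    w->proctypevec[w->nproctypes++] = idx;      /* mark in progress */
    p = w->typevec[idx];
    ok = demangle_type(w, &p, out) && *p == '\0';
    w->nproctypes--;                            /* unmark on the way out */
    return ok;
}

static int demangle_type(struct work *w, const char **mangled, char *out)
{
    switch (**mangled) {
    case 'i': (*mangled)++; return out_append(out, "int");
    case 'c': (*mangled)++; return out_append(out, "char");
    case 'P': (*mangled)++; return demangle_type(w, mangled, out) && out_append(out, "*");
    case 'T': (*mangled)++;
        if (**mangled < '0' || **mangled > '9') return 0;
        return demangle_remembered(w, *(*mangled)++ - '0', out);
    default:  return 0;                         /* unknown or truncated type */
    }
}

/* Length of the next mangled type, or -1 if malformed. */
static int type_length(const char *s)
{
    int inner;
    switch (*s) {
    case 'i': case 'c': return 1;
    case 'P': inner = type_length(s + 1); return inner < 0 ? -1 : inner + 1;
    case 'T': return (s[1] >= '0' && s[1] <= '9') ? 2 : -1;
    default:  return -1;
    }
}

/* Demangle an argument list into out (OUT_MAX bytes).  Each argument is remembered
 * before it is expanded, as demangle_signature/do_arg do in cplus-dem.c, so "PT0"
 * as first argument refers to itself.  Returns 1 on success, 0 on bad input/cycle. */
int demangle_args(const char *mangled, char *out)
{
    struct work w;
    memset(&w, 0, sizeof w);
    out[0] = '\0';
    while (*mangled) {
        int len = type_length(mangled), idx;
        if (len < 0 || len >= TYPE_MAX || w.ntypes >= MAX_TYPES)
            return 0;
        idx = w.ntypes++;
        memcpy(w.typevec[idx], mangled, (size_t)len);
        w.typevec[idx][len] = '\0';
        if (idx > 0 && !out_append(out, ", "))
            return 0;
        if (!demangle_remembered(&w, idx, out))
            return 0;
        mangled += len;
    }
    return 1;
}

/* 1 if mangled demangles exactly to expect, 0 on rejection or mismatch. */
int demangle_matches(const char *mangled, const char *expect)
{
    char out[OUT_MAX];
    return demangle_args(mangled, out) && strcmp(out, expect) == 0;
}
```

With this guard, `demangle_matches("iPcT0", "int, char*, int")` succeeds because `T0` refers to a type whose expansion has already finished, while `demangle_args("PT0", out)` returns 0: the reference to type 0 is seen while type 0 is still on `proctypevec`, so the input is rejected rather than recursing until the stack is exhausted. The bounded `out_append` also keeps the expansion of nested pointers from overrunning the caller's buffer, which a real demangler has to handle separately from the cycle check.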

Comment 3 Swamp Workflow Management 2016-07-04 22:00:40 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2016-07-05 13:50:53 UTC
Security impact of this is marginal, not requesting update now.
Bugs tracking issues for packages embedding this lib:

bug 987631 binutils
bug 987633 crash
bug 987635 valgrind
bug 987637 gdb
bug 987644 gcc

Closing tracker.