Bugzilla – Bug 987631
VUL-1: CVE-2016-6131: binutils: libiberty demangler segfaults
Last modified: 2021-02-18 05:24:37 UTC
+++ This bug was initially created as a clone of Bug #987552 +++
Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind,
GDB, Binutils (e.g., objdump, nm, ..), Gcov, or other LibBFD-based tools. An attacker might modify a program binary
such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first
place) or during the attempt to reverse-engineer an untrusted binary.
Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none" >> ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc
A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The
problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to
an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html
From patch submission:
The attached patch fixes the stack overflow in the demangler due to cycles in the references of “remembered” mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696).
The methods demangle_signature and do_arg in cplus-dem.c allow one to “remember” mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types following any references. So, if there is a cycle in the referencing (or in the simplest case a self-reference), the method enters infinite recursion.
The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.
Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.
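The following is an added example, not libiberty code and not the patch under review. It is a toy model of the mechanism the patch description explains: a table of "remembered" type strings that may refer back to other slots, expanded recursively, with an in-progress vector (named proctypevec after the patch) that turns a self-reference or longer cycle into a failed demangling instead of unbounded recursion. The T<n> back-reference syntax, the slot contents and the function names demangle_ref and expand_type are simplified assumptions for illustration only, not the real GNU v2 mangling grammar.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TYPES 8

/* Toy model of the demangler's "remembered type" table. Slot contents are
 * constructed sample strings, not real GNU v2 mangling; a slot may embed a
 * back-reference of the form T<n> to another slot (an assumed syntax). */
struct demangle_work {
    const char *typevec[MAX_TYPES];   /* remembered (still mangled) type strings */
    int ntypes;
    int proctypevec[MAX_TYPES];       /* slots whose demangling is in progress */
    int nproctypes;
};

static int in_progress(const struct demangle_work *w, int slot)
{
    for (int i = 0; i < w->nproctypes; i++)
        if (w->proctypevec[i] == slot)
            return 1;
    return 0;
}

/* Append s to the NUL-terminated buffer out; return 0 if it would not fit. */
static int emit(char *out, size_t outsz, const char *s)
{
    size_t have = strlen(out), need = strlen(s);
    if (have + need + 1 > outsz)
        return 0;
    memcpy(out + have, s, need + 1);
    return 1;
}

/* Expand one type string into out, following T<n> references recursively.
 * Returns 1 on success, 0 on failure: a dangling reference, an output
 * overflow, or a reference to a slot that is already being expanded. The
 * last case is the cycle from the bug report; without the proctypevec
 * check the recursion below would never terminate. */
static int expand_type(struct demangle_work *w, const char *mangled,
                       char *out, size_t outsz)
{
    const char *p = mangled;
    while (*p) {
        if (*p == 'T' && isdigit((unsigned char)p[1])) {
            char *end;
            long slot = strtol(p + 1, &end, 10);
            if (slot < 0 || slot >= w->ntypes)
                return 0;                       /* dangling reference */
            if (in_progress(w, (int)slot))
                return 0;                       /* cycle: mark as unsuccessful */
            if (w->nproctypes >= MAX_TYPES)
                return 0;
            w->proctypevec[w->nproctypes++] = (int)slot;
            int ok = expand_type(w, w->typevec[slot], out, outsz);
            w->nproctypes--;
            if (!ok)
                return 0;
            p = end;
        } else {
            char c[2] = { *p, '\0' };
            if (!emit(out, outsz, c))
                return 0;
            p++;
        }
    }
    return 1;
}

/* Entry point: load the remembered-type table, expand `mangled` into out. */
int demangle_ref(const char **types, int ntypes, const char *mangled,
                 char *out, size_t outsz)
{
    struct demangle_work w;
    if (ntypes < 0 || ntypes > MAX_TYPES || outsz == 0)
        return 0;
    memset(&w, 0, sizeof w);
    for (int i = 0; i < ntypes; i++)
        w.typevec[i] = types[i];
    w.ntypes = ntypes;
    out[0] = '\0';
    return expand_type(&w, mangled, out, outsz);
}

int main(void)
{
    /* Constructed sample tables: one acyclic, one self-referencing, one two-slot cycle. */
    const char *acyclic[] = { "int", "pointer to T0", "T1 const" };
    const char *self_ref[] = { "T0" };
    const char *two_cycle[] = { "T1", "T0" };
    char out[64];

    int ok = demangle_ref(acyclic, 3, "T2", out, sizeof out);
    printf("acyclic:   ok=%d \"%s\"\n", ok, out);
    printf("self-ref:  ok=%d\n", demangle_ref(self_ref, 1, "T0", out, sizeof out));
    printf("two-cycle: ok=%d\n", demangle_ref(two_cycle, 2, "T0", out, sizeof out));
    return 0;
}
```

The in-progress vector is pushed before descending into a referenced slot and popped afterwards, so a slot may legitimately be referenced several times along different paths (as slot 0 could be here) while any reference back into the current expansion chain is rejected. That is the same shape of check the patch describes for work->proctypevec; the difference is only that the real demangler carries many more states per type.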
Security impact of this is marginal. Not requesting an update, may be fixed with a future maintenance update.
bugbot adjusting priority