Bugzilla – Bug 987633
VUL-1: CVE-2016-6131: crash: libiberty demangler segfaults
Last modified: 2021-02-18 05:24:40 UTC
+++ This bug was initially created as a clone of Bug #987552 +++

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind, GDB, Binutils (e.g., objdump, nm, ..), Gcov, or other LibBFD-based tools. An attacker might modify a program binary such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first place) or during the attempt to reverse-engineer an untrusted binary.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,

  $ echo "set demangle-style none" >> ~/.gdbinit
  $ echo "--demangle=no" >> ~/.valgrindrc

A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.

* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html

From patch submission:

The attached patch fixes the stack overflow in the demangler due to cycles in the references of "remembered" mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696). The methods demangle_signature and do_arg in cplus-dem.c allow "remembering" mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types following any references. So, if there is a cycle in the referencing (or in the simplest case a self-reference), the method enters infinite recursion. The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.

Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6131
http://seclists.org/oss-sec/2016/q2/633
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6131.html
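The description above explains the defect in terms of "remembered" type entries that may refer back to each other, and the fix as a vector of entries currently being demangled (work->proctypevec) that turns a cycle into a failed demangle instead of unbounded recursion. The following C program is an added illustration of that mechanism and is not libiberty's cplus-dem.c code: the struct names, the table layout and the sample entries are constructed for this example, and only the cycle-detection idea is taken from the patch description.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TYPES 8

/* Constructed model of a "remembered" mangled type: either a literal base
   name, or a back-reference to another remembered entry plus a decoration. */
struct remembered {
    const char *literal;  /* e.g. "int"; NULL when this entry is a reference */
    int ref;              /* index of the remembered type referred to, or -1 */
    const char *suffix;   /* decoration added after the referenced type, e.g. "*" */
};

/* Hypothetical stand-in for libiberty's work_stuff: the remembered table plus
   the set of indices whose demangling is currently in progress (the role the
   patch description gives work->proctypevec). */
struct work_stuff {
    struct remembered typevec[MAX_TYPES];
    int ntypes;
    int proctypevec[MAX_TYPES];
    int nproctypes;
};

static int in_progress(const struct work_stuff *w, int idx)
{
    for (int i = 0; i < w->nproctypes; i++)
        if (w->proctypevec[i] == idx)
            return 1;
    return 0;
}

/* Append s to out (capacity outlen). Returns 0 if it would not fit. */
static int append(char *out, size_t outlen, const char *s)
{
    size_t used = strlen(out), need = strlen(s);
    if (used + need + 1 > outlen)
        return 0;
    memcpy(out + used, s, need + 1);
    return 1;
}

/* Demangle remembered type idx into out. Returns 1 on success, 0 on a bad
   index, a full buffer, or a reference cycle. Without the in_progress check
   a self-referencing entry would recurse until the stack overflows, which is
   the failure mode the bug report describes. */
static int demangle_type(struct work_stuff *w, int idx, char *out, size_t outlen)
{
    if (idx < 0 || idx >= w->ntypes)
        return 0;
    if (in_progress(w, idx))
        return 0;                      /* cycle: expanding idx needs idx itself */
    const struct remembered *t = &w->typevec[idx];
    if (t->literal)
        return append(out, outlen, t->literal);

    w->proctypevec[w->nproctypes++] = idx;      /* mark as being demangled */
    int ok = demangle_type(w, t->ref, out, outlen);
    w->nproctypes--;                            /* done with this entry */
    if (!ok)
        return 0;
    return append(out, outlen, t->suffix);
}

/* Constructed sample table: entries 0-2 are well formed, 3 refers to itself,
   4 and 5 refer to each other. */
static void build_sample(struct work_stuff *w)
{
    static const struct remembered sample[] = {
        { "int", -1, NULL }, /* 0: int   */
        { NULL,  0, "*"  },  /* 1: int*  */
        { NULL,  1, "&"  },  /* 2: int*& */
        { NULL,  3, "*"  },  /* 3: self-reference */
        { NULL,  5, "*"  },  /* 4: 4 -> 5 -> 4 */
        { NULL,  4, "&"  },  /* 5: other half of the cycle */
    };
    memset(w, 0, sizeof *w);
    w->ntypes = (int)(sizeof sample / sizeof sample[0]);
    memcpy(w->typevec, sample, sizeof sample);
}

/* Demangle entry idx of the sample table; returns 1 and fills out on success. */
int demangle_sample(int idx, char *out, size_t outlen)
{
    struct work_stuff w;
    build_sample(&w);
    out[0] = '\0';
    return demangle_type(&w, idx, out, outlen);
}

/* 1 when sample entry idx demangles successfully to exactly expected. */
int sample_demangles_to(int idx, const char *expected)
{
    char buf[64];
    return demangle_sample(idx, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[64];
    for (int i = 0; i < 6; i++) {
        if (demangle_sample(i, buf, sizeof buf))
            printf("type %d -> %s\n", i, buf);
        else
            printf("type %d -> demangling failed (bad reference or cycle)\n", i);
    }
    return 0;
}
```

Entries 0 to 2 print "int", "int*" and "int*&"; entries 3, 4 and 5 report a failed demangle rather than recursing. The recursion depth is bounded by the table size because every index is pushed onto proctypevec at most once per expansion, which is the property the patch relies on.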
openSUSE:12.3/crash/crash-6.0.7.tar.gz.contents/crash-6.0.7/gdb-7.3.1.tar.gz.contents/gdb-7.3.1/libiberty/ChangeLog
1501: (work_stuff_copy_to_from): Use XNEWVEC insteand of xmalloc().
1911: work_stuff_copy_to_from, delete_non_B_K_work_stuff,
3234: (work_stuff_copy_to_from): Cast return of xmalloc to char **.
4417: * cplus-dem.c (work_stuff_copy_to_from): New.

openSUSE:12.3/crash/crash-6.0.7.tar.gz.contents/crash-6.0.7/gdb-7.3.1.tar.gz.contents/gdb-7.3.1/libiberty/cplus-dem.c
335:static void work_stuff_copy_to_from (struct work_stuff *, struct work_stuff *);
1232:work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)
2641: work_stuff_copy_to_from (&work_init, work);
2662: work_stuff_copy_to_from (work, &work_init);

openSUSE:13.1/crash/crash-7.0.2.tar.gz.contents/crash-7.0.2/gdb-7.6.tar.gz.contents/gdb-7.6/libiberty/ChangeLog
1874: (work_stuff_copy_to_from): Use XNEWVEC insteand of xmalloc().
2284: work_stuff_copy_to_from, delete_non_B_K_work_stuff,
3607: (work_stuff_copy_to_from): Cast return of xmalloc to char **.
4790: * cplus-dem.c (work_stuff_copy_to_from): New.

openSUSE:13.1/crash/crash-7.0.2.tar.gz.contents/crash-7.0.2/gdb-7.6.tar.gz.contents/gdb-7.6/libiberty/cplus-dem.c
335:static void work_stuff_copy_to_from (struct work_stuff *, struct work_stuff *);
1232:work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)
2640: work_stuff_copy_to_from (&work_init, work);
2661: work_stuff_copy_to_from (work, &work_init);

openSUSE:13.2/crash/crash-7.0.8.tar.gz.contents/crash-7.0.8/gdb-7.6.tar.gz.contents/gdb-7.6/libiberty/ChangeLog
1874: (work_stuff_copy_to_from): Use XNEWVEC insteand of xmalloc().
2284: work_stuff_copy_to_from, delete_non_B_K_work_stuff,
3607: (work_stuff_copy_to_from): Cast return of xmalloc to char **.
4790: * cplus-dem.c (work_stuff_copy_to_from): New.

openSUSE:13.2/crash/crash-7.0.8.tar.gz.contents/crash-7.0.8/gdb-7.6.tar.gz.contents/gdb-7.6/libiberty/cplus-dem.c
335:static void work_stuff_copy_to_from (struct work_stuff *, struct work_stuff *);
1232:work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)
2640: work_stuff_copy_to_from (&work_init, work);
2661: work_stuff_copy_to_from (work, &work_init);
Security impact of this is marginal. Not requesting an update, may be fixed with a future maintenance update.
bugbot adjusting priority
We have an update running, can you include the fix?
This bug has still not been addressed, could you please look into it?