Bug 987637 - VUL-1: CVE-2016-6131: gdb: libiberty emangler segfaults
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Michael Matz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170574/
Whiteboard: CVSSv2:SUSE:CVE-2016-6131:1.9:(AV:L/A...
Depends on: CVE-2016-6131
Blocks:
Reported: 2016-07-05 10:00 UTC by Andreas Stieger
Modified: 2023-02-08 16:51 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-05 10:00:18 UTC
+++ This bug was initially created as a clone of Bug #987552 +++

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696

Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind, GDB, Binutils (e.g., objdump, nm, ..), Gcov, or other LibBFD-based tools. An attacker might modify a program binary such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first place) or during the attempt to reverse-engineer an untrusted binary.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none"  >>  ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc

A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html
From patch submission:
The attached patch fixes the stack overflow in the demangler due to cycles in the references of “remembered” mangled types (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696).

The methods demangle_signature and do_arg in cplus-dem.c allow the demangler to “remember” mangled type names that can later be referenced and will also be demangled. The method demangle_args demangles those types following any references. So, if there is a cycle in the referencing (or in the simplest case a self-reference), the method enters infinite recursion.

The patch tracks the mangled types that are currently being demangled in a new variable called work->proctypevec. If a referenced type is currently being demangled, the demangling is marked as not successful.

Bootstrapped and regression tested on x86_64-pc-linux-gnu. Test case added to libiberty/testsuite/demangler-expected and checked PR71696 is resolved.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6131
http://seclists.org/oss-sec/2016/q2/633
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6131.html
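The description above explains the defect (a remembered type that refers back to itself, or to a chain of types that leads back to it, is expanded recursively without end) and the fix (track the types currently being expanded in work->proctypevec and fail when a referenced type is already on that list). The following is an added toy model written for this page to illustrate that mechanism; it is not code from libiberty's cplus-dem.c, and the mangling format, the struct and function names (work, typevec, proctypevec, expand_type, demangle_types) and all sample inputs are constructed for the example. In this model a mangled string is copied through verbatim except that "T<d>" is a back-reference to remembered type <d>, which is expanded in place.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed toy model of the "remembered types" mechanism, NOT libiberty
 * code. Names only mirror the patch description quoted in this bug. */

#define MAX_TYPES 10   /* single-digit back-references T0..T9 */

struct work {
    const char *typevec[MAX_TYPES]; /* remembered mangled types */
    int ntypes;
    int proctypevec[MAX_TYPES];     /* indices of types currently being expanded */
    int nproc;
};

/* Is remembered type idx already on the expansion stack? */
static int type_in_progress(const struct work *w, int idx)
{
    for (int i = 0; i < w->nproc; i++)
        if (w->proctypevec[i] == idx)
            return 1;
    return 0;
}

/* Expand s into out[0..outsz), appending at *pos. Returns 1 on success, 0 on
 * a cycle, a dangling reference, or output overflow. Without the
 * type_in_progress check, a type remembered as "T0" at index 0 would recurse
 * until the stack is exhausted, which is the crash the bug describes. */
static int expand_type(struct work *w, const char *s, char *out, size_t outsz, size_t *pos)
{
    while (*s) {
        if (*s == 'T' && s[1] >= '0' && s[1] <= '9') {
            int idx = s[1] - '0';
            s += 2;
            if (idx >= w->ntypes)
                return 0;               /* reference to a type never remembered */
            if (type_in_progress(w, idx))
                return 0;               /* cycle: report failure instead of recursing */
            /* Each index is pushed at most once, so nproc <= ntypes <= MAX_TYPES. */
            w->proctypevec[w->nproc++] = idx;
            int ok = expand_type(w, w->typevec[idx], out, outsz, pos);
            w->nproc--;
            if (!ok)
                return 0;
        } else {
            if (*pos + 1 >= outsz)
                return 0;               /* leave room for the terminator */
            out[(*pos)++] = *s++;
        }
    }
    out[*pos] = '\0';
    return 1;
}

/* Demangle sig against ntypes remembered types. Returns 1 on success, 0 on
 * failure (out is then the empty string). */
int demangle_types(const char *const *types, int ntypes, const char *sig, char *out, size_t outsz)
{
    struct work w;
    if (ntypes < 0 || ntypes > MAX_TYPES || outsz == 0)
        return 0;
    for (int i = 0; i < ntypes; i++)
        w.typevec[i] = types[i];
    w.ntypes = ntypes;
    w.nproc = 0;
    size_t pos = 0;
    int ok = expand_type(&w, sig, out, outsz, &pos);
    if (!ok)
        out[0] = '\0';
    return ok;
}

/* Constructed inputs: an acyclic chain, a self-reference, and a two-step cycle. */
int example_valid(void)           /* T1 -> T0 -> "int": expands to "f(int*, int)" */
{
    static const char *const types[] = { "int", "T0*" };
    char buf[64];
    return demangle_types(types, 2, "f(T1, T0)", buf, sizeof buf)
        && strcmp(buf, "f(int*, int)") == 0;
}

int example_self_reference(void)  /* type 0 remembered as "T0": rejected */
{
    static const char *const types[] = { "T0" };
    char buf[64];
    return demangle_types(types, 1, "f(T0)", buf, sizeof buf);
}

int example_two_cycle(void)       /* T0 -> T1 -> T0: rejected */
{
    static const char *const types[] = { "T1", "T0" };
    char buf[64];
    return demangle_types(types, 2, "g(T1)", buf, sizeof buf);
}

int main(void)
{
    printf("valid: %d, self-reference: %d, two-cycle: %d\n",
           example_valid(), example_self_reference(), example_two_cycle());
    return 0;
}
```

The in-progress list is the whole fix: a reference is followed only if the referenced type is not already being expanded, so the recursion depth is bounded by the number of remembered types regardless of what the input binary contains, and cyclic input degrades to a clean demangling failure rather than a crash of the analysis tool.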
Comment 1 Andreas Stieger 2016-07-05 10:00:37 UTC
openSUSE:12.3/gdb/gdb-7.5.1.tar.bz2.contents/gdb-7.5.1/libiberty/cplus-dem.c
openSUSE:13.1/gdb/gdb-7.6.50.20130731-cvs.tar.bz2.contents/gdb-7.6.50.20130731-cvs/libiberty/cplus-dem.c
openSUSE:13.2/gdb/gdb-7.8.tar.bz2.contents/gdb-7.8/libiberty/cplus-dem.c
openSUSE:Factory/gdb/gdb-7.11.tar.bz2.contents/gdb-7.11/libiberty/cplus-dem.c
Comment 3 Andreas Stieger 2016-07-05 13:46:49 UTC
Security impact of this is marginal. Not requesting an update, may be fixed with a future maintenance update.
Comment 4 Swamp Workflow Management 2016-07-05 22:01:00 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2016-09-16 16:12:41 UTC
SUSE-RU-2016:2326-1: An update that has three recommended fixes can now be installed.

Category: recommended (low)
Bug References: 944105,987637,994537
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gdb-7.11.1-8.38.1
SUSE Linux Enterprise Server 12-SP1 (src):    gdb-7.11.1-8.38.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gdb-7.11.1-8.38.1
Comment 7 Swamp Workflow Management 2016-09-26 09:09:36 UTC
openSUSE-RU-2016:2380-1: An update that has three recommended fixes can now be installed.

Category: recommended (low)
Bug References: 944105,987637,994537
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    gdb-7.11.1-16.1
Comment 9 Michael Matz 2023-02-08 16:51:14 UTC
Fixed a long time ago. (When libiberty, and hence binutils, was affected: by version updates to binutils for sle-12 and sle-15; sle-11 wontfix.)