
[Bug binutils/22886] New: Timeout at cplus-dem.c (73658672)


From: security-tps at google dot com
Subject: [Bug binutils/22886] New: Timeout at cplus-dem.c (73658672)
Date: Sat, 24 Feb 2018 00:17:19 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22886

            Bug ID: 22886
           Summary: Timeout at cplus-dem.c (73658672)
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 10848
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10848&action=edit
Dockerfile and poc

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master
5bce538d6a6ec216bfbfa7484f356b396dd4da9e).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.binutils /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run --cap-add=SYS_PTRACE -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 151352331
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
ALARM: working on the last Unit for 25 seconds
       and the timeout value is 25 (use -timeout=N to change)
==11== ERROR: libFuzzer: timeout after 25 seconds
    #0 0x4da793 in __sanitizer_print_stack_trace
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4da793)
    #1 0x535e67 in fuzzer::Fuzzer::AlarmCallback()
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x535e67)
    #2 0x7f2984ebe0bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x110bf)
    #3 0x4edb08 in __sanitizer::StackDepotPut(__sanitizer::StackTrace)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4edb08)
    #4 0x424392 in __asan::asan_malloc(unsigned long,
__sanitizer::BufferedStackTrace*)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x424392)
    #5 0x4cd464 in __interceptor_malloc
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4cd464)
    #6 0x530a29 in xmalloc /fuzzing/binutils-gdb/libiberty/xmalloc.c:147:12
    #7 0x51175b in string_need
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4906:21
    #8 0x5111ee in string_appends
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4974:7
    #9 0x518327 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4295:7
    #10 0x51767d in demangle_args
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #11 0x50e229 in demangle_signature
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #12 0x50bc20 in internal_cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #13 0x50a98c in cplus_demangle
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #14 0x50847d in LLVMFuzzerTestOneInput
/fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #15 0x53779c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53779c)
    #16 0x536f5e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x536f5e)
    #17 0x530dbd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*)
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530dbd)
    #18 0x53228f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53228f)
    #19 0x530c6c in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x530c6c)
    #20 0x7f298450b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x41db69 in _start
(/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41db69)

SUMMARY: libFuzzer: timeout

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the
report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
