[Bug binutils/22710] New: Signed Integer Overflow (71889280)

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/22710] New: Signed Integer Overflow (71889280)

From:	security-tps at google dot com
Subject:	[Bug binutils/22710] New: Signed Integer Overflow (71889280)
Date:	Mon, 15 Jan 2018 10:35:07 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22710

            Bug ID: 22710
           Summary: Signed Integer Overflow (71889280)
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 10745
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10745&action=edit
poc and dockerfile to reproduce

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
binutils (tested with revision * master
58807c48a5a317ad3e2d39a8755168a3d4d5fdf8).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.binutils /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

>From another terminal, outside the container:
`docker cp /path/to/attached/reproducer
running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
INFO: Seed: 3029575691
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10: runtime error: signed
integer overflow: 777777777 * 10 cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10 in 

```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the
report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/22710] New: Signed Integer Overflow (71889280), security-tps at google dot com <=

Prev by Date: [Bug ld/22706] New: bfd/elf32-sh.c fails asserts without additional information: sh4-unknown-linux-gnu-ld: BFD assertion fail bfd/elf32-sh.c:5171
Next by Date: [Bug binutils/22712] New: Stack Overflow (71959517)
Previous by thread: [Bug ld/22706] New: bfd/elf32-sh.c fails asserts without additional information: sh4-unknown-linux-gnu-ld: BFD assertion fail bfd/elf32-sh.c:5171
Next by thread: [Bug binutils/22712] New: Stack Overflow (71959517)
Index(es):
- Date
- Thread