Message ID | f4f09ee47c03316cdcb7016223b9a4ff1a7dbe77.camel@lsferreira.net |
---|---|
State | New |
Headers | From: Luís Ferreira <contact@lsferreira.net>; To: gcc-patches@gcc.gnu.org; Date: Wed, 22 Sep 2021 02:10:34 +0100; Subject: [PATCH] libiberty: prevent buffer overflow when decoding user input; Message-ID: <f4f09ee47c03316cdcb7016223b9a4ff1a7dbe77.camel@lsferreira.net>; Reply-To: lsferreira@riseup.net |
Series | libiberty: prevent buffer overflow when decoding user input |
Commit Message
Luís Ferreira
Sept. 22, 2021, 1:10 a.m. UTC
Currently a stack/heap overflow may happen if a crafted mangle is maliciously used to cause denial of service, such as intentional crashes by accessing a reserved memory space.
Signed-off-by: Luís Ferreira <contact@lsferreira.net>
---
libiberty/d-demangle.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
backref = dlang_lname (decl, backref, len);
Comments
> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
>
>
> Currently a stack/heap overflow may happen if a crafted mangle is
> maliciously used to cause denial of service, such as intentional
> crashes
> by accessing a reserved memory space.
>

Hi,

Thanks for this. Is there a test that could trigger this code path?

Iain.

> Signed-off-by: Luís Ferreira <contact@lsferreira.net>
> ---
> libiberty/d-demangle.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> index a2152cc65518..7ded3e2a2563 100644
> --- a/libiberty/d-demangle.c
> +++ b/libiberty/d-demangle.c
> @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> *mangled,
>
> /* Must point to a simple identifier. */
> backref = dlang_number (backref, &len);
> - if (backref == NULL)
> + if (backref == NULL || strlen(backref) < len)
> return NULL;
>
> backref = dlang_lname (decl, backref, len);
Hi,

Here is an example of a crafted mangle that can cause heap buffer overflow.

```
fuzzer-results/crash-18b7f0799be49886550876b5ab6bb63e4231979b
_D2FGWG44444444444444444EQe
00000000  5f 44 32 46 47 57 47 34 34 34 34 34 34 34 34 34  |_D2FGWG444444444|
00000010  34 34 34 34 34 34 34 34 45 51 65 0a              |44444444EQe.|
0000001c
```

Here is an example of a crafted mangle that can cause stack buffer overflow.

```
fuzzer-results/crash-79833f1c8ce510bbf138c0d5ad06a7fb11ce3bae
_D8ee2_1111Qe
00000000  5f 44 38 65 65 32 5f 31 31 31 31 51 65  |_D8ee2_1111Qe|
0000000d
```

Even though this triggers UB by reading/writing other memory space, I couldn't find a situation where this constantly fails, although, if running with an address + UB sanitizer, this can be easily caught and replicated with some confidence. I didn't add this to the test suite because of that.

On Thu, 2021-09-23 at 12:16 +0200, ibuclaw@gdcproject.org wrote:
> > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
> >
> >
> > Currently a stack/heap overflow may happen if a crafted mangle is
> > maliciously used to cause denial of service, such as intentional
> > crashes
> > by accessing a reserved memory space.
> >
>
> Hi,
>
> Thanks for this. Is there a test that could trigger this code path?
>
> Iain.
>
> > Signed-off-by: Luís Ferreira <contact@lsferreira.net>
> > ---
> > libiberty/d-demangle.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
> > index a2152cc65518..7ded3e2a2563 100644
> > --- a/libiberty/d-demangle.c
> > +++ b/libiberty/d-demangle.c
> > @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char
> > *mangled,
> >
> > /* Must point to a simple identifier. */
> > backref = dlang_number (backref, &len);
> > - if (backref == NULL)
> > + if (backref == NULL || strlen(backref) < len)
> > return NULL;
> >
> > backref = dlang_lname (decl, backref, len);
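To make the defect class concrete, here is an added example that is not libiberty code: a toy length-prefixed identifier reader shaped like the `dlang_number`/`dlang_lname` pair, under the hypothetical names `demo_number`, `demo_overread_bytes` and `demo_lname`. On constructed inputs of the same shape as the fuzzer crashes above (a length prefix that claims more bytes than follow it), it reports how far an unchecked consumer would read past the terminator and shows the patch's remaining-length check rejecting the input before any byte is consumed.

```c
/* Added example, not libiberty code: a toy length-prefixed identifier
   reader shaped like dlang_number()/dlang_lname().  All names are
   hypothetical; the inputs in main() are constructed, not real symbols.  */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse a decimal length prefix.  Returns a pointer past the digits, or
   NULL when no digit is present or the value would overflow a long, so a
   wrapped-around or negative length can never reach the caller.  */
static const char *
demo_number (const char *p, long *ret)
{
  if (p == NULL || *p < '0' || *p > '9')
    return NULL;
  *ret = 0;
  while (*p >= '0' && *p <= '9')
    {
      int d = *p - '0';
      if (*ret > (LONG_MAX - d) / 10)
        return NULL;
      *ret = *ret * 10 + d;
      p++;
    }
  return p;
}

/* How many bytes an unchecked consumer of the prefix would read past the
   terminating NUL: the bug the patch closes.  Only computes the deficit;
   it never performs the out-of-bounds read.  Returns -1 on a bad prefix.  */
static long
demo_overread_bytes (const char *mangled)
{
  long len;
  const char *p = demo_number (mangled, &len);
  if (p == NULL)
    return -1;
  long remaining = (long) strlen (p);
  return len > remaining ? len - remaining : 0;
}

/* Hardened consumer mirroring the patch: refuse the identifier when fewer
   than len bytes remain before the NUL, then copy it into out.  Returns a
   pointer past the identifier, or NULL on rejection.  */
static const char *
demo_lname (const char *mangled, char *out, size_t outsz)
{
  long len;
  const char *p = demo_number (mangled, &len);
  /* The patch's check; len is non-negative here, so the size_t cast is safe.  */
  if (p == NULL || strlen (p) < (size_t) len)
    return NULL;
  if ((size_t) len >= outsz)
    return NULL;                 /* no room for the identifier plus NUL */
  memcpy (out, p, (size_t) len);
  out[len] = '\0';
  return p + len;
}

int
main (void)
{
  /* Constructed inputs: a well-formed prefix, one that claims more bytes
     than follow it, and one whose prefix does not fit in a long.  */
  const char *samples[] = { "3abcQe", "8ee2_111", "99999999999999999999x" };
  char ident[32];
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      long over = demo_overread_bytes (samples[i]);
      const char *rest = demo_lname (samples[i], ident, sizeof ident);
      printf ("%-24s unchecked over-read: %ld byte(s); hardened: %s\n",
              samples[i], over, rest ? ident : "rejected");
    }
  return 0;
}
```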
On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
>> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
>>
>>
>> Currently a stack/heap overflow may happen if a crafted mangle is
>> maliciously used to cause denial of service, such as intentional
>> crashes
>> by accessing a reserved memory space.
>>
> Hi,
>
> Thanks for this. Is there a test that could trigger this code path?

I don't think Luis has commit privs, so I went ahead and committed this patch.

Yea, a testcase would be great.

Jeff
On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
>
>
> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
> > >
> > >
> > > Currently a stack/heap overflow may happen if a crafted mangle is
> > > maliciously used to cause denial of service, such as intentional
> > > crashes
> > > by accessing a reserved memory space.
> > >
> > Hi,
> >
> > Thanks for this. Is there a test that could trigger this code
> > path?
> I don't think Luis has commit privs, so I went ahead and committed
> this
> patch.
>
> Yea, a testcase would be great.
>
> Jeff
>

Does the test suite run against address sanitization? If yes, I can submit a patch to make this fail; otherwise it is hard to trigger a consistent crash for this issue.
On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
>>
>> On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
>>>> On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net> wrote:
>>>>
>>>>
>>>> Currently a stack/heap overflow may happen if a crafted mangle is
>>>> maliciously used to cause denial of service, such as intentional
>>>> crashes
>>>> by accessing a reserved memory space.
>>>>
>>> Hi,
>>>
>>> Thanks for this. Is there a test that could trigger this code
>>> path?
>> I don't think Luis has commit privs, so I went ahead and committed
>> this
>> patch.
>>
>> Yea, a testcase would be great.
>>
>> Jeff
>>
> Does the test suite runned against address sanitization? if yes, I can
> submit a patch to make this fail, otherwise it is hard to trigger a
> consistent crash for this issue.

Unfortunately, no, it doesn't run with sanitization. If it's too painful to create a test, don't worry about it. It happens from time to time.

jeff
On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
>
>
> On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > >
> > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net>
> > > > > wrote:
> > > > >
> > > > >
> > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > mangle is
> > > > > maliciously used to cause denial of service, such as
> > > > > intentional
> > > > > crashes
> > > > > by accessing a reserved memory space.
> > > > >
> > > > Hi,
> > > >
> > > > Thanks for this. Is there a test that could trigger this code
> > > > path?
> > > I don't think Luis has commit privs, so I went ahead and
> > > committed
> > > this
> > > patch.
> > >
> > > Yea, a testcase would be great.
> > >
> > > Jeff
> > >
> > Does the test suite runned against address sanitization? if yes, I
> > can
> > submit a patch to make this fail, otherwise it is hard to trigger a
> > consistent crash for this issue.
> Unfortunately, no it doesn't run with sanitization. If it's too
> painful
> to create a test, don't worry about it. It happens from time to
> time.
>
> jeff

I would like to add address sanitization if I knew how GCC autotools work, but I think this is a better fit for when I invest some time implementing something for OSS fuzz and build some infrastructure for fuzzing parts of GCC.
On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net> wrote:
>
> On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> >
> >
> > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > >
> > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > On 22/09/2021 03:10 Luís Ferreira <contact@lsferreira.net>
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > > mangle is
> > > > > > maliciously used to cause denial of service, such as
> > > > > > intentional
> > > > > > crashes
> > > > > > by accessing a reserved memory space.
> > > > > >
> > > > > Hi,
> > > > >
> > > > > Thanks for this. Is there a test that could trigger this code
> > > > > path?
> > > > I don't think Luis has commit privs, so I went ahead and
> > > > committed
> > > > this
> > > > patch.
> > > >
> > > > Yea, a testcase would be great.
> > > >
> > > > Jeff
> > > >
> > > Does the test suite runned against address sanitization? if yes, I
> > > can
> > > submit a patch to make this fail, otherwise it is hard to trigger a
> > > consistent crash for this issue.
> > Unfortunately, no it doesn't run with sanitization. If it's too
> > painful
> > to create a test, don't worry about it. It happens from time to
> > time.
> >
> > jeff
>
> I would like to add address sanitization if I knew how GCC autotools
> work but I think this is a better fit when I invest some time
> implementing something to OSS fuzz and build some infrastructure for
> fuzzing parts of the GCC.
>

I can help with the autotools part if you can say how precisely you'd like to use them to add address sanitization. And as for the OSS fuzz part, I think someone tried setting up auto-fuzzing for it once, but the main bottleneck was getting the bug reports that it generated properly triaged, so if you could make sure the bug-submitting portion of the process is properly streamlined, that'd probably go a long way towards helping it be useful.

> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>
On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> On Tue, Oct 5, 2021 at 1:28 PM Luís Ferreira <contact@lsferreira.net>
> wrote:
> >
> > On Tue, 2021-10-05 at 09:00 -0600, Jeff Law wrote:
> > >
> > >
> > > On 10/4/2021 10:52 AM, Luís Ferreira wrote:
> > > > On Thu, 2021-09-23 at 09:50 -0600, Jeff Law wrote:
> > > > >
> > > > > On 9/23/2021 4:16 AM, ibuclaw--- via Gcc-patches wrote:
> > > > > > > On 22/09/2021 03:10 Luís Ferreira
> > > > > > > <contact@lsferreira.net>
> > > > > > > wrote:
> > > > > > >
> > > > > > >
> > > > > > > Currently a stack/heap overflow may happen if a crafted
> > > > > > > mangle is
> > > > > > > maliciously used to cause denial of service, such as
> > > > > > > intentional
> > > > > > > crashes
> > > > > > > by accessing a reserved memory space.
> > > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Thanks for this. Is there a test that could trigger this
> > > > > > code
> > > > > > path?
> > > > > I don't think Luis has commit privs, so I went ahead and
> > > > > committed
> > > > > this
> > > > > patch.
> > > > >
> > > > > Yea, a testcase would be great.
> > > > >
> > > > > Jeff
> > > > >
> > > > Does the test suite runned against address sanitization? if
> > > > yes, I
> > > > can
> > > > submit a patch to make this fail, otherwise it is hard to
> > > > trigger a
> > > > consistent crash for this issue.
> > > Unfortunately, no it doesn't run with sanitization. If it's too
> > > painful
> > > to create a test, don't worry about it. It happens from time to
> > > time.
> > >
> > > jeff
> >
> > I would like to add address sanitization if I knew how GCC
> > autotools
> > work but I think this is a better fit when I invest some time
> > implementing something to OSS fuzz and build some infrastructure
> > for
> > fuzzing parts of the GCC.
> >
>
> I can help with the autotools part if you can say how precisely you'd
> like to use them to add address sanitization. And as for the OSS
> fuzz part, I think someone tried setting up auto-fuzzing for it once,
> but the main bottleneck was getting the bug reports that it generated
> properly triaged, so if you could make sure the bug-submitting
> portion
> of the process is properly streamlined, that'd probably go a long way
> towards helping it be useful.

Bugs are normally reported by email or mailing list. Is there any writable mailing list to publish bugs or is it strictly needed to open an entry on bugzilla?
Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>>
>> I can help with the autotools part if you can say how precisely you'd
>> like to use them to add address sanitization. And as for the OSS
>> fuzz part, I think someone tried setting up auto-fuzzing for it once,
>> but the main bottleneck was getting the bug reports that it generated
>> properly triaged, so if you could make sure the bug-submitting
>> portion
>> of the process is properly streamlined, that'd probably go a long way
>> towards helping it be useful.
>
> Bugs are normally reported by email or mailing list. Is there any
> writable mailing list to publish bugs or is it strictly needed to open
> an entry on bugzilla?
>

Please open an issue on bugzilla; fixes towards it can then be referenced in the commit message/patch posted here.

Iain.
On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > >
> > > I can help with the autotools part if you can say how precisely
> > > you'd
> > > like to use them to add address sanitization. And as for the OSS
> > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > once,
> > > but the main bottleneck was getting the bug reports that it
> > > generated
> > > properly triaged, so if you could make sure the bug-submitting
> > > portion
> > > of the process is properly streamlined, that'd probably go a long
> > > way
> > > towards helping it be useful.
> >
> > Bugs are normally reported by email or mailing list. Is there any
> > writable mailing list to publish bugs or is it strictly needed to
> > open
> > an entry on bugzilla?
> >
>
> Please open an issue on bugzilla, fixes towards it can then be
> referenced in the commit message/patch posted here.
>
> Iain.

You mean for this current issue? The discussion was about future bug reports reported by the OSS fuzzer workers. I can also open an issue on the bugzilla for this issue, please clarify it and let me know :)
Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
>> Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
>> > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
>> > >
>> > > I can help with the autotools part if you can say how precisely
>> > > you'd
>> > > like to use them to add address sanitization. And as for the OSS
>> > > fuzz part, I think someone tried setting up auto-fuzzing for it
>> > > once,
>> > > but the main bottleneck was getting the bug reports that it
>> > > generated
>> > > properly triaged, so if you could make sure the bug-submitting
>> > > portion
>> > > of the process is properly streamlined, that'd probably go a long
>> > > way
>> > > towards helping it be useful.
>> >
>> > Bugs are normally reported by email or mailing list. Is there any
>> > writable mailing list to publish bugs or is it strictly needed to
>> > open
>> > an entry on bugzilla?
>> >
>>
>> Please open an issue on bugzilla, fixes towards it can then be
>> referenced in the commit message/patch posted here.
>>
>> Iain.
>
> You mean for this current issue? The discussion was about future bug
> reports reported by the OSS fuzzer workers. I can also open an issue on
> the bugzilla for this issue, please clarify it and let me know :)
>

1. Open one for this issue.

2. Bugs found by the fuzzer would be reported to bugzilla.
https://gcc.gnu.org/bugs/

Iain.
On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > >
> > > > > I can help with the autotools part if you can say how precisely
> > > > > you'd
> > > > > like to use them to add address sanitization. And as for the
> > > > > OSS
> > > > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > > > once,
> > > > > but the main bottleneck was getting the bug reports that it
> > > > > generated
> > > > > properly triaged, so if you could make sure the bug-submitting
> > > > > portion
> > > > > of the process is properly streamlined, that'd probably go a
> > > > > long
> > > > > way
> > > > > towards helping it be useful.
> > > >
> > > > Bugs are normally reported by email or mailing list. Is there any
> > > > writable mailing list to publish bugs or is it strictly needed to
> > > > open
> > > > an entry on bugzilla?
> > > >
> > >
> > > Please open an issue on bugzilla, fixes towards it can then be
> > > referenced in the commit message/patch posted here.
> > >
> > > Iain.
> >
> > You mean for this current issue? The discussion was about future bug
> > reports reported by the OSS fuzzer workers. I can also open an issue
> > on
> > the bugzilla for this issue, please clarify it and let me know :)
> >
>
> 1. Open one for this issue.
>
> 2. Bugs found by the fuzzer would report to bugzilla.
> https://gcc.gnu.org/bugs/
>
> Iain.

Cross-referencing the created issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira <contact@lsferreira.net> wrote:
>
> On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 pm:
> > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > >
> > > > > > I can help with the autotools part if you can say how precisely
> > > > > > you'd
> > > > > > like to use them to add address sanitization. And as for the
> > > > > > OSS
> > > > > > fuzz part, I think someone tried setting up auto-fuzzing for it
> > > > > > once,
> > > > > > but the main bottleneck was getting the bug reports that it
> > > > > > generated
> > > > > > properly triaged, so if you could make sure the bug-submitting
> > > > > > portion
> > > > > > of the process is properly streamlined, that'd probably go a
> > > > > > long
> > > > > > way
> > > > > > towards helping it be useful.
> > > > >
> > > > > Bugs are normally reported by email or mailing list. Is there any
> > > > > writable mailing list to publish bugs or is it strictly needed to
> > > > > open
> > > > > an entry on bugzilla?
> > > > >
> > > >
> > > > Please open an issue on bugzilla, fixes towards it can then be
> > > > referenced in the commit message/patch posted here.
> > > >
> > > > Iain.
> > >
> > > You mean for this current issue? The discussion was about future bug
> > > reports reported by the OSS fuzzer workers. I can also open an issue
> > > on
> > > the bugzilla for this issue, please clarify it and let me know :)
> > >
> >
> > 1. Open one for this issue.
> >
> > 2. Bugs found by the fuzzer would report to bugzilla.
> > https://gcc.gnu.org/bugs/
> >
> > Iain.
>
> Cross referencing the created issue:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
>
> --
> Sincerely,
> Luís Ferreira @ lsferreira.net
>

Right, I found the previous time someone tried to set up an autofuzzer to report bugs to GCC's Bugzilla; searching for bugs reported by security-tps@google.com on Bugzilla should find them:
https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced
On Tue, 2021-10-12 at 15:40 -0400, Eric Gallager wrote:
> On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira
> <contact@lsferreira.net> wrote:
> >
> > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote:
> > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm:
> > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote:
> > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29
> > > > > pm:
> > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote:
> > > > > > >
> > > > > > > I can help with the autotools part if you can say how
> > > > > > > precisely
> > > > > > > you'd
> > > > > > > like to use them to add address sanitization. And as for
> > > > > > > the
> > > > > > > OSS
> > > > > > > fuzz part, I think someone tried setting up auto-fuzzing
> > > > > > > for it
> > > > > > > once,
> > > > > > > but the main bottleneck was getting the bug reports that
> > > > > > > it
> > > > > > > generated
> > > > > > > properly triaged, so if you could make sure the bug-
> > > > > > > submitting
> > > > > > > portion
> > > > > > > of the process is properly streamlined, that'd probably
> > > > > > > go a
> > > > > > > long
> > > > > > > way
> > > > > > > towards helping it be useful.
> > > > > >
> > > > > > Bugs are normally reported by email or mailing list. Is
> > > > > > there any
> > > > > > writable mailing list to publish bugs or is it strictly
> > > > > > needed to
> > > > > > open
> > > > > > an entry on bugzilla?
> > > > > >
> > > > >
> > > > > Please open an issue on bugzilla, fixes towards it can then
> > > > > be
> > > > > referenced in the commit message/patch posted here.
> > > > >
> > > > > Iain.
> > > >
> > > > You mean for this current issue? The discussion was about
> > > > future bug
> > > > reports reported by the OSS fuzzer workers. I can also open an
> > > > issue
> > > > on
> > > > the bugzilla for this issue, please clarify it and let me know
> > > > :)
> > > >
> > >
> > > 1. Open one for this issue.
> > >
> > > 2. Bugs found by the fuzzer would report to bugzilla.
> > > https://gcc.gnu.org/bugs/
> > >
> > > Iain.
> >
> > Cross referencing the created issue:
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702
> >
> > --
> > Sincerely,
> > Luís Ferreira @ lsferreira.net
> >
>
> Right, I found the previous time someone tried to set up an
> autofuzzer
> to report bugs to GCC's Bugzilla; searching for bugs reported by
> security-tps@google.com on Bugzilla should find them:
> https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced

Good! Do you know how and where this is being handled? I didn't find anything related to GCC/libiberty in the OSS fuzz repository. Existing resources on that could be useful to build on top of instead of designing something from scratch. I also took a look at the fuzzer included in GCC, but it doesn't include any heuristic.
diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index a2152cc65518..7ded3e2a2563 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -381,7 +381,7 @@ dlang_symbol_backref (string *decl, const char *mangled, /* Must point to a simple identifier. */ backref = dlang_number (backref, &len); - if (backref == NULL) + if (backref == NULL || strlen(backref) < len) return NULL;
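Review bot: the new condition compares `strlen(backref)`, a `size_t`, with `len`; if `len` is a signed type, which the `&len` handed to `dlang_number` leaves open, it is converted to unsigned for the comparison and a negative value would pass the check unnoticed. That is sound only if `dlang_number` can never return a negative length, so either a comment stating that invariant here or an explicit `(size_t) len` cast would make the intent checkable. The shape of the check is otherwise right: it bounds the `len` that `dlang_lname (decl, backref, len)` consumes on the next line against the bytes actually left before the terminator. Two smaller points: `strlen` rescans to the end of the mangled string on every backref resolution, so a name with many backrefs pays a quadratic cost, acceptable for a demangler but worth knowing; and `strlen(backref)` lacks the space before the parenthesis that the surrounding `dlang_number (` and `dlang_lname (` calls use.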