CVE-2019-9070: 24229 – nm: heap buffer overflow
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.
Created attachment 11612: inputs that trigger bugs
- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit 388a192d73df7439bf375d8b8042bb53a6be9c60
- run: nm -C input_file (We attached the inputs that trigger the bug)
- asan report:

==2003322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000d8 at pc 0x0000008957c6 bp 0x7ffdf2e36340 sp 0x7ffdf2e36338
READ of size 1 at 0x60e0000000d8 thread T0
    #0 0x8957c5 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12
    #1 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #2 .. #14 (13 identical frames) 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #15 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #16 .. #19 (4 identical frames) 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #20 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #21 .. #24 (4 identical frames) 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #25 0x89610c in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3416:18
    #26 .. #49 (24 identical frames) 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #50 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #51 0x889158 in d_expression /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3531:9
    #52 0x887a7d in d_array_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3011:13
    #53 0x883aa8 in cplus_demangle_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2463:13
    #54 0x893cf5 in d_parmlist /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2908:14
    #55 0x88e7a5 in d_bare_function_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2962:8
    #56 0x8828eb in d_encoding /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1343:16
    #57 0x88200d in cplus_demangle_mangled_name /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1234:7
    #58 0x88c408 in d_demangle_callback /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6292:7
    #59 0x88b8e6 in d_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6343:12
    #60 0x88b753 in cplus_demangle_v3 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6500:10
    #61 0x87f020 in cplus_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cplus-dem.c:165:13
    #62 0x517028 in bfd_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2254:9
    #63 0x4f4214 in print_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #64 0x4f2e4e in print_symbol_info_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #65 0x4f9c36 in print_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #66 0x4f7844 in print_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #67 0x4f5d3a in display_rel_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #68 0x4f2356 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #69 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #70 0x7f5777ae909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #71 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/nm+0x41d5e9)

0x60e0000000d8 is located 0 bytes to the right of 152-byte region [0x60e000000040,0x60e0000000d8)
allocated by thread T0 here:
    #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x52e4c5 in bfd_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #2 0x516f6d in bfd_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2246:24
    #3 0x4f4214 in print_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #4 0x4f2e4e in print_symbol_info_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #5 0x4f9c36 in print_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #6 0x4f7844 in print_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #7 0x4f5d3a in display_rel_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #8 0x4f2356 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #9 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #10 0x7f5777ae909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12 in d_expression_1
Shadow bytes around the buggy address:
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2003322==ABORTING
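What the report pins down: a one-byte READ at 0x60e0000000d8, which is the first byte after the 152-byte region that bfd_demangle obtained through bfd_malloc (bfd.c:2246) for the symbol name it passes to the demangler, reached after roughly fifty recursive d_expression_1 frames. Which lookahead in d_expression_1 performs that read, and how it was fixed, is not established on this page. The following is an added example, not libiberty's or binutils' code, that reproduces the same report shape in a small recursive-descent parser over a toy grammar I chose for illustration (unary 'ng', literal 'L<digits>E', parameter 'fp_'). The vulnerable parser advances two characters after matching only the first, so an input ending in a lone 'n' moves the cursor past the NUL terminator and the next peek reads the byte just past the malloc'd copy. The hardened parser checks the remaining length before every multi-character match and bounds recursion depth; MAX_DEPTH is my assumed value, not libiberty's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy grammar standing in for a slice of a demangler's <expression>:
 *   expr := 'ng' expr        unary minus applied to an expression
 *         | 'L' digits 'E'   integer literal
 *         | 'fp_'            first function parameter
 * Parsers return the number of grammar nodes parsed, or -1 on malformed input.
 */

#define MAX_DEPTH 1024   /* assumed recursion cap for the hardened parser */

struct cursor {
    const char *p;    /* next unread character */
    const char *end;  /* points at the NUL terminator of the string */
};

/* --- vulnerable parser: no length check before the two-character advance --- */
static int expr_vuln(struct cursor *c)
{
    char ch = *c->p;                 /* unconditional peek, like a demangler's peek helper */
    if (ch == 'n') {
        c->p += 2;                   /* assumes "ng"; if only "n" remained, p is now past the NUL */
        int sub = expr_vuln(c);      /* the peek in this call reads 1 byte past the allocation */
        return sub < 0 ? -1 : sub + 1;
    }
    if (ch == 'L') {
        c->p++;
        if (*c->p < '0' || *c->p > '9') return -1;
        while (*c->p >= '0' && *c->p <= '9') c->p++;
        if (*c->p != 'E') return -1;
        c->p++;
        return 1;
    }
    if (ch == 'f') {                 /* short-circuits at the NUL, so this path stays in bounds */
        if (c->p[1] != 'p' || c->p[2] != '_') return -1;
        c->p += 3;
        return 1;
    }
    return -1;
}

/* --- hardened parser: every multi-character match checks the remaining length --- */
static size_t left(const struct cursor *c) { return (size_t)(c->end - c->p); }

static int expr_safe(struct cursor *c, int depth)
{
    if (depth > MAX_DEPTH) return -1;            /* bound the recursion as well */
    if (left(c) >= 2 && c->p[0] == 'n' && c->p[1] == 'g') {
        c->p += 2;
        int sub = expr_safe(c, depth + 1);
        return sub < 0 ? -1 : sub + 1;
    }
    if (left(c) >= 3 && c->p[0] == 'L' && c->p[1] >= '0' && c->p[1] <= '9') {
        c->p++;
        while (left(c) > 0 && *c->p >= '0' && *c->p <= '9') c->p++;
        if (left(c) < 1 || *c->p != 'E') return -1;
        c->p++;
        return 1;
    }
    if (left(c) >= 3 && memcmp(c->p, "fp_", 3) == 0) { c->p += 3; return 1; }
    return -1;
}

/* Work on a heap copy of the name, as the allocation trace above shows bfd_demangle doing,
 * so that the over-read lands in a malloc'd region exactly as in the report. */
static int demangle_copy(const char *mangled, int vulnerable)
{
    size_t len = strlen(mangled);
    char *buf = malloc(len + 1);
    if (!buf) return -1;
    memcpy(buf, mangled, len + 1);
    struct cursor c = { buf, buf + len };
    int n = vulnerable ? expr_vuln(&c) : expr_safe(&c, 0);
    if (n >= 0 && c.p != c.end) n = -1;          /* reject trailing garbage */
    free(buf);
    return n;
}

int demangle_expr_vuln(const char *m) { return demangle_copy(m, 1); }
int demangle_expr_safe(const char *m) { return demangle_copy(m, 0); }

/* Helper: "ng" repeated reps times followed by "L1E", run through the hardened parser. */
int deep_ng_input_result(size_t reps)
{
    char *s = malloc(2 * reps + 4);
    if (!s) return -1;
    for (size_t i = 0; i < reps; i++) memcpy(s + 2 * i, "ng", 2);
    memcpy(s + 2 * reps, "L1E", 4);
    int r = demangle_expr_safe(s);
    free(s);
    return r;
}

int main(void)
{
    /* constructed input: nine well-formed "ng" prefixes and then a lone trailing 'n' */
    const char *crafted = "ngngngngngngngngngn";
    printf("safe: %d\n", demangle_expr_safe(crafted));   /* -1 */
    printf("vuln: %d\n", demangle_expr_vuln(crafted));   /* heap-buffer-overflow under ASan */
    return 0;
}
```

Build with `clang -g -fsanitize=address` and run: the vulnerable call on the crafted input produces an AddressSanitizer heap-buffer-overflow report of a 1-byte READ located 0 bytes to the right of the copied string, the same shape as the report above, after a stack of recursive expr_vuln frames; the hardened parser returns -1 because a single 'n' never satisfies `left(c) >= 2`.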
Comment 1 Nick Clifton 2019-02-18 16:53:26 UTC
Hi spinpx,
Thanks for reporting this bug. Unfortunately the problem is in the libiberty library which is maintained by the gcc project, rather than the binutils project. So please could you report this bug here:
https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc
Cheers
  Nick
Comment 3 spinpx 2019-02-19 09:08:00 UTC
It can be reproduced in commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019).