oss-sec mailing list archives

CVE Request: No demangling of untrusted binaries (2)


From: Marcel Böhme <boehme.marcel () gmail com>
Date: Thu, 30 Jun 2016 15:25:16 +0800

Hi all,

Another vulnerability in GNU Libiberty was found that impacts the security of binary analysis tools, such as Valgrind, 
GDB, Binutils (e.g., objdump, nm, ...), Gcov, or other LibBFD-based tools. An attacker might modify a program binary 
such that it executes malicious code upon *analysis* of the binary (e.g., to find whether it is malicious in the first 
place) or during the attempt to reverse-engineer an untrusted binary.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none"  >>  ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc

A stack overflow in the libiberty demangler causes its host application to crash on a tainted branch instruction. The 
problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to 
an infinite recursion during the demangling.
* GDB exploitable classifies the stack overflow as exploitable.
* Bug Report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
* Patch under review: https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html

All vulnerabilities were found with a more efficient version of the AFL fuzzer, called AFLFast.

Update on the previously reported, related vulnerabilities:
CVE-2016-2226: Fixed in trunk
CVE-2016-4487: Fixed in trunk
CVE-2016-4488: Fixed in trunk
CVE-2016-4489: Fixed in trunk
CVE-2016-4490: Fixed in trunk
CVE-2016-4491: Patch under review
CVE-2016-4492: Patch accepted
CVE-2016-4493: Patch accepted

Best regards,
- Marcel

---
Marcel Böhme
Post-doctoral Research Fellow
TSUNAMi Security Research Center
National University of Singapore
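The mechanism the post describes (a "remembered" mangled type that refers back to itself, so the demangler recurses until the stack is exhausted) is easy to reproduce in miniature. The following toy demangler is an added illustration, not code from libiberty, GDB, or the poster: it resolves a tiny grammar (`i` = int, `c` = char, `P<type>` = pointer to type, `S<n>_` = back-reference to remembered type n) against a constructed substitution table, and shows the two guards a defender wants in such a resolver: an in-progress flag per remembered entry that refuses direct or mutual self-reference, and a hard bound on recursion depth. The grammar, table contents and function names are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBS  8     /* size of the toy "remembered type" table */
#define MAX_DEPTH 64    /* hard bound on nesting; real demanglers need one too */

typedef struct {
    const char *subs[MAX_SUBS];   /* entry k is what back-reference S<k>_ expands to */
    int in_progress[MAX_SUBS];    /* cycle guard: set while entry k is being expanded */
} demangle_ctx;

/* Append text to out (NUL-terminated), refusing to overflow the buffer. */
static int append(char *out, size_t outlen, const char *text) {
    size_t used = strlen(out), need = strlen(text);
    if (used + need + 1 > outlen) return -1;
    memcpy(out + used, text, need + 1);
    return 0;
}

/* Expand one toy type starting at *pp. Returns 0 on success, -1 on malformed,
   cyclic, or too deeply nested input. Without the in_progress check, a table
   entry such as "S2_" stored at index 2 would recurse here without limit. */
static int expand(demangle_ctx *ctx, const char **pp, char *out, size_t outlen, int depth) {
    const char *p = *pp;
    if (depth > MAX_DEPTH) return -1;             /* depth guard */
    switch (*p) {
    case 'i': *pp = p + 1; return append(out, outlen, "int");
    case 'c': *pp = p + 1; return append(out, outlen, "char");
    case 'P':
        *pp = p + 1;
        if (expand(ctx, pp, out, outlen, depth + 1) != 0) return -1;
        return append(out, outlen, "*");
    case 'S': {
        if (!isdigit((unsigned char)p[1]) || p[2] != '_') return -1;
        int k = p[1] - '0';
        *pp = p + 3;
        if (k >= MAX_SUBS || ctx->subs[k] == NULL) return -1;
        if (ctx->in_progress[k]) return -1;       /* self-reference: refuse, don't recurse */
        ctx->in_progress[k] = 1;
        const char *q = ctx->subs[k];
        int rc = expand(ctx, &q, out, outlen, depth + 1);
        ctx->in_progress[k] = 0;
        return rc;
    }
    default: return -1;
    }
}

/* Demangle a whole toy string; input must be consumed completely. */
int demangle_toy(demangle_ctx *ctx, const char *input, char *out, size_t outlen) {
    if (outlen == 0) return -1;
    out[0] = '\0';
    memset(ctx->in_progress, 0, sizeof ctx->in_progress);
    const char *p = input;
    if (expand(ctx, &p, out, outlen, 0) != 0) return -1;
    return *p == '\0' ? 0 : -1;
}

/* Constructed sample table: entries 2, 3 and 4 are the "tainted" ones. */
static demangle_ctx sample_ctx(void) {
    demangle_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.subs[0] = "i";      /* int */
    ctx.subs[1] = "PS0_";   /* pointer to entry 0 -> int* */
    ctx.subs[2] = "S2_";    /* refers to itself */
    ctx.subs[3] = "S4_";    /* 3 and 4 refer to each other */
    ctx.subs[4] = "S3_";
    return ctx;
}

/* 1 if input demangles to expected against the sample table, else 0. */
int demangle_check(const char *input, const char *expected) {
    demangle_ctx ctx = sample_ctx();
    char out[128];
    return demangle_toy(&ctx, input, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

/* 1 if input is rejected against the sample table, else 0. */
int demangle_rejects(const char *input) {
    demangle_ctx ctx = sample_ctx();
    char out[128];
    return demangle_toy(&ctx, input, out, sizeof out) != 0;
}

/* 1 if a chain of n 'P' prefixes around int is rejected by the depth guard. */
int deep_pointer_rejected(int n) {
    char *buf = malloc((size_t)n + 2);
    memset(buf, 'P', (size_t)n);
    buf[n] = 'i'; buf[n + 1] = '\0';
    int rc = demangle_rejects(buf);
    free(buf);
    return rc;
}

int main(void) {
    const char *samples[] = { "PS1_", "Pc", "S2_", "S3_", "S9_" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        demangle_ctx ctx = sample_ctx();
        char out[128];
        int rc = demangle_toy(&ctx, samples[i], out, sizeof out);
        printf("%-6s -> %s\n", samples[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

The in-progress flag is what turns "S2_ refers to S2_" from unbounded recursion into an immediate error, and the depth bound covers inputs that are not cyclic but nest deeper than any sane symbol (the same class of input a fuzzer such as AFL finds quickly). Both checks cost one integer per entry and one comparison per call.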
