Ghidra: demangler_gnu crashes with BAD_ACCESS in d_unqualified_name function

Created on 19 Jan 2020 · 2 Comments · Source: NationalSecurityAgency/ghidra

Describe the bug

There is a memory access violation (BAD_ACCESS) in the d_unqualified_name function [1] of demangler_gnu, as demonstrated with the string "_ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev". This leads to a segmentation fault when launching the demangler_gnu process.

[1] https://github.com/NationalSecurityAgency/ghidra/blob/6ae0c1ce239932882b7e4577d76ebd7d23779a09/GPL/DemanglerGnu/src/demangler_gnu/c/cp-demangle.c#L1486

To Reproduce
lldb ./GPL/DemanglerGnu/os/osx64/demangler_gnu _ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev

(lldb) target create "./GPL/DemanglerGnu/os/osx64/demangler_gnu"
Current executable set to './GPL/DemanglerGnu/os/osx64/demangler_gnu' (x86_64).
(lldb) settings set -- target.run-args "_ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev"
(lldb) r
Process 46162 launched: '/Users/marc/Downloads/ghidra_9.1.1_PUBLIC/GPL/DemanglerGnu/os/osx64/demangler_gnu' (x86_64)
Process 46162 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffea228f89d)
    frame #0: 0x0000000100009eab demangler_gnu`d_unqualified_name + 571
demangler_gnu`d_unqualified_name:
->  0x100009eab <+571>: movsx  ecx, byte ptr [rax]
    0x100009eae <+574>: cmp    ecx, 0x42
    0x100009eb1 <+577>: jne    0x100009ec8               ; <+600>
    0x100009eb7 <+583>: mov    rdi, qword ptr [rbp - 0x10]
Target 0: (demangler_gnu) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffea228f89d)
  * frame #0: 0x0000000100009eab demangler_gnu`d_unqualified_name + 571
    frame #1: 0x000000010000a09f demangler_gnu`d_prefix + 255
    frame #2: 0x0000000100009986 demangler_gnu`d_nested_name + 166
    frame #3: 0x000000010000901f demangler_gnu`d_name + 79
    frame #4: 0x00000001000023d1 demangler_gnu`d_encoding + 81
    frame #5: 0x0000000100002279 demangler_gnu`cplus_demangle_mangled_name + 201
    frame #6: 0x000000010000826c demangler_gnu`d_demangle_callback + 556
    frame #7: 0x0000000100007f91 demangler_gnu`d_demangle + 65
    frame #8: 0x0000000100007f3f demangler_gnu`cplus_demangle_v3 + 31
    frame #9: 0x00000001000103cc demangler_gnu`cplus_demangle + 188
    frame #10: 0x0000000100011b42 demangler_gnu`demangle_it + 130
    frame #11: 0x000000010001164b demangler_gnu`main + 507
    frame #12: 0x00007fff6b67c3d5 libdyld.dylib`start + 1
    frame #13: 0x00007fff6b67c3d5 libdyld.dylib`start + 1
(lldb) register read rax
     rax = 0x00007ffea228f89d

Expected behavior
No crash, return proper error return code.

Environment (please complete the following information):

  • OS: [e.g. macOS 10.14.6]
  • Java Version: [13.0.2]
  • Ghidra Version: [ 9.1.1]

Additional context
In the long run the Ghidra default demangler could be implemented in a language which does not allow memory faults when using attacker-created mangled symbols.

Demangler Bug

All 2 comments

Related to #1195

The gnu demangler is a modified version of, well, the gnu demangler. The issue may have existed within libiberty at some point. It may be solvable looking through the commit history in gcc.

Our version of the gnu demangler is quite old, probably almost 10 years at this point. We intend to update it, but have not yet done so.
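The report above faults on a byte load that is then compared against 0x42 ('B'), i.e. the demangler peeking at the character after a name whose cursor has already gone wrong, but neither the report nor the comments say how the cursor got there. The block below is an added example, not Ghidra's or libiberty's code. It shows one well-known way a length-prefixed identifier parser (the Itanium <source-name> production, "<decimal length><identifier>", which is what d_unqualified_name consumes here) walks its cursor out of bounds: the length 11951592242730 in the crashing string does not fit a 32-bit int, and once narrowed it becomes negative, passes a signed "enough bytes left?" check, and moves the cursor backwards. Beside it is the checked form that rejects such a length, and a small nested-name walker that turns the rejection into the error return the report asks for. Assumptions: a 64-bit accumulator narrowed to int32_t with two's-complement wraparound; the function names, the index-based cursor and join_nested_name() are mine, and join_nested_name() handles only plain source-name components (no substitutions, templates or ctor/dtor names). Whether this is the actual defect in Ghidra's copy is not established by the page.

```c
/*
 * Added example (not Ghidra's or libiberty's code): a minimal parser for the
 * Itanium <source-name> production, "<decimal length><identifier>", in the
 * style of a d_number/d_identifier pair. risky_source_name() shows how a
 * length that does not fit the integer carrying it can drive the cursor
 * backwards past the start of the buffer; checked_source_name() rejects it.
 * Indices are used instead of pointers so the bad offset can be reported
 * without touching memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The string from the bug report. */
#define CRASH_INPUT "_ZN11951592242730AnimationOverlayHandlerImplD18446744073709551616Ev"

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Risky shape: accumulate the length into a 64-bit value with no overflow
 * guard, narrow it to 32 bits at a call boundary (what happens when a long
 * is passed to an int parameter), bounds-check with a signed compare, then
 * move the cursor. Returns the index the cursor would land on, or -2 if the
 * name was rejected. A negative return means "before the buffer". */
static int64_t risky_source_name(const char *buf, size_t pos)
{
    size_t n = strlen(buf);
    int64_t len = 0;
    while (pos < n && is_digit(buf[pos]))
        len = len * 10 + (buf[pos++] - '0');          /* no overflow check */
    if (len <= 0)
        return -2;
    int32_t narrowed = (int32_t)len;                  /* assumed: two's-complement wrap */
    if ((int64_t)(n - pos) < narrowed)                /* false when narrowed < 0 */
        return -2;
    return (int64_t)pos + narrowed;                   /* cursor moves backwards */
}

/* Checked shape: refuse a length that would overflow a 32-bit int, refuse a
 * length longer than the remaining input. Returns the index just past the
 * identifier (where the next component starts) or -1 on error; on success
 * *id_start (if non-NULL) receives the index where the identifier begins. */
static int64_t checked_source_name(const char *buf, size_t pos, size_t *id_start)
{
    size_t n = strlen(buf);
    int64_t len = 0;
    int digits = 0;
    while (pos < n && is_digit(buf[pos])) {
        int d = buf[pos] - '0';
        if (len > (INT32_MAX - d) / 10)               /* next digit would overflow int */
            return -1;
        len = len * 10 + d;
        pos++;
        digits++;
    }
    if (digits == 0 || len == 0)                      /* no length, or empty identifier */
        return -1;
    if ((int64_t)(n - pos) < len)                     /* identifier runs past the input */
        return -1;
    if (id_start)
        *id_start = pos;
    return (int64_t)pos + len;
}

/* Walk a nested name "_ZN <source-name>... E" made only of plain source
 * names and write the components into out as "a::b::c". Returns out, or
 * NULL if the input is malformed or does not fit. On CRASH_INPUT this
 * returns NULL instead of faulting. */
static const char *join_nested_name(const char *m, char *out, size_t outsz)
{
    size_t n = strlen(m), pos = 3, used = 0;
    if (n < 5 || strncmp(m, "_ZN", 3) != 0)
        return NULL;
    out[0] = '\0';
    while (pos < n && m[pos] != 'E') {
        size_t start;
        int64_t end = checked_source_name(m, pos, &start);
        if (end < 0)
            return NULL;
        size_t idlen = (size_t)end - start;
        size_t need = (used ? 2 : 0) + idlen;
        if (used + need + 1 > outsz)                  /* would not fit, including NUL */
            return NULL;
        if (used) { memcpy(out + used, "::", 2); used += 2; }
        memcpy(out + used, m + start, idlen);
        used += idlen;
        out[used] = '\0';
        pos = (size_t)end;
    }
    return (pos < n && m[pos] == 'E' && used > 0) ? out : NULL;
}

int main(void)
{
    char out[128];
    printf("_ZN3foo3barEv -> %s\n", join_nested_name("_ZN3foo3barEv", out, sizeof out));
    printf("risky cursor index on crash input: %lld\n",
           (long long)risky_source_name(CRASH_INPUT, 3));
    printf("checked parse of crash input: %s\n",
           join_nested_name(CRASH_INPUT, out, sizeof out) ? out : "rejected");
    return 0;
}
```

risky_source_name() reports the index the cursor would land on rather than dereferencing it, so it is safe to run; on the crashing string the value is a little over 1.3 billion below the start of the buffer, which is the kind of displacement that turns a peek at the next character into a read far outside the mapped region. checked_source_name() returns -1 for the same input as soon as the eleventh digit would push the length past INT32_MAX, and join_nested_name() propagates that as a NULL, i.e. the proper error return the "Expected behavior" section asks for.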
