I wrote a quick fuzzer for libiberty’s demangler this morning. Here’s how to get and use it:
$ mkdir workdir
$ cd workdir
$ git clone git@github.com:gbenson/binutils-gdb.git src
...
$ cd src
$ git co demangler
$ cd ..
$ mkdir build
$ cd build
$ CFLAGS="-g -O0" ../src/configure --with-separate-debug-dir=/usr/lib/debug
...
$ make
...
$ ../src/fuzzer.sh
...
+ /home/gary/workdir/build/fuzzer
../src/fuzzer.sh: line 12: 22482 Segmentation fault (core dumped) $fuzzer
# copy the executable and PID from the two lines above
$ gdb -batch /home/gary/workdir/build/fuzzer core.22482 -ex "bt"
...
Core was generated by `/home/gary/workdir/build/fuzzer'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000040d5f2 in op_is_new_cast (op=0x7ffffac19930) at libiberty/cp-demangle.c:3064
3064	  const char *code = op->u.s_operator.op->code;
#0  0x000000000040d5f2 in op_is_new_cast (op=0x7ffffac19930) at libiberty/cp-demangle.c:3064
#1  0x000000000040dc6f in d_expression_1 (di=0x7ffffac19c90) at libiberty/cp-demangle.c:3232
#2  0x000000000040dfbc in d_expression (di=0x7ffffac19c90) at libiberty/cp-demangle.c:3315
#3  0x000000000040cff6 in d_array_type (di=0x7ffffac19c90) at libiberty/cp-demangle.c:2821
#4  0x000000000040c260 in cplus_demangle_type (di=0x7ffffac19c90) at libiberty/cp-demangle.c:2330
#5  0x000000000040cd70 in d_parmlist (di=0x7ffffac19c90) at libiberty/cp-demangle.c:2718
#6  0x000000000040ceb8 in d_bare_function_type (di=0x7ffffac19c90, has_return_type=0) at libiberty/cp-demangle.c:2772
#7  0x000000000040a9b2 in d_encoding (di=0x7ffffac19c90, top_level=1) at libiberty/cp-demangle.c:1287
#8  0x000000000040a6be in cplus_demangle_mangled_name (di=0x7ffffac19c90, top_level=1) at libiberty/cp-demangle.c:1164
#9  0x0000000000413131 in d_demangle_callback (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259, callback=0x40ed11, opaque=0x7ffffac19d70) at libiberty/cp-demangle.c:5862
#10 0x0000000000413267 in d_demangle (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259, palc=0x7ffffac19dd8) at libiberty/cp-demangle.c:5913
#11 0x00000000004132d6 in cplus_demangle_v3 (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259) at libiberty/cp-demangle.c:6070
#12 0x0000000000401a87 in cplus_demangle (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259) at libiberty/cplus-dem.c:858
#13 0x0000000000400ea0 in main (argc=1, argv=0x7ffffac1a0a8) at /home/gary/workdir/src/fuzzer.c:26
The symbol that crashed it is one frame up from the bottom of the backtrace.
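If you end up with a pile of core files, it gets tedious to eyeball each backtrace for that frame. Here is an added Python helper (not part of the original post or of fuzzer.sh) that re-joins frames gdb wrapped, finds the frame directly above main, and returns its mangled= string argument with gdb's escaping undone, so the input can go straight into a regression test. The frame layout and the sample backtrace come from the gdb output above; that continuation lines are indented and that strings use C-style escapes are assumptions about gdb's output format.

```python
import re

# Constructed sample: the tail of the backtrace from the post. gdb prints the
# innermost frame first, so main() is the last frame and the library entry
# point it called is the one just above it.
SAMPLE_BT = """\
#11 0x00000000004132d6 in cplus_demangle_v3 (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259) at libiberty/cp-demangle.c:6070
#12 0x0000000000401a87 in cplus_demangle (mangled=0x7ffffac19ea0 "_Z1-Av23*;cG~Wo2Vu", options=259) at libiberty/cplus-dem.c:858
#13 0x0000000000400ea0 in main (argc=1, argv=0x7ffffac1a0a8) at /home/gary/workdir/src/fuzzer.c:26
"""

# "#N [0xADDR in ]func (args)[ at file:line]"; gdb omits the address when the
# frame's pc sits at the start of a source line.
FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\((.*)\)(?:\s+at\s+(\S+))?', re.S)
# name=[0xADDR ]"..." with gdb's C-style escapes (\" \\ \ooo) left intact
STRING_ARG_RE = re.compile(r'(\w+)=(?:0x[0-9a-f]+ )?"((?:[^"\\]|\\.)*)"')

def parse_frames(bt_text):
    """Split gdb backtrace text into frames, re-joining lines gdb wrapped
    (assumed indented; the source-line echo after #0 starts with a digit)."""
    frames = []
    for line in bt_text.splitlines():
        if re.match(r'#\d+\s', line):
            frames.append(line)
        elif frames and line[:1].isspace():
            frames[-1] += ' ' + line.strip()
    parsed = []
    for f in frames:
        m = FRAME_RE.match(f)
        if m:
            parsed.append({'num': int(m.group(1)), 'func': m.group(2),
                           'args': m.group(3), 'loc': m.group(4)})
    return parsed

def crashing_input(bt_text, entry_func='main', arg_name='mangled'):
    """Return the string argument of the frame directly above entry_func:
    the input the harness handed to the library when it died."""
    frames = parse_frames(bt_text)
    for caller, callee in zip(frames[1:], frames):   # innermost-first order
        if caller['func'] != entry_func:
            continue
        for name, value in STRING_ARG_RE.findall(callee['args']):
            if name == arg_name:
                # undo gdb's escaping (\" \\ and octal \ooo for non-printables)
                return value.encode('latin-1').decode('unicode_escape')
    return None

if __name__ == '__main__':
    print(repr(crashing_input(SAMPLE_BT)))   # '_Z1-Av23*;cG~Wo2Vu'
```

gdb truncates strings longer than its print elements limit (200 by default) with a trailing `...`, which this returns verbatim; pass `-ex "set print elements 0"` before `-ex "bt"` to get the whole input.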