https://sourceware.org/bugzilla/show_bug.cgi?id=23008
Bug ID: 23008
Summary: Stack overflow (stack exhaustion) in demangle related functions
Product: binutils
Version: 2.30
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mudongliangabcd at gmail dot com
Target Milestone: ---

Created attachment 10917 --> https://sourceware.org/bugzilla/attachment.cgi?id=10917&action=edit
PoC to trigger stack exhaustion

One stack exhaustion issue was found in binutils-2.29 and 2.30.

The configuration of binutils is:

  CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
  make

The trigger method is:

  cd <root directory of installation>
  ./binutils/cxxfilt < poc

Then you will see the following message log in binutils 2.29:

  ==3711==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa0a43fc8 (pc 0x000000476e18 bp 0x7fffa0a44850 sp 0x7fffa0a43fd0 T0)
      #0 0x476e17 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x476e17)
      #1 0x91170e (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x91170e)
      #2 0x91f24e (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x91f24e)
      #3 0x921a47 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921a47)
      #4 0x900f13 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x900f13)
      #5 0x921316 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921316)
      #6 0x92020d (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x92020d)
      #7 0x921a47 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921a47)
      #8 0x900f13 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x900f13)
      #9 0x921316 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921316)
      #10 0x92020d (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x92020d)
      #11 0x921a47 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921a47)
      #12 0x900f13 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x900f13)
      #13 0x921316 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921316)
      #14 0x92020d (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x92020d)
      #15 0x921a47 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x921a47)
      #16 0x900f13 (/home/jun/revision/testsuites/binutils-2.29/binutils/cxxfilt+0x900f13)
      ......

and the following message log in binutils 2.30:

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff4e6040c in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
  (gdb) info stack
  #0  0x00007ffff4e6040c in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
  #1  0x00000000006c7465 in xmalloc (size=32) at ./xmalloc.c:147
  #2  0x000000000069f731 in string_need (s=0x7fffff7ff950, n=32) at ./cplus-dem.c:4906
  #3  0x000000000069fc5a in string_append (p=0x7fffff7ff950, s=0x753f60 "(") at ./cplus-dem.c:4961
  #4  0x000000000069cf75 in demangle_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff7ff950) at ./cplus-dem.c:4578
  #5  0x000000000069da72 in demangle_nested_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff7ff950) at ./cplus-dem.c:4713
  #6  0x0000000000697c48 in do_type (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, result=0x6006000eb5d0) at ./cplus-dem.c:3719
  #7  0x000000000069b798 in do_arg (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, result=0x7fffff7ffb40) at ./cplus-dem.c:4332
  #8  0x000000000069d60c in demangle_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff7ffcc0) at ./cplus-dem.c:4659
  #9  0x000000000069da72 in demangle_nested_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff7ffcc0) at ./cplus-dem.c:4713
  #10 0x0000000000697c48 in do_type (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, result=0x6006000eb630) at ./cplus-dem.c:3719
  #11 0x000000000069b798 in do_arg (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, result=0x7fffff7ffeb0) at ./cplus-dem.c:4332
  #12 0x000000000069d60c in demangle_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff800030) at ./cplus-dem.c:4659
  #13 0x000000000069da72 in demangle_nested_args (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, declp=0x7fffff800030) at ./cplus-dem.c:4713
  #14 0x0000000000697c48 in do_type (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, result=0x6006000eb690) at ./cplus-dem.c:3719

One interesting point: the address sanitizer in gcc is enabled, but it does not detect this stack overflow/exhaustion in binutils-2.30. The same holds for the current master branch in the binutils git repo.
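The 2.30 backtrace shows the cycle demangle_args -> demangle_nested_args -> do_type -> do_arg -> demangle_args repeating once per nesting level of the input, with nothing bounding how deep it may go. The added example below is not binutils code; it is a toy parser with the same mutual-recursion shape, written to show the standard mitigation for this class of bug: carry a depth counter in the parser's work struct and refuse input that nests past a fixed limit, so a hostile or malformed name yields a parse failure instead of a crash. The names (parse_args, parse_arg, struct work), the MAX_NESTING value and the test inputs are assumptions chosen for the illustration. It also reports the deepest level reached, which is the number a fuzzing harness or regression test would assert on.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from binutils/libiberty. Mirrors the recursion shape
   seen in the cplus-dem.c backtrace and adds a depth guard. */

#define MAX_NESTING 64      /* assumed bound on argument-list nesting */

struct work {
    const char *p;          /* cursor into the input */
    int depth;              /* current recursion depth */
    int max_depth;          /* deepest level reached, for diagnostics */
};

static int parse_args(struct work *w);

/* One argument: a lowercase identifier or a nested argument list. */
static int parse_arg(struct work *w)
{
    if (*w->p == '(')
        return parse_args(w);           /* nested list -> mutual recursion */
    if (*w->p >= 'a' && *w->p <= 'z') {
        while (*w->p >= 'a' && *w->p <= 'z')
            w->p++;
        return 1;
    }
    return 0;
}

/* "(" arg { "," arg } ")". Each entry bumps the depth counter; input nested
   deeper than MAX_NESTING is rejected instead of recursing without bound. */
static int parse_args(struct work *w)
{
    int ok = 1;
    if (*w->p != '(')
        return 0;
    if (++w->depth > MAX_NESTING) {
        w->depth--;
        return 0;                       /* refuse rather than exhaust the stack */
    }
    if (w->depth > w->max_depth)
        w->max_depth = w->depth;
    w->p++;
    if (*w->p != ')') {
        ok = parse_arg(w);
        while (ok && *w->p == ',') {
            w->p++;
            ok = parse_arg(w);
        }
    }
    if (ok && *w->p == ')')
        w->p++;
    else
        ok = 0;
    w->depth--;
    return ok;
}

/* Returns the deepest nesting level reached if the whole input parses
   within the limit, or -1 if it is rejected (syntax error or too deep). */
int nesting_depth(const char *input)
{
    struct work w = { input, 0, 0 };
    int ok = parse_args(&w) && *w.p == '\0';
    return ok ? w.max_depth : -1;
}

/* Constructed input: n nested "(" ... ")" pairs around "x", n <= 500. */
int nested_depth(int n)
{
    static char buf[1024];
    if (n < 0 || n > 500)
        return -1;
    memset(buf, '(', (size_t)n);
    buf[n] = 'x';
    memset(buf + n + 1, ')', (size_t)n);
    buf[2 * n + 1] = '\0';
    return nesting_depth(buf);
}

int main(void)
{
    printf("(a,(b,c),d) -> %d\n", nesting_depth("(a,(b,c),d)"));   /* 2 */
    printf("%d levels -> %d\n", MAX_NESTING, nested_depth(MAX_NESTING));
    printf("%d levels -> %d\n", MAX_NESTING + 1, nested_depth(MAX_NESTING + 1));
    return 0;
}
```

The guard costs one integer compare per level, and the limit is a policy choice: it should be generous enough for any name a real compiler emits but far below what the thread's stack can absorb, so the failure mode under fuzzing or untrusted input is a clean error return that a tool like cxxfilt can report rather than a SIGSEGV that ASan, as the report notes for 2.30, may not even attribute to the recursion.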