https://sourceware.org/bugzilla/show_bug.cgi?id=32330
Bug ID: 32330
Summary: Stack overflow due to recursive call of d_print_comp_inner and d_print_comp functions
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jaehoon.jang at kaist dot ac.kr
Target Milestone: ---

Created attachment 15770
--> https://sourceware.org/bugzilla/attachment.cgi?id=15770&action=edit
poc file to trigger this bug

Environment

I tested by reducing the stack size to 2048 (ulimit -s 2048). However, when I tested it in various environments, I confirmed that it occurs even at 4096.

When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) with the same stack size, the bug was not triggered and the defense was well done. However, I think the PoC I uploaded needs a patch because it causes the bug.

What's unusual about this `poc1` file is that it outputs strings like "long double", "unsigned int", etc. I think this is not the intended behavior. It would be a good idea to review this issue while solving the stack overflow issue.

# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# git clone https://github.com/bminor/binutils-gdb.git
# cd binutils-gdb
# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git 6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" ./configure
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j 4
# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# binutils/nm-new -C poc1
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
00000000 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*
restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double) eeeeeec1 A _Z5ZZZZeeeeeeeeeVKteeeGCeeeeeeKrMFeRCCeeeeeeKreeREeeee eeeeeec1 A _Z5ZZZZeeeeeeeeeVKteeeGCeeeeeeKrMFeRCCeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeezeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeKreejREeeee eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, 
long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long 
double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, 
long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long 
double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, 
long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A deeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeReeeeeeeeeeeeeeeeeeqeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeXeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

root@63ad81720171:/tmp/binutils-gdb# ulimit -s 2048
root@63ad81720171:/tmp/binutils-gdb# binutils/nm-new -C ../d_print_comp_inner/poc1
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
00000000 A ZZZZe(long double, long double, long double, long double, long double, long double, long double, long double, unsigned short const volatile, long double, long double, long double, long double _Complex _Imaginary, long double, long double, long double, long double, long double, long double long double (long double (long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::* restrict const)(long double _Complex _Complex&, long double, long double, long double, long double, long double, long double restrict const, long double, unsigned int) &::*, long double, long double, long double)
eeeeeec1 A _Z5ZZZZeeeeeeeeeVKteeeGCeeeeeeKrMFeRCCeeeeeeKreeREeeee
eeeeeec1 A _Z5ZZZZeeeeeeeeeVKteeeGCeeeeeeKrMFeRCCeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeezeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeKreejREeeee
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153641==ERROR: AddressSanitizer: stack-overflow on address 0x7fff047f2a00 (pc 0x000000752ff5 bp 0x7fff047f3c70 sp 0x7fff047f2a00 T0)
    #0 0x752ff5 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5071
    #1 0x76481f in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #2 0x76481f in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5791:2
    #3 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #4 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #5 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #6 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #7 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #8 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #9 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #10 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #11 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #12 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #13 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #14 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #15 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #16 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #17 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #18 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #19 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #20 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #21 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #22 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #23 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #24 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #25 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #26 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #27 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #28 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #29 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #30 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #31 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #32 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #33 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #34 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #35 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #36 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #37 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #38 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #39 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #40 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #41 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #42 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #43 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #44 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #45 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #46 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #47 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #48 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    #49 0x766358 in d_print_comp /tmp/binutils-gdb/libiberty/./cp-demangle.c:6337:3
    #50 0x766358 in d_print_comp_inner /tmp/binutils-gdb/libiberty/./cp-demangle.c:5803:4
    ...

SUMMARY: AddressSanitizer: stack-overflow /tmp/binutils-gdb/libiberty/./cp-demangle.c:5071 in d_print_comp_inner
==153641==ABORTING
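The backtrace above is a d_print_comp -> d_print_comp_inner -> d_print_comp cycle, one round trip per nested function type, so the only thing standing between a crafted mangled name and a stack overflow is a recursion budget in the printer. The following is an added example, not libiberty code and not the reporter's: a toy recursive type printer with the same wrapper/inner shape, where the wrapper charges one unit of a depth budget per nesting level and refuses (instead of growing the stack) when the budget is gone. The component tree, the names `print_comp`/`print_comp_inner`/`demangle_nested`, and the budget of 1024 are assumptions for the demonstration.

```c
/* Added example, not cp-demangle.c: a toy recursive type printer with a
 * recursion budget in the wrapper. All names and limits are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical component tree: 'e' is a "long double" leaf, 'F' is a
 * function type wrapping one nested component. */
struct comp {
    char kind;
    struct comp *child;
};

struct printer {
    char *buf;          /* growable output buffer */
    size_t len, cap;
    int depth;          /* current recursion depth */
    int max_depth;      /* recursion budget; 0 disables the guard */
    int failed;         /* sticky: out of budget or out of memory */
};

static void emit(struct printer *p, const char *s)
{
    size_t n = strlen(s);
    if (p->failed)
        return;
    if (p->len + n + 1 > p->cap) {
        size_t ncap = p->cap ? p->cap : 64;
        while (ncap < p->len + n + 1)
            ncap *= 2;
        char *nb = realloc(p->buf, ncap);
        if (!nb) { p->failed = 1; return; }
        p->buf = nb;
        p->cap = ncap;
    }
    memcpy(p->buf + p->len, s, n + 1);
    p->len += n;
}

static void print_comp(struct printer *p, const struct comp *c);

/* The inner printer recurses through the wrapper for every child, the way
 * d_print_comp_inner calls d_print_comp for nested components. */
static void print_comp_inner(struct printer *p, const struct comp *c)
{
    switch (c->kind) {
    case 'e': emit(p, "long double"); break;
    case 'F': emit(p, "("); print_comp(p, c->child); emit(p, ")"); break;
    default:  p->failed = 1;
    }
}

/* The wrapper owns the budget: one unit per nesting level, refunded on the
 * way back up. Exceeding it is a clean failure, not a deeper stack. */
static void print_comp(struct printer *p, const struct comp *c)
{
    if (p->failed || c == NULL)
        return;
    if (p->max_depth > 0 && p->depth >= p->max_depth) {
        p->failed = 1;
        return;
    }
    p->depth++;
    print_comp_inner(p, c);
    p->depth--;
}

static void free_nested(struct comp *c)
{
    while (c) {                     /* iterative: freeing must not recurse */
        struct comp *next = c->child;
        free(c);
        c = next;
    }
}

/* Build n function types nested around one leaf, iteratively, so the tree
 * can be far deeper than any stack could print without the guard. */
static struct comp *build_nested(int n)
{
    struct comp *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->kind = 'e';
    for (int i = 0; i < n; i++) {
        struct comp *f = calloc(1, sizeof *f);
        if (!f) { free_nested(c); return NULL; }
        f->kind = 'F';
        f->child = c;
        c = f;
    }
    return c;
}

/* Returns 0 and a malloc'd string in *out on success, -1 (and *out == NULL)
 * when the recursion budget or memory runs out. */
int demangle_nested(int n, int max_depth, char **out)
{
    struct printer p = {0};
    struct comp *root = build_nested(n);
    *out = NULL;
    p.max_depth = max_depth;
    if (!root)
        return -1;
    print_comp(&p, root);
    free_nested(root);
    if (p.failed || !p.buf) { free(p.buf); return -1; }
    *out = p.buf;
    return 0;
}

int main(void)
{
    char *out;
    if (demangle_nested(3, 1024, &out) == 0) { printf("%s\n", out); free(out); }
    /* A million nested function types: refused under the budget; with
     * max_depth = 0 this would recurse until the stack is exhausted. */
    printf("%s\n", demangle_nested(1000000, 1024, &out) == 0 ? "printed" : "refused");
    return 0;
}
```

The caveat the report itself illustrates: a depth cap only protects when cap times the largest frame in the cycle fits inside the smallest stack the binary will run on. An ASan build enlarges every frame with redzones, and `ulimit -s 2048` or `4096` shrinks the stack, so the budget has to be validated under exactly those conditions, not just with the default 8 MB stack and an uninstrumented build.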