[Bug binutils/32332] New: nm recursive stack overflow (d_bare_function_type, cp-demangle.c:3113)

jaehoon.jang at kaist dot ac.kr Fri, 01 Nov 2024 08:31:51 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=32332


            Bug ID: 32332
           Summary: nm recursive stack overflow (d_bare_function_type,
                    cp-demangle.c:3113)
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: jaehoon.jang at kaist dot ac.kr
  Target Milestone: ---

Created attachment 15772
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15772&action=edit
poc

Stack overflow due to recursive call of d_bare_function_type, d_function_type
and cplus_demangle_type functions

Environment

[NOTICE] I tested by reducing the stack size to 256 (ulimit -s 256)
When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) on the same
stack size, the bug was not triggered and the defense was well done. However, I
think the PoC I uploaded needs a patch because it causes the bug.

# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC
2024 x86_64 x86_64 x86_64 GNU/Linux

# git clone https://github.com/bminor/binutils-gdb.git

# cd binutils-gdb

# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git
6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address"
./configure

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j
4

# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# binutils/nm-new -C ../cplus_demangle_type/poc1
00000000 A
FFFFFFoeeFFFFFFFeeeeeeeeeeeeePFFFFFFFFFFZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeeeeeeeeeeeeeeeeeeeeeeefeee&e`eeeR\eeeeeeeeeee%eseeeeeeeeZZZZZZe
00000000 A ZZZZZZZZZZZZZZZZZZZZZZZZZ9ZZJmeeee]eeVeCgeeeQZZZZZZZZZZZZZZZZZZd
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _ZGAT_
000000d1 A _ZGdT_
00000000 A _ZGdT_
00000000 A _ZTAX_
00000000 A _ZTAX_
000000d1 A
_ZTAX_ZZZZZZZZZZZZZZZZZZZZcZZZZZZZZZZZZZZZZZyZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZHZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
00000000 A
_ZZZ9ZZZmeeeeeeeeeeKgeeeQscssssrssssssssssssssoeeR1RRRRRRRRRRF}eeeeeeCeeR
00000000 A _ZZZZZZZTAX_
00000000 A _ZZZZZZZZZZZZZZZZZZZEeeeeeeeeeeeeeeesZZd
000000d1 A
_ZZcvErZ_eeZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZOZZZZZZZZZZZZZZZZZZZZZZZZZZZ^ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153644==ERROR: AddressSanitizer: stack-overflow on address 0x7fffb7b73f70 (pc
0x00000073c25f bp 0x7fffb7b74030 sp 0x7fffb7b73f60 T0)
    #0 0x73c25f in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2551
    #1 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #2 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #3 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #4 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #5 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #6 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #7 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #8 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #9 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #10 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #11 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #12 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #13 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #14 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #15 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #16 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #17 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #18 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #19 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #20 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #21 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #22 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #23 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #24 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #25 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #26 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #27 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #28 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #29 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #30 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #31 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #32 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #33 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #34 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #35 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #36 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #37 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #38 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #39 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #40 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #41 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #42 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #43 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #44 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #45 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #46 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #47 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #48 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #49 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #50 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    ...
SUMMARY: AddressSanitizer: stack-overflow
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2551 in cplus_demangle_type
==153644==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug binutils/32332] New: nm recursive stack overflow (d_bare_function_type, cp-demangle.c:3113)

Reply via email to