https://sourceware.org/bugzilla/show_bug.cgi?id=32332
Bug ID: 32332
Summary: nm recursive stack overflow (d_bare_function_type, cp-demangle.c:3113)
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jaehoon.jang at kaist dot ac.kr
Target Milestone: ---

Created attachment 15772
--> https://sourceware.org/bugzilla/attachment.cgi?id=15772&action=edit
poc

Stack overflow due to recursive calls of the d_bare_function_type, d_function_type and cplus_demangle_type functions.

Environment

[NOTICE] I tested by reducing the stack size to 256 (ulimit -s 256).
When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) with the same stack size, the bug was not triggered and the defense worked well.
However, I think the PoC I uploaded needs a patch because it causes the bug.

# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# git clone https://github.com/bminor/binutils-gdb.git
# cd binutils-gdb
# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git 6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" ./configure
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j 4
# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# binutils/nm-new -C ../cplus_demangle_type/poc1
00000000 A FFFFFFoeeFFFFFFFeeeeeeeeeeeeePFFFFFFFFFFZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeeeeeeeeeeeeeeeeeeeeeeefeee&e`eeeR\eeeeeeeeeee%eseeeeeeeeZZZZZZe
00000000 A ZZZZZZZZZZZZZZZZZZZZZZZZZ9ZZJmeeee]eeVeCgeeeQZZZZZZZZZZZZZZZZZZd
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _ZGAT_
000000d1 A _ZGdT_
00000000 A _ZGdT_
00000000 A _ZTAX_
00000000 A _ZTAX_
000000d1 A _ZTAX_ZZZZZZZZZZZZZZZZZZZZcZZZZZZZZZZZZZZZZZyZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZHZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
00000000 A _ZZZ9ZZZmeeeeeeeeeeKgeeeQscssssrssssssssssssssoeeR1RRRRRRRRRRF}eeeeeeCeeR
00000000 A _ZZZZZZZTAX_
00000000 A _ZZZZZZZZZZZZZZZZZZZEeeeeeeeeeeeeeeesZZd
000000d1 A _ZZcvErZ_eeZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZOZZZZZZZZZZZZZZZZZZZZZZZZZZZ^ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153644==ERROR: AddressSanitizer: stack-overflow on address 0x7fffb7b73f70 (pc 0x00000073c25f bp 0x7fffb7b74030 sp 0x7fffb7b73f60 T0)
    #0 0x73c25f in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2551
    #1 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #2 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #3 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #4 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #5 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #6 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #7 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #8 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #9 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #10 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #11 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #12 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #13 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #14 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #15 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #16 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #17 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #18 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #19 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #20 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #21 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #22 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #23 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #24 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #25 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #26 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #27 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #28 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #29 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #30 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #31 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #32 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #33 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #34 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #35 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #36 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #37 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #38 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #39 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #40 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #41 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #42 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #43 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #44 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #45 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #46 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #47 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #48 0x73d2d8 in cplus_demangle_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #49 0x74205d in d_bare_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #50 0x74205d in d_function_type /tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    ...

SUMMARY: AddressSanitizer: stack-overflow /tmp/binutils-gdb/libiberty/./cp-demangle.c:2551 in cplus_demangle_type
==153644==ABORTING
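Added illustration, not part of this report and not libiberty's code: the trace above cycles through cplus_demangle_type -> d_function_type -> d_bare_function_type -> cplus_demangle_type, one round per nested function type in the symbol (compare the long runs of F in the first demangled name). The toy parser below uses a hypothetical, heavily simplified grammar (type := 'e' | 'F' bare-function-type 'E') with the same three-function cycle, and shows the depth-counter defense pattern: the live depth is checked before every descent into the cycle and restored on every return path, so input nested a hundred thousand levels deep is rejected cleanly instead of exhausting the stack. The limit of 2048 and all names here are assumptions for the example. The general caveat this kind of report raises: a fixed depth limit only protects when the limit times the per-cycle frame cost fits in the stack actually available, and sanitizer instrumentation or a reduced ulimit -s can shrink that budget, so the limit has to be checked against the real frame sizes rather than assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this toy; it is not libiberty's code or constant. */
#define DEPTH_LIMIT 2048

struct toy_parser {
    const char *p, *end;   /* cursor and end of input */
    unsigned depth;        /* live recursion depth */
    unsigned max_depth;    /* deepest level reached, for reporting */
};

static int parse_type(struct toy_parser *d);

/* bare-function-type := type type*  (return type, then parameters up to 'E') */
static int parse_bare_function_type(struct toy_parser *d)
{
    if (!parse_type(d))
        return 0;
    while (d->p < d->end && *d->p != 'E')
        if (!parse_type(d))
            return 0;
    return 1;
}

/* function-type := 'F' bare-function-type 'E'; parse_type already ate the 'F'.
   The depth guard sits on this edge of the cycle, so each nesting level pays
   exactly one check and the counter is restored on every return path. */
static int parse_function_type(struct toy_parser *d)
{
    int ok;
    if (d->depth >= DEPTH_LIMIT)
        return 0;                 /* refuse to descend any further */
    d->depth++;
    if (d->depth > d->max_depth)
        d->max_depth = d->depth;
    ok = parse_bare_function_type(d) && d->p < d->end && *d->p == 'E';
    if (ok)
        d->p++;                   /* consume the closing 'E' */
    d->depth--;
    return ok;
}

/* type := 'e' | 'F' function-type */
static int parse_type(struct toy_parser *d)
{
    if (d->p >= d->end)
        return 0;
    switch (*d->p) {
    case 'e': d->p++; return 1;
    case 'F': d->p++; return parse_function_type(d);
    default:  return 0;
    }
}

/* Parse a whole string: 1 if it is a complete, well-nested type, else 0.
   *max_depth (may be NULL) receives the deepest level the parser reached. */
int toy_demangle_type(const char *s, unsigned *max_depth)
{
    struct toy_parser d = { s, s + strlen(s), 0, 0 };
    int ok = parse_type(&d) && d.p == d.end;
    if (max_depth)
        *max_depth = d.max_depth;
    return ok;
}

/* Constructed input: n nested function types, "FF...FeE...EE". */
static char *make_nested(size_t n)
{
    char *buf = malloc(2 * n + 2);
    if (!buf)
        return NULL;
    memset(buf, 'F', n);
    buf[n] = 'e';
    memset(buf + n + 1, 'E', n);
    buf[2 * n + 1] = '\0';
    return buf;
}

/* Parse n nested levels: 1 if accepted, 0 if rejected (or out of memory). */
int nested_accepted(size_t n, unsigned *max_depth)
{
    char *s = make_nested(n);
    int ok = s ? toy_demangle_type(s, max_depth) : 0;
    free(s);
    return ok;
}

/* Deepest level the parser reached while handling n nested levels. */
unsigned nested_depth(size_t n)
{
    unsigned depth = 0;
    nested_accepted(n, &depth);
    return depth;
}

int main(void)
{
    unsigned depth = 0;
    int ok = nested_accepted(100000, &depth);
    printf("100000 nested levels: %s, deepest level %u\n",
           ok ? "accepted" : "rejected by depth guard", depth);
    return 0;
}
```

Because the counter is decremented on both the success and failure paths of parse_function_type, a rejected sub-tree does not leak depth into the rest of the parse; a guard that only decrements on success would slowly pin the parser at its limit on mixed inputs.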