https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909

Bug ID: 70909
Summary: Libiberty Demangler segfaults (4)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

A stack overflow in the libiberty demangler library causes its host applications to crash. The stack contains return addresses that are not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.

How to reproduce:

    $ valgrind c++filt _Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo
    ==80066== Stack overflow in thread 1: can't grow stack to 0xffe801ff8
    ==80066==
    ==80066== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==80066== Access not within mapped region at address 0xFFE801FF8
    ==80066== at 0x78CAA4: d_print_comp_inner (cp-demangle.c:4332)

This specific stack overflow has not been reported but with a bit of searching it seems to be linked to the open bugs PR61460, PR68700, PR67738, PR68383, PR70517, PR61805, PR62279, and the meta bug PR67264. The prepared patch addresses all of these.

Analysis:

The method d_print_comp in cp-demangle.c recursively constructs the d_print_info dpi from the demangle_component dc. The method d_print_comp_inner traverses dc as a graph. Now, dc can be a graph with cycles leading to infinite recursion in several distinct cases.

This vulnerability was found with a more efficient version of AFL.
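As an added illustration (not the reporter's patch and not libiberty code), a simplified recursive printer in the style of d_print_comp_inner that carries an on-stack marker and a depth bound, so a component graph with a cycle is reported as an error instead of recursing until the stack is exhausted; the type struct comp and the functions print_comp, demo_shared and demo_cycle are hypothetical names, and the two graphs are constructed inputs.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for libiberty's demangle_component: substitutions make
   the structure a DAG (shared nodes are legal); a malformed name can close a cycle. */
struct comp {
    const char *name;
    struct comp *left, *right;
    int on_stack;   /* cycle guard: set while this node is being printed */
};
#define MAX_DEPTH 64

/* Printer in the style of d_print_comp_inner: returns 0 on success, -1 when the
   node is already on the recursion stack (a cycle) or the depth bound is hit. */
static int print_comp(struct comp *dc, int depth, char *out, size_t outlen)
{
    int rc;
    if (dc == NULL)
        return 0;
    if (depth > MAX_DEPTH || dc->on_stack)
        return -1;                       /* would otherwise recurse until SIGSEGV */
    if (strlen(out) + strlen(dc->name) + 1 >= outlen)
        return -1;                       /* output buffer exhausted */
    dc->on_stack = 1;
    strcat(out, dc->name);
    rc = print_comp(dc->left, depth + 1, out, outlen);
    if (rc == 0)
        rc = print_comp(dc->right, depth + 1, out, outlen);
    dc->on_stack = 0;                    /* done: re-use elsewhere in the DAG is fine */
    return rc;
}

/* Constructed legitimate DAG: subtree T is referenced twice, as a substitution would. */
int demo_shared(char *out, size_t outlen)
{
    struct comp t = { "T", NULL, NULL, 0 };
    struct comp root = { "F", &t, &t, 0 };
    out[0] = '\0';
    return print_comp(&root, 0, out, outlen);   /* 0, out == "FTT" */
}

/* Constructed cyclic graph: the child points back at the root. */
int demo_cycle(char *out, size_t outlen)
{
    struct comp root = { "F", NULL, NULL, 0 };
    struct comp child = { "A", &root, NULL, 0 };
    root.left = &child;
    out[0] = '\0';
    return print_comp(&root, 0, out, outlen);   /* -1 */
}
```

The shared subtree prints once per reference because the marker is cleared on the way back up, while the cycle is caught the moment a node that is still being printed is reached again.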