https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304
Bug ID: 85304
Summary: Segmentation fault
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: mudongliangabcd at gmail dot com
Target Milestone: ---

Created attachment 43887 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=43887&action=edit
PoC to trigger segment fault

We found a segmentation fault in the C++ demangle functions. From our simple analysis, one callq instruction exceeds the range of the stack region and then cxxfilt segfaults.

The triggering method is as follows:

```
mkdir obj_test
CFLAGS="-O2 -g -fstack-protector-all -fsanitize=address" ../configure --enable-shared=no --enable-static=yes
make
cd binutils
gdb ./cxxfilt
(gdb) r < poc_test
```

The corresponding stack trace in gdb:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
(gdb) info stack
#0  0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00000000006a0126 in string_appendn (p=0x7fffffffe120, s=0x753f60 "(", n=1) at ./cplus-dem.c:4986
#2  0x000000000068db7d in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1860
#3  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#4  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#5  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#6  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#7  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#8  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#9  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#10 0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#11 0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#12 0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
......
```

We will try to analyze more deeply to give a detailed report on this bug.
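The trace above shows demangle_expression, demangle_integral_value and demangle_template_value_parm re-entering one another once per nesting level until the stack runs out. As an added illustration that is not code from cplus-dem.c, the toy recursive-descent parser below has the same expression -> value -> expression recursion shape plus a depth bound, so deeply nested input is rejected instead of crashing; MAX_DEPTH, demangle_checked and the 'W' marker grammar are all constructed for the example.

```c
/* Added illustration (not cplus-dem.c): a tiny recursive-descent parser
 * with a depth bound so hostile input fails cleanly instead of running
 * off the end of the stack. */
#include <stddef.h>
#include <string.h>

#define MAX_DEPTH 128           /* hypothetical budget; size to your stack */

struct work {
    const char *p;              /* current position in the mangled input */
    int depth;                  /* live recursion depth */
    int max_depth;              /* high-water mark, for diagnostics */
};

static int demangle_expression(struct work *w);

/* value := digits | expression */
static int demangle_value_parm(struct work *w)
{
    if (*w->p >= '0' && *w->p <= '9') {
        while (*w->p >= '0' && *w->p <= '9')
            w->p++;
        return 1;
    }
    return demangle_expression(w);
}

/* expression := 'W' value   ('W' is a constructed marker, not the real grammar) */
static int demangle_expression(struct work *w)
{
    int ok;
    if (*w->p != 'W')
        return 0;
    w->p++;
    /* The guard: without it a long run of 'W' recurses once per byte of
     * attacker-controlled input, which is exactly the SIGSEGV in the report. */
    if (++w->depth > MAX_DEPTH)
        return 0;
    if (w->depth > w->max_depth)
        w->max_depth = w->depth;
    ok = demangle_value_parm(w);
    w->depth--;
    return ok;
}

/* Returns 1 if the whole input parsed within the depth budget, else 0. */
int demangle_checked(const char *mangled, int *max_depth_out)
{
    struct work w = { mangled, 0, 0 };
    int ok = demangle_value_parm(&w) && *w.p == '\0';
    if (max_depth_out)
        *max_depth_out = w.max_depth;
    return ok;
}
```

A real fix would thread the counter through the demangler's existing work struct; the point here is that the bound turns unbounded recursion on untrusted input into an ordinary parse failure.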