On Wed, Aug 29, 2018 at 9:41 AM, David Malcolm <dmalc...@redhat.com> wrote:
> On Fri, 2018-06-22 at 15:44 -0600, Jeff Law wrote:
>> On 03/03/2018 05:48 AM, David Malcolm wrote:
>> > PR demangler/84668 reports this failure of c++filt (found by
>> > fuzzing):
>> >
>> > $ c++filt '______H5z5555555555_____H5z55555555555555555555555'
>> > c++filt: out of memory allocating 18446744071696285694 bytes after
>> > a total of 135168 bytes
>> >
>> > internal_cplus_demangle handles the "H5" as a template with 5
>> > arguments;
>> > the "z5555555555" is handled as a template parameter length of
>> > 5555555555, though this is truncated to 32-bits to 1260588259:
>> >
>> > (gdb) p /x 5555555555
>> > $19 = 0x14b230ce3
>> >
>> > (gdb) p /x r
>> > $18 = 0x4b230ce3
>> >
>> > (gdb) p r
>> > $17 = 1260588259
>> >
>> > demangle_template_template_parm repeatedly calls do_type for each
>> > of
>> > these 1.2 billion template params, and each call attempts to handle
>> > the
>> > "_", but hits this within demangle_fund_type:
>> >
>> > 3996 /* Now pick off the fundamental type. There can be
>> > only one. */
>> > 3997
>> > 3998 switch (**mangled)
>> > 3999 {
>> > 4000 case '\0':
>> > 4001 case '_':
>> > 4002 break;
>> >
>> > and thus returns true for success. It does this without consuming
>> > any
>> > of the input string.
>> >
>> > At each iteration, it appends ", ", leading to the construction of
>> > a string of the form:
>> >
>> > "____<template <, , , , , , , , , , , , , , , , , , , , , , , , ,
>> > "
>> >
>> > and eventually the allocation fails.
>> >
>> > It seems like a bug for demangle_template_template_parm to be able
>> > to
>> > arbitrarily grow like this without consuming the input string (or
>> > failing).
>> >
>> > This patch fixes the issue by making the NIL / '_' cases quoted
>> > above be
>> > a failure, thus ending the iteration. I'm not sure if this is the
>> > correct behavior (I'm new to this code), but none of the existing
>> > testcases
>> > are affected.
>> >
>> > Successfully bootstrapped®rtested on x86_64-pc-linux-gnu.
>> >
>> > OK for trunk?
>> >
>> > libiberty/ChangeLog:
>> > PR demangler/84668
>> > * cplus-dem.c (demangle_fund_type) <'\0', '_'>: Fail.
>> > * testsuite/demangle-expected: Add test.
>>
>> I kept hoping someone else would chime in here :(
>>
>> You should probably ping Jason directly. He's more likely to know if
>> we can blindly return a failure at this point.
>>
>> Jeff
>
> Thanks.
>
> Jason, any thoughts?
The patch is OK.
I'll note that this is the demangler for the GCC 2.x mangling scheme,
so we might consider tearing it out at this point rather than continue
to harden it against fuzzing.
Jason
