[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-12-07 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |FIXED

--- Comment #14 from Nick Clifton  ---
Fixed by recent merge with gcc libiberty sources.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-05-03 Thread wuyuan5 at huawei dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

yuanwu  changed:

   What|Removed |Added

 CC||wuyuan5 at huawei dot com

--- Comment #12 from yuanwu  ---
Hi Dongliang,
  My question is "Does this vulnerability affect binutils 2.26?". So I ran
your test program in binutils version 2.26, and the program result has no
stack overflow.

  But using the 2.29 branch sources, the program result also has no stack
overflow (I am unable to reproduce this bug with the same Linux system as
you). So I am not sure whether this vulnerability affects binutils 2.26.
Looking forward to your help, thanks.
  My mother tongue is not English, sorry about my English.
Cheers
  yuanwu


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-04-04 Thread matz at suse dot de
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Michael Matz  changed:

   What|Removed |Added

 CC||matz at suse dot de

--- Comment #11 from Michael Matz  ---
All seems to work as designed.  The testcase contains a large number of 'F'
characters, and demangling each one of them entails:

#5  0x005ec0f8 in demangle_nested_args (work=0x7fffd540,
mangled=0x7fffd2a0, 
declp=0x7f800050) at ../../libiberty/cplus-dem.c:4713
4713  result = demangle_args (work, mangled, declp);
#4  0x005ea8f9 in demangle_args (work=0x7fffd540,
mangled=0x7fffd2a0, declp=0x7f800050)
at ../../libiberty/cplus-dem.c:4659
4659  if (!do_arg (work, mangled, ))
#3  0x005eb99e in do_arg (work=0x7fffd540, mangled=0x7fffd2a0,
result=0x7f7ffbe0)
at ../../libiberty/cplus-dem.c:4332
4332  if (!do_type (work, mangled, work->previous_argument))
#2  0x005cbf15 in do_type (work=0x7fffd540, mangled=0x7fffd2a0,
result=0x603318d0)
at ../../libiberty/cplus-dem.c:3719
3719  if (!demangle_nested_args (work, mangled, )
#1  0x005ec0f8 in demangle_nested_args (work=0x7fffd540,
mangled=0x7fffd2a0, 
declp=0x7f7ff370) at ../../libiberty/cplus-dem.c:4713
4713  result = demangle_args (work, mangled, declp);

That progresses *mangled by one character.  When compiled with clang, the above
sequence of five calls needs 3296 bytes on the stack.  The testcase
contains more than 2542 'F' characters in a row, and together that needs more
than 8MB of stack, leading to the abort.

When compiled with GCC -fsanitize=address the above sequence only needs 912
bytes on stack (per 'F' character), so it progresses until 
(gdb) p *mangled
$10 = 0x78b6cc  'F' ...
before segfaulting due to stack overflow (with clang it only gets until
mbuffer+2550).

When compiled without sanitizer (with GCC) the above sequence of calls only
needs 400 bytes per stack.  The testcase contains 11586 'F' characters, so that
is within the normal stack limit and no problem occurs.

If the compiler is more clever (the above is with gcc-6 and -O0) then the
sequence of calls will need less stack space, and hence not reproduce the
problem.  I'm not sure if anything needs fixing, the demangler works as
designed, you ask it to demangle a nested structure that's 11000 levels deep,
and a stack overflow occurs.  As expected.


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #10 from Dongliang Mu  ---
Hi, Nick:

Thank you for pointing out that issue. I have tested that issue on Debian
Stable (GCC + AddressSanitizer, and Clang + AddressSanitizer) and attached three
Dockerfiles to prove it is reproducible.

Now I will try to report this bug in GCC Bugzilla.

Finally, thanks for your good work, Nick.


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #9 from Dongliang Mu  ---
Created attachment 10925
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10925&action=edit
Dockerfile for Debian Stable (GCC with AddressSanitizer)


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu  changed:

   What|Removed |Added

  Attachment #10921 description|Dockerfile for Ubuntu 14.04(GCC AddressSanitizer)|Dockerfile for Ubuntu 14.04(GCC with AddressSanitizer)


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu  changed:

   What|Removed |Added

  Attachment #10921 description|Dockerfile for Ubuntu 14.04|Dockerfile for Ubuntu 14.04(GCC AddressSanitizer)


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu  changed:

   What|Removed |Added

  Attachment #10922 description|Dockerfile for Debian Stable|Dockerfile for Debian Stable (Clang with AddressSanitizer)


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-29 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #7 from Nick Clifton  ---
Hi Dongliang,

> When I try to reproduce this problem with Address Sanitizer in GCC, there
> are some weird errors when I compiled binutils:

> /usr/bin/ld: ../bfd/.libs/libbfd.a(plugin.o): undefined reference to symbol
> 'dlsym@@GLIBC_2.2.5'

This is because the address sanitizer needs the "dl" library.  Change your
configure command line so that LDFLAGS is defined as:

  LDFLAGS="-fsanitize=address -ldl"

That should fix the problem.

Cheers
  Nick


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-28 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #6 from Dongliang Mu  ---
When I try to reproduce this problem with Address Sanitizer in GCC, there are
some weird errors when I compiled binutils:

```
/usr/bin/ld: ../bfd/.libs/libbfd.a(plugin.o): undefined reference to symbol
'dlsym@@GLIBC_2.2.5'
//lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from
command line
collect2: error: ld returned 1 exit status
```
And "Dockerfile for Ubuntu 14.04" is related to Address Sanitizer in GCC, and
"Dockerfile for Debian Stable" is related to Address Sanitizer in Clang.


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-28 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #5 from Dongliang Mu  ---
Created attachment 10922
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10922&action=edit
Dockerfile for Debian Stable

Dockerfile to prove it is reproducible with Address Sanitizer in clang


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-28 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #4 from Dongliang Mu  ---
Created attachment 10921
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10921&action=edit
Dockerfile for Ubuntu 14.04

Dockerfile for Ubuntu 14.04 LTS to prove it is reproducible


[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-28 Thread mudongliangabcd at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #2 from Dongliang Mu  ---
Hi Nick,

First, let me show my concrete instructions to convince you it is reproducible.
Then I will post it to GCC Bugzilla.

```
wget https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz
tar -xvf binutils-2.29.tar.gz
cd binutils-2.29/
CC=clang CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" \
  ./configure
make
cd binutils/
ls
./cxxfilt < ~/Downloads/poc
```
Then you will see:

```
ASAN:DEADLYSIGNAL
=================================================================
==25076==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeaf715ff8 (pc
0x0042315c bp 0x7ffeaf716890 sp 0x7ffeaf716000 T0)
#0 0x42315b in __asan::asan_malloc(unsigned long,
__sanitizer::BufferedStackTrace*)
(/home/mdl/Downloads/binutils-2.29/binutils/cxxfilt+0x42315b)
#1 0x4d23cb in malloc
(/home/mdl/Downloads/binutils-2.29/binutils/cxxfilt+0x4d23cb)
#2 0x9289c7 in xmalloc
/home/mdl/Downloads/binutils-2.29/libiberty/./xmalloc.c:147:12
#3 0x8dfe15 in string_need
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4906:21
#4 0x8de7b8 in string_append
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4961:3
#5 0x8ebd1f in demangle_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4578:7
#6 0x8ee467 in demangle_nested_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
#7 0x8ce628 in do_type
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:3719:9
#8 0x8edd4d in do_arg
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4332:8
#9 0x8eccac in demangle_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4659:9
#10 0x8ee467 in demangle_nested_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
#11 0x8ce628 in do_type
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:3719:9
#12 0x8edd4d in do_arg
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4332:8
#13 0x8eccac in demangle_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4659:9
#14 0x8ee467 in demangle_nested_args
/home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
```

Originally I reproduced this issue in Ubuntu 14.04.5 LTS. Now I test and
successfully reproduce it in Debian Testing.

The same method reproduces it in binutils-2.30. You will get the following
error message:

```
ASAN:DEADLYSIGNAL
=================================================================
==25373==ERROR: AddressSanitizer: stack-overflow on address 0x7fff177ecff8 (pc
0x008dfe9b bp 0x7fff177ed3b0 sp 0x7fff177ed000 T0)
#0 0x8dfe9a in demangle_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4578:22
#1 0x8e25e7 in demangle_nested_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
#2 0x8c27a8 in do_type
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
#3 0x8e1ecd in do_arg
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
#4 0x8e0e2c in demangle_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
#5 0x8e25e7 in demangle_nested_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
#6 0x8c27a8 in do_type
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
#7 0x8e1ecd in do_arg
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
#8 0x8e0e2c in demangle_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
#9 0x8e25e7 in demangle_nested_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
#10 0x8c27a8 in do_type
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
#11 0x8e1ecd in do_arg
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
#12 0x8e0e2c in demangle_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
#13 0x8e25e7 in demangle_nested_args
/home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
```

If you have any problem reproducing this issue, please let me know.

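Added example (not code from the bug report, from binutils or from libiberty) that serves both the reproduction step above (`./cxxfilt < poc`) and Michael Matz's stack arithmetic in comment #11. It computes, for each build flavour he measured, how many nested 'F' characters the five-call recursion cycle can absorb before an 8 MiB stack is exhausted and whether the 11586-'F' testcase reaches that depth, and it optionally pipes a constructed input into whatever `c++filt` is on PATH with RLIMIT_STACK lowered in the child, so the outcome does not depend on the caller's `ulimit -s`. Assumptions not on the page: the per-'F' byte counts are taken from comment #11 as-is; the input shape `"f__" + "F"*n` (a GNU v2 mangled name whose argument list is nested function types) is my own construction standing in for the attached poc; and a current libiberty that no longer carries the old v2 demangler simply echoes such input back with exit status 0.

```python
"""Added worked example for bug 23008; not code from the bug report or from
binutils/libiberty.  It turns the analysis in comment #11 into a calculation
and wraps the reproduction step from comment #2 (cxxfilt < poc) so that the
stack limit is explicit.  Per-'F' frame sizes are the ones measured in
comment #11; the testcase shape "f__" + "F"*n is an assumption."""
import resource
import shutil
import subprocess

# Stack bytes used by one demangle_nested_args -> demangle_args -> do_arg ->
# do_type -> demangle_nested_args cycle, i.e. per nested 'F', as measured in
# comment #11 (the gcc figures are gcc-6 at -O0).
BYTES_PER_F = {
    "clang -fsanitize=address": 3296,
    "gcc -fsanitize=address": 912,
    "gcc, no sanitizer": 400,
}
DEFAULT_STACK = 8 * 1024 * 1024   # Linux default soft limit: `ulimit -s` == 8192 KiB
POC_F_COUNT = 11586               # number of 'F's in the attached testcase (comment #11)


def max_depth(bytes_per_f, stack_limit=DEFAULT_STACK):
    """Nested 'F's the recursion can absorb before exhausting stack_limit
    (ignores the few outer frames, so it slightly over-estimates)."""
    return stack_limit // bytes_per_f


def overflows(n_f, bytes_per_f, stack_limit=DEFAULT_STACK):
    """True if an input with n_f nested 'F's needs more than stack_limit."""
    return n_f * bytes_per_f > stack_limit


def report(n_f=POC_F_COUNT, stack_limit=DEFAULT_STACK):
    """Per build flavour: the depth at which the overflow starts and whether
    the n_f-'F' testcase reaches it.  Shows why an unsanitized GCC build, or
    any build with smaller frames, does not reproduce the crash."""
    return {
        build: {
            "max_depth": max_depth(per_f, stack_limit),
            "testcase_overflows": overflows(n_f, per_f, stack_limit),
        }
        for build, per_f in BYTES_PER_F.items()
    }


def make_nested_function_type(n_f):
    """Constructed input: a GNU v2 (pre-Itanium) mangled name whose argument
    list is n_f nested function types.  Assumption, not stated on the page:
    in the v2 scheme each 'F' opens a function type whose first argument is
    parsed by do_type, so every 'F' adds one cycle of the five-call chain."""
    return "f__" + "F" * n_f


def run_cxxfilt(mangled, stack_limit, cxxfilt="c++filt"):
    """Pipe `mangled` into an installed c++filt with RLIMIT_STACK lowered to
    stack_limit in the child, so the check does not depend on the caller's
    ulimit.  Returns (found, returncode); found is False if no c++filt is on
    PATH.  returncode -11 (-SIGSEGV) is the stack exhaustion; 0 means the
    input was demangled or echoed unchanged (a libiberty without the old v2
    demangler just passes it through)."""
    path = shutil.which(cxxfilt)
    if path is None:
        return False, None

    def lower_stack():
        _soft, hard = resource.getrlimit(resource.RLIMIT_STACK)
        stack = stack_limit if hard == resource.RLIM_INFINITY else min(stack_limit, hard)
        resource.setrlimit(resource.RLIMIT_STACK, (stack, hard))

    proc = subprocess.run([path], input=mangled.encode() + b"\n",
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                          preexec_fn=lower_stack)
    return True, proc.returncode


if __name__ == "__main__":
    for build, info in report().items():
        print(f"{build:26s} overflow after {info['max_depth']:6d} nested F; "
              f"{POC_F_COUNT}-F testcase overflows: {info['testcase_overflows']}")
    # Empirical check with 1 MiB of stack against whatever c++filt is installed.
    found, rc = run_cxxfilt(make_nested_function_type(POC_F_COUNT), 1 << 20)
    print("c++filt found:", found, "exit status:", rc)
```

Run it under Python 3 on Linux. With the comment #11 figures it reports an overflow threshold of 2545 nested 'F's for the clang ASAN build, 9198 for the GCC ASAN build and 20971 for the plain GCC build, so the 11586-'F' testcase crosses the limit only in the two sanitized builds, which is exactly the split between the reporters who could and could not reproduce it. A return code of -11 from run_cxxfilt is SIGSEGV, the stack exhaustion the thread reports; Nick's "do you have a stack limit set?" and Michael's frame-size figures are two views of the same threshold.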

[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions

2018-03-28 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Nick Clifton  changed:

   What|Removed |Added

 CC||nickc at redhat dot com

--- Comment #1 from Nick Clifton  ---
Hi Dongliang,

  Sorry - I am unable to reproduce this bug, even using 2.29 and/or the
  2.30 branch sources.

  Are you running on a machine with a small amount of memory?  Or maybe
  you have a stack limit set?

  Also I should note that since this problem appears to be associated with
  the C++ demangling functions provided by the libiberty library, you may
  want to report the problem on the GCC bugzilla system.  (The libiberty
  library is maintained by GCC, rather than by binutils).

Cheers
  Nick
