[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Nick Clifton changed:
           What    |Removed     |Added
           Status  |UNCONFIRMED |RESOLVED
           Resolution|---       |FIXED

--- Comment #14 from Nick Clifton ---
Fixed by recent merge with gcc libiberty sources.

--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #13 from yuanwu ---
Hi Dongliang,

My question is "Does this vulnerability affect binutils 2.26?". So I ran your test program on binutils version 2.26, and the program result shows no stack overflow. But using the 2.29 branch sources, the program result also shows no stack overflow (I am unable to reproduce this bug with the same Linux system as you). So I am not sure whether this vulnerability affects binutils 2.26. Looking forward to your help, thanks.

My mother tongue is not English, sorry about my English.

Cheers
yuanwu
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

yuanwu changed:
           What    |Removed |Added
           CC      |        |wuyuan5 at huawei dot com

--- Comment #12 from yuanwu ---
Hi Dongliang,

My question is "Does this vulnerability affect binutils 2.26?". So I ran your test program on binutils version 2.26, and the program result shows no stack overflow. But using the 2.29 branch sources, the program result also shows no stack overflow (I am unable to reproduce this bug with the same Linux system as you). So I am not sure whether this vulnerability affects binutils 2.26. Looking forward to your help, thanks.

My mother tongue is not English, sorry about my English.

Cheers
yuanwu
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Michael Matz changed:
           What    |Removed |Added
           CC      |        |matz at suse dot de

--- Comment #11 from Michael Matz ---
All seems to work as designed. The testcase contains a large number of 'F' characters, and demangling each one of them entails:

```
#5 0x005ec0f8 in demangle_nested_args (work=0x7fffd540, mangled=0x7fffd2a0, declp=0x7f800050) at ../../libiberty/cplus-dem.c:4713
4713        result = demangle_args (work, mangled, declp);
#4 0x005ea8f9 in demangle_args (work=0x7fffd540, mangled=0x7fffd2a0, declp=0x7f800050) at ../../libiberty/cplus-dem.c:4659
4659        if (!do_arg (work, mangled, ))
#3 0x005eb99e in do_arg (work=0x7fffd540, mangled=0x7fffd2a0, result=0x7f7ffbe0) at ../../libiberty/cplus-dem.c:4332
4332        if (!do_type (work, mangled, work->previous_argument))
#2 0x005cbf15 in do_type (work=0x7fffd540, mangled=0x7fffd2a0, result=0x603318d0) at ../../libiberty/cplus-dem.c:3719
3719        if (!demangle_nested_args (work, mangled, )
#1 0x005ec0f8 in demangle_nested_args (work=0x7fffd540, mangled=0x7fffd2a0, declp=0x7f7ff370) at ../../libiberty/cplus-dem.c:4713
4713        result = demangle_args (work, mangled, declp);
```

That progresses *mangled by one character. When compiled with clang, the above sequence of five calls needs 3296 bytes on the stack. The testcase contains more than 2542 'F' characters in a row, and together that needs more than 8MB of stack, leading to the abort.

When compiled with GCC -fsanitize-address the above sequence only needs 912 bytes on stack (per 'F' character), so it progresses until

```
(gdb) p *mangled
$10 = 0x78b6cc 'F' ...
```

before segfaulting due to stack overflow (with clang it only gets until mbuffer+2550).

When compiled without sanitizer (with GCC) the above sequence of calls only needs 400 bytes of stack per 'F' character. The testcase contains 11586 'F' characters, so that is within the normal stack limit and no problem occurs.

If the compiler is more clever (the above is with gcc-6 and -O0) then the sequence of calls will need less stack space, and hence not reproduce the problem.

I'm not sure if anything needs fixing, the demangler works as designed, you ask it to demangle a nested structure that's 11000 levels deep, and a stack overflow occurs. As expected.
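The mechanism Comment #11 describes is input-proportional recursion: one chain of stack frames per nested construct, so total stack use is roughly levels times bytes-per-level, and whether the process dies depends on the compiler, optimisation level, sanitizer and RLIMIT_STACK rather than on the input alone. The following is an added example written for this page, not code from libiberty, binutils or any participant in the thread. It models that pattern with a toy grammar (a run of 'F' characters opening nested levels, closed by 'v'), shows the usual hardening (an explicit depth counter with a limit), and turns the per-'F' byte counts quoted in Comment #11 into a budget check against the 8 MiB default stack, next to a getrlimit() query that answers Nick's "do you have a stack limit set?" question. The grammar, MAX_DEPTH and every function name here are assumptions made for the demo; the page does not say what the eventual libiberty fix looked like.

```c
/*
 * Added example, not code from libiberty, binutils or this thread's
 * participants. Toy grammar (constructed): each 'F' opens one more nested
 * level and a single 'v' closes the whole run, so "FFFv" is 3 levels deep.
 * MAX_DEPTH and all names are assumptions made for this demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Unbounded version: one stack frame per 'F', like the do_type ->
 * demangle_nested_args -> demangle_args -> do_arg cycle in the backtrace.
 * Returns the nesting depth, or -1 for malformed input. */
static int parse_unbounded(const char **p)
{
    if (**p == 'v') { (*p)++; return 0; }
    if (**p != 'F') return -1;
    (*p)++;
    int inner = parse_unbounded(p);
    return inner < 0 ? -1 : inner + 1;
}

/* Hardened version: an explicit depth counter refuses input nested deeper
 * than MAX_DEPTH (assumed value) instead of recursing until the guard page
 * is hit. Returns -2 when the limit is exceeded. */
#define MAX_DEPTH 1024

static int parse_bounded(const char **p, int depth)
{
    if (depth > MAX_DEPTH) return -2;
    if (**p == 'v') { (*p)++; return 0; }
    if (**p != 'F') return -1;
    (*p)++;
    int inner = parse_bounded(p, depth + 1);
    return inner < 0 ? inner : inner + 1;
}

/* Parse one complete string, the way cxxfilt hands one input line to the
 * demangler; trailing characters after the closing 'v' are an error. */
static int demangle_unbounded(const char *s)
{
    const char *p = s;
    int r = parse_unbounded(&p);
    return (r >= 0 && *p != '\0') ? -1 : r;
}

static int demangle_bounded(const char *s)
{
    const char *p = s;
    int r = parse_bounded(&p, 0);
    return (r >= 0 && *p != '\0') ? -1 : r;
}

/* Constructed input "FFF...Fv" with n 'F's, like the run of 'F' characters
 * in the reporter's poc; the depth_* helpers run each parser over it. */
static char *make_nested(size_t n)
{
    char *s = malloc(n + 2);
    if (!s) abort();
    memset(s, 'F', n);
    s[n] = 'v';
    s[n + 1] = '\0';
    return s;
}

static int depth_unbounded(size_t n)
{
    char *s = make_nested(n);
    int r = demangle_unbounded(s);
    free(s);
    return r;
}

static int depth_bounded(size_t n)
{
    char *s = make_nested(n);
    int r = demangle_bounded(s);
    free(s);
    return r;
}

/* Stack budget: do `levels` nested constructs at `frame_bytes` each fit
 * under `stack_limit`? Frame sizes are inputs here, not measured. */
static int fits_in_stack(size_t levels, size_t frame_bytes, size_t stack_limit)
{
    return levels * frame_bytes < stack_limit;
}

/* Soft RLIMIT_STACK in bytes, 0 if unlimited or unreadable. */
static size_t stack_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (size_t)rl.rlim_cur;
}

int main(void)
{
    printf("RLIMIT_STACK soft limit: %zu bytes\n", stack_soft_limit());
    /* The three builds from Comment #11 against the usual 8 MiB default. */
    printf("clang+ASan, 2550 x 3296 B fits: %d\n", fits_in_stack(2550, 3296, 8u << 20));
    printf("gcc+ASan,  11586 x 912 B fits:  %d\n", fits_in_stack(11586, 912, 8u << 20));
    printf("gcc -O0,   11586 x 400 B fits:  %d\n", fits_in_stack(11586, 400, 8u << 20));
    printf("bounded parser, 11586 levels:   %d\n", depth_bounded(11586));
    printf("unbounded parser, 11586 levels: %d\n", depth_unbounded(11586));
    return 0;
}
```

The unbounded parser survives 11586 levels here only because its frame is a few dozen bytes; the point of the budget check is that the same input stops fitting once a sanitizer or an -O0 build inflates each level to several hundred or several thousand bytes, which is exactly why the reporter and the maintainers saw different results. The bounded parser fails closed with a distinct error code at the limit instead of leaving the outcome to the build configuration.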
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #10 from Dongliang Mu ---
Hi, Nick:

Thank you for pointing out that issue. I have tested that issue on Debian Stable (GCC + AddressSanitizer, and Clang + AddressSanitizer) and attached three Dockerfiles to prove it is reproducible.

Now I will try to report this bug in GCC Bugzilla.

Finally, thanks for your good work, Nick.
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #9 from Dongliang Mu ---
Created attachment 10925
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10925
Dockerfile for Debian Stable (GCC with AddressSanitizer)
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu changed:
           What                  |Removed                     |Added
           Attachment #10921     |Dockerfile for Ubuntu       |Dockerfile for Ubuntu
           description           |14.04 (GCC AddressSanitizer)|14.04 (GCC with AddressSanitizer)
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu changed:
           What                  |Removed                     |Added
           Attachment #10921     |Dockerfile for Ubuntu 14.04 |Dockerfile for Ubuntu
           description           |                            |14.04 (GCC AddressSanitizer)
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Dongliang Mu changed:
           What                  |Removed                     |Added
           Attachment #10922     |Dockerfile for Debian       |Dockerfile for Debian
           description           |Stable                      |Stable (Clang with AddressSanitizer)
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #7 from Nick Clifton ---
Hi Dongliang,

> When I try to reproduce this problem with Address Sanitizer in GCC, there
> are some weird errors when I compiled binutils:
> /usr/bin/ld: ../bfd/.libs/libbfd.a(plugin.o): undefined reference to symbol
> 'dlsym@@GLIBC_2.2.5'

This is because the address sanitizer needs the "dl" library. Change your configure command line so that LDFLAGS is defined as:

  LDFLAGS="-fsanitize=address -ldl"

That should fix the problem.

Cheers
  Nick
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #6 from Dongliang Mu ---
When I try to reproduce this problem with Address Sanitizer in GCC, there are some weird errors when I compile binutils:

```
/usr/bin/ld: ../bfd/.libs/libbfd.a(plugin.o): undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
//lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
```

And "Dockerfile for Ubuntu 14.04" relates to Address Sanitizer in GCC, "Dockerfile for Debian Stable" relates to Address Sanitizer in Clang.
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #5 from Dongliang Mu ---
Created attachment 10922
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10922
Dockerfile for Debian Stable

Dockerfile to prove it is reproducible with Address Sanitizer in clang
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #4 from Dongliang Mu ---
Created attachment 10921
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10921
Dockerfile for Ubuntu 14.04

Dockerfile for Ubuntu 14.04 LTS to prove it is reproducible
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

--- Comment #2 from Dongliang Mu ---
Hi Nick, first let me show my concrete instructions to convince you it is reproducible. And then I will post it to GCC Bugzilla.

```
wget https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz
tar -xvf binutils-2.29.tar.gz
cd binutils-2.29/
CC=clang CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
make
cd binutils/
ls
./cxxfilt < ~/Downloads/poc
```

Then you will see:

```
ASAN:DEADLYSIGNAL
=================================================================
==25076==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeaf715ff8 (pc 0x0042315c bp 0x7ffeaf716890 sp 0x7ffeaf716000 T0)
    #0 0x42315b in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/mdl/Downloads/binutils-2.29/binutils/cxxfilt+0x42315b)
    #1 0x4d23cb in malloc (/home/mdl/Downloads/binutils-2.29/binutils/cxxfilt+0x4d23cb)
    #2 0x9289c7 in xmalloc /home/mdl/Downloads/binutils-2.29/libiberty/./xmalloc.c:147:12
    #3 0x8dfe15 in string_need /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4906:21
    #4 0x8de7b8 in string_append /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4961:3
    #5 0x8ebd1f in demangle_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4578:7
    #6 0x8ee467 in demangle_nested_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
    #7 0x8ce628 in do_type /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:3719:9
    #8 0x8edd4d in do_arg /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4332:8
    #9 0x8eccac in demangle_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4659:9
    #10 0x8ee467 in demangle_nested_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
    #11 0x8ce628 in do_type /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:3719:9
    #12 0x8edd4d in do_arg /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4332:8
    #13 0x8eccac in demangle_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4659:9
    #14 0x8ee467 in demangle_nested_args /home/mdl/Downloads/binutils-2.29/libiberty/./cplus-dem.c:4713:12
```

Originally I reproduced this issue in Ubuntu 14.04.5 LTS. Now I test and successfully reproduce it in Debian Testing.

The same method reproduces it in binutils-2.30. You will get the following error message:

```
ASAN:DEADLYSIGNAL
=================================================================
==25373==ERROR: AddressSanitizer: stack-overflow on address 0x7fff177ecff8 (pc 0x008dfe9b bp 0x7fff177ed3b0 sp 0x7fff177ed000 T0)
    #0 0x8dfe9a in demangle_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4578:22
    #1 0x8e25e7 in demangle_nested_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
    #2 0x8c27a8 in do_type /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
    #3 0x8e1ecd in do_arg /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
    #4 0x8e0e2c in demangle_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
    #5 0x8e25e7 in demangle_nested_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
    #6 0x8c27a8 in do_type /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
    #7 0x8e1ecd in do_arg /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
    #8 0x8e0e2c in demangle_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
    #9 0x8e25e7 in demangle_nested_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
    #10 0x8c27a8 in do_type /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:3719:9
    #11 0x8e1ecd in do_arg /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4332:8
    #12 0x8e0e2c in demangle_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4659:9
    #13 0x8e25e7 in demangle_nested_args /home/mdl/Downloads/binutils-2.30/libiberty/./cplus-dem.c:4713:12
```

If you have any problem reproducing this issue, please let me know.
[Bug binutils/23008] Stack Overflow(Stack Exhaustion) in demangle related functions
https://sourceware.org/bugzilla/show_bug.cgi?id=23008

Nick Clifton changed:
           What    |Removed |Added
           CC      |        |nickc at redhat dot com

--- Comment #1 from Nick Clifton ---
Hi Dongliang,

Sorry - I am unable to reproduce this bug, even using 2.29 and/or the 2.30 branch sources. Are you running on a machine with a small amount of memory? Or maybe you have a stack limit set?

Also I should note that since this problem appears to be associated with the C++ demangling functions provided by the libiberty library, you may want to report the problem on the GCC bugzilla system. (The libiberty library is maintained by GCC, rather than by binutils).

Cheers
  Nick