[Bug demangler/87675] Stack Overflow in function next_is_type_qual() in cp-demangle.c, as demonstrated by "nm -C"
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675

--- Comment #4 from N1705695H at e dot ntu.edu.sg ---

(In reply to Scott Gayou from comment #3)
> My last comment was a bit confusing. I can reproduce 2/3 on a standard
> system, and the other 1/3 requires dropping ulimit -s down a bit. (to 4096).

Hi, I don't think you've made a clear analysis of the problem. This has nothing to do with how much stack memory you set up. No matter how big your stack memory is, it can still run out. The test case only gives a small number of characters. As you can imagine, you can still run out of memory by giving a lot of characters.

In detail, the program requires resources such as time, memory, power, etc. Memory exhaustion problems in the server can occur circumstantially when programs are provided with inputs that exhibit worst-case behavior. However, the high space complexity of the algorithm or poorly designed programs consume much more memory than necessary under well-conceived inputs. In particular, stack memory is very limited. An attacker may use a function's own calls or multiple functions calling each other, exhausting stack memory. In other words, no matter how large your stack memory is, it will always run out (by giving more "Z" or "U"). No matter how big you set it up, it's ultimately limited.

The problem itself is very difficult to fix. The problem is that C++ mangled names have a recursive structure. Simple restriction of cycles is not necessarily good. Moreover, these examples give different stack frames. This is caused by giving different string inputs. Some call themselves. Some call different functions. In fact, it's hard to set recursion limits on every function. A recursion limit would not fix all of these, because they have different root causes (loop calls involving six functions in a finite function stack frame).
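As an added defensive example, not libiberty's code and not part of the bug report: a toy demangler-style recursive-descent parser in which three mutually recursive functions (named after the d_name -> d_encoding -> d_local_name cycle in the ASAN traces on this page) all charge one depth counter kept in the parser state, so total recursion depth is bounded by a single budget no matter how many functions the cycle passes through, and over-deep input is rejected instead of exhausting the stack. The grammar, the MAX_DEPTH value and the function bodies are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed budget for the example; a real demangler would use a much larger one. */
#define MAX_DEPTH 16

struct parser {
    const char *p;   /* current position in the mangled string */
    unsigned depth;  /* frames active across ALL recursive functions */
    bool overflow;   /* set once the budget is exceeded */
};

static bool d_name(struct parser *di);

/* Every recursive function passes through this pair, so the cycle
   d_name -> d_encoding -> d_local_name -> d_name is charged to one counter. */
static bool enter(struct parser *di) {
    if (di->depth >= MAX_DEPTH) { di->overflow = true; return false; }
    di->depth++;
    return true;
}
static void leave(struct parser *di) { di->depth--; }

static bool d_encoding(struct parser *di) {
    if (!enter(di)) return false;
    bool ok = d_name(di);
    leave(di);
    return ok;
}
static bool d_local_name(struct parser *di) {
    if (!enter(di)) return false;
    bool ok = d_encoding(di);
    leave(di);
    return ok;
}
/* Toy grammar: name := 'Z' local_name | 'N'.  Each 'Z' nests three more frames. */
static bool d_name(struct parser *di) {
    if (!enter(di)) return false;
    bool ok = false;
    if (*di->p == 'Z') { di->p++; ok = d_local_name(di); }
    else if (*di->p == 'N') { di->p++; ok = true; }
    leave(di);
    return ok;
}
/* 1 = demangled, 0 = malformed input, -1 = depth budget hit (rejected, no crash). */
int demangle(const char *s) {
    struct parser di = { s, 0, false };
    bool ok = d_name(&di) && *di.p == '\0';
    return di.overflow ? -1 : (ok ? 1 : 0);
}
int main(void) { printf("%d %d\n", demangle("ZZN"), demangle("ZZZZZZN")); return 0; }
```

With MAX_DEPTH 16, five 'Z' prefixes (16 frames) still demangle while six (19 frames) are rejected with -1; raising the budget only moves the bound, it never removes it.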
[Bug demangler/87681] New: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c, as demonstrated by "nm -C"
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681

Bug ID: 87681
Summary: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c, as demonstrated by "nm -C"
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: N1705695H at e dot ntu.edu.sg
Target Milestone: ---

Created attachment 44876
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44876=edit
POC

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: d_name, d_encoding, and d_local_name. Please use "./nm -C $POC" to reproduce the bug. This result can trigger different stack overflows; you can try several times. To reproduce this bug, you need to build binutils-2.31 with ASAN. Here are the compile options. Another approach is to set a breakpoint and debug it, then see the backtrace.
> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
> -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error"
> ./configure --disable-shared --disable-gdb --disable-libdecnumber
> --disable-sim

The ASAN dumps the stack trace as follows:

> AddressSanitizer:DEADLYSIGNAL
> =
> ==18186==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeca00cf98
> (pc 0x008e8b7a bp 0x7ffeca00d080 sp 0x7ffeca00cfa0 T0)
> #0 0x8e8b79 in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:28
> #1 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #2 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #3 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #4 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #5 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #6 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #7 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #8 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #9 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #10 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #11 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #12 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #13 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #14 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #15 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #16 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #17 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> ...
> #246 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> #247 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
> #248 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
> #249 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> SUMMARY: AddressSanitizer: stack-overflow binutils-2.31/libiberty/./cp-demangle.c:1411:28 in d_name
> ==19901==ABORTING
> AAborted
[Bug demangler/87675] New: Stack Overflow in function next_is_type_qual() in cp-demangle.c, as demonstrated by "nm -C"
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675

Bug ID: 87675
Summary: Stack Overflow in function next_is_type_qual() in cp-demangle.c, as demonstrated by "nm -C"
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: N1705695H at e dot ntu.edu.sg
Target Milestone: ---

Created attachment 44874
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44874=edit
POC

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: next_is_type_qual() and cplus_demangle_type(). Please use "./nm -C $POC" to reproduce the bug. This result can trigger different stack overflows; you can try several times. To reproduce this bug, you need to build binutils-2.31 with ASAN. Here are the compile options. Another approach is to set a breakpoint and debug it, as the stack overflow didn't crash the program.
> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
> -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error"
> ./configure --disable-shared --disable-gdb --disable-libdecnumber
> --disable-sim

The ASAN dumps the stack trace as follows:

> ASAN:DEADLYSIGNAL
> =
> ==9864==ERROR: AddressSanitizer: stack-overflow on address 0x7fff9e5c9f58
> (pc 0x009684ac bp 0x sp 0x7fff9e5c9f58 T0)
> #0 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #1 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #2 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #3 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #4 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #5 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #6 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #7 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #8 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #9 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #10 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #11 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #12 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #13 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #14 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #15 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #16 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #17 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #18 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #19 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> #20 0x9684ab in next_is_type_qual cp-demangle.c:2290
> #21 0x9684ab in cplus_demangle_type cp-demangle.c:2387
> ...
> # 0xc580c22 ()
> SUMMARY: AddressSanitizer: stack-overflow cp-demangle.c:2290 in next_is_type_qual
> ==9864==ABORTING
> AAborted