[Bug demangler/88629] Regression lead to Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2020-06-14 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #10 from Cheng Wen  ---
(In reply to Trupti Pardeshi from comment #9)

This bug can be reproduced in the commit version
ebb8004a18a3808d7197762faf3c5aaeae82371f.

But it is now fixed.

[Bug demangler/88629] Regression lead to Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2020-05-07 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #8 from Cheng Wen  ---
(In reply to Trupti Pardeshi from comment #7)

> commit ebb8004a18a3808d7197762faf3c5aaeae82371f
> Author: GDB Administrator 
> Date:   Wed Dec 19 00:00:21 2018 +
> 
> Automatic date update in version.in

[Bug other/89394] libiberty :stack overflow in nm

2019-03-04 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394

--- Comment #5 from Cheng Wen  ---
So many similar cases and repetitive CVEs.

This problem has been fixed before, but it has not been completely fixed.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85122
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681

[Bug other/89394] libiberty :stack overflow in nm

2019-03-04 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394

Cheng Wen  changed:

   What|Removed |Added

 CC||wcventure at 126 dot com

--- Comment #4 from Cheng Wen  ---
This issue is similar to CVE-2018-18700 & CVE-2018-18701

[Bug demangler/88629] Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2019-01-31 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #5 from Cheng Wen  ---
This bug got assigned CVE-2018-20712

[Bug demangler/88629] Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2019-01-10 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #4 from Cheng Wen  ---
Hi, is anyone here going to look at this bug?

[Bug demangler/88629] Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2018-12-28 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #3 from Cheng Wen  ---
That's because of "d_advance (di, 2);" in function d_expression_1: it changes
di->n = di + 2; leading to a buffer-overflow problem.

> 3353  d_advance (di, 2);
> 3354  if (peek == 't')
> 3355  type = cplus_demangle_type (di);
> 3356  if (!d_peek_next_char (di))
> 3357  return NULL;

[Bug demangler/88629] Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2018-12-28 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #1 from Cheng Wen  ---
Created attachment 45295
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45295&action=edit
POC2

[Bug demangler/88629] Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2018-12-28 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

--- Comment #2 from Cheng Wen  ---
Created attachment 45296
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45296&action=edit
POC3

[Bug demangler/88629] New: Heap-buffer-overflow problem in function d_expression_1 in cp-demangle.c, as demonstrated by c++filt

2018-12-28 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629

Bug ID: 88629
   Summary: Heap-buffer-overflow problem in function
d_expression_1 in cp-demangle.c, as demonstrated by
c++filt
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: demangler
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 45294
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45294&action=edit
POC1

Hi, there.

A Heap-buffer-overflow problem was discovered in function d_expression_1 in
cp-demangle.c of the binutils latest code base, too. A crafted ELF input can
cause segmentation faults, and I have confirmed them with address sanitizer
too.

Please use the "./c++filt -t < $POC" to reproduce the bug.

Note that this error only occurs in the latest code base; maybe this is a
regression error. I will show you the commit ID.

> $ git log
> commit ebb8004a18a3808d7197762faf3c5aaeae82371f
> Author: GDB Administrator 
> Date:   Wed Dec 19 00:00:21 2018 +
> 
> Automatic date update in version.in

The ASAN dumps the stack trace as follows:

> =
> ==83311==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60200059 at pc 0x00ac9a4b bp 0x7ffeedce2490 sp 0x7ffeedce2488
> READ of size 1 at 0x60200059 thread T0
> #0 0xac9a4a in d_expression_1 
> /binutils-gdb/libiberty/./cp-demangle.c:3356:12
> #1 0xab4724 in d_expression /binutils-gdb/libiberty/./cp-demangle.c:3531:9
> #2 0xaacdbe in cplus_demangle_type 
> /binutils-gdb/libiberty/./cp-demangle.c:2615:9
> #3 0xaaab09 in cplus_demangle_type 
> /binutils-gdb/libiberty/./cp-demangle.c:2411:10
> #4 0xaac400 in cplus_demangle_type 
> /binutils-gdb/libiberty/./cp-demangle.c:2568:26
> #5 0xaac400 in cplus_demangle_type 
> /binutils-gdb/libiberty/./cp-demangle.c:2568:26
> #6 0xab8dc1 in d_demangle_callback 
> /binutils-gdb/libiberty/./cp-demangle.c:6289:7
> #7 0xab7d4f in d_demangle /binutils-gdb/libiberty/./cp-demangle.c:6343:12
> #8 0xab7b66 in cplus_demangle_v3 
> /binutils-gdb/libiberty/./cp-demangle.c:6500:10
> #9 0xa75571 in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:881:13
> #10 0xa904ba in demangle_template_value_parm 
> /binutils-gdb/libiberty/./cplus-dem.c:2146:12
> #11 0xa8a190 in demangle_template 
> /binutils-gdb/libiberty/./cplus-dem.c:2331:14
> #12 0xa849c8 in demangle_signature 
> /binutils-gdb/libiberty/./cplus-dem.c:1709:18
> #13 0xa9715e in iterate_demangle_function 
> /binutils-gdb/libiberty/./cplus-dem.c:2761:14
> #14 0xa81759 in demangle_prefix 
> /binutils-gdb/libiberty/./cplus-dem.c:2989:14
> #15 0xa7a694 in internal_cplus_demangle 
> /binutils-gdb/libiberty/./cplus-dem.c:1254:14
> #16 0xa75cbb in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:919:9
> #17 0x51518c in demangle_it /binutils-gdb/binutils/cxxfilt.c:66:12
> #18 0x5149e7 in main /binutils-gdb/binutils/cxxfilt.c:288:4
> #19 0x7f702142782f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #20 0x41ab28 in _start (/binutils-gdb/build/bin/c++filt+0x41ab28)
> 
> 0x60200059 is located 0 bytes to the right of 9-byte region 
> [0x60200050,0x60200059)
> allocated by thread T0 here:
> #0 0x4daa50 in malloc 
> /home/tangyun/Documents/Git/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
> #1 0xb0740f in xmalloc /binutils-gdb/libiberty/./xmalloc.c:147:12
> #2 0xa903af in demangle_template_value_parm 
> /binutils-gdb/libiberty/./cplus-dem.c:2138:18
> #3 0xa8a190 in demangle_template 
> /binutils-gdb/libiberty/./cplus-dem.c:2331:14
> #4 0xa849c8 in demangle_signature 
> /binutils-gdb/libiberty/./cplus-dem.c:1709:18
> #5 0xa9715e in iterate_demangle_function 
> /binutils-gdb/libiberty/./cplus-dem.c:2761:14
> #6 0xa81759 in demangle_prefix 
> /binutils-gdb/libiberty/./cplus-dem.c:2989:14
> #7 0xa7a694 in internal_cplus_demangle 
> /binutils-gdb/libiberty/./cplus-dem.c:1254:14
> #8 0xa75cbb in cplus_demangle /binutils-gdb/libiberty/./cplus-dem.c:919:9
> #9 0x51518c in demangle_it /binutils-gdb/binutils/cxxfilt.c:66:12
> #10 0x5149e7 in main /binutils-gdb/binutils/cxxfilt.c:288:4
> #11 0x7f702142782f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /binutils-gdb/libiberty/./cp-demangle.c:3356:12 in d_expression_1
> Shadow bytes around the buggy address:
>   0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

[Bug demangler/88539] A memory leak issue was discovered in cplus-dem.c

2018-12-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539

--- Comment #1 from Cheng Wen  ---
Created attachment 45256
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45256&action=edit
POC2

[Bug demangler/88539] New: A memory leak issue was discovered in cplus-dem.c

2018-12-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539

Bug ID: 88539
   Summary: A memory leak issue was discovered in cplus-dem.c
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: demangler
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 45255
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=45255&action=edit
POC1

Hi there,

A memory leak issue was discovered in cplus-dem.c, as distributed in GNU
Binutils 2.31.
In the demangle_template function in cplus-dem.c, there are many heap
allocations, but these heap allocations are not deallocated in the end.

Please use the "./cxxfilt -t < $POC" to reproduce the bug.
To reproduce this bug, you need to build binutils-2.31 with ASAN, setting the
following command:

> export ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=1


The Leak Sanitizer dumps the stack trace as follows:

> =
> ==16096==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 8 byte(s) in 1 object(s) allocated from:
> #0 0x7f1c50822602 in malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x8247c9 in xmalloc xmalloc.c:147
> #2 0x7cf501 in demangle_template cplus-dem.c:2228
> #3 0x7cb3a5 in demangle_signature cplus-dem.c:1691
> #4 0x7d39fd in iterate_demangle_function cplus-dem.c:2743
> #5 0x7d5e9e in demangle_prefix cplus-dem.c:2971
> #6 0x7c6dfa in internal_cplus_demangle cplus-dem.c:1253
> #7 0x7c4464 in cplus_demangle cplus-dem.c:918
> #8 0x4033b3 in demangle_it binutils-2.31_ASAN/binutils/cxxfilt.c:62
> #9 0x403f1f in main binutils-2.31_ASAN/binutils/cxxfilt.c:276
> #10 0x7f1c4f4cf82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> 
> Indirect leak of 2 byte(s) in 1 object(s) allocated from:
> #0 0x7f1c50822602 in malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x8247c9 in xmalloc xmalloc.c:147
> #2 0x7d0439 in demangle_template cplus-dem.c:2327
> #3 0x7cb3a5 in demangle_signature cplus-dem.c:1691
> #4 0x7d39fd in iterate_demangle_function cplus-dem.c:2743
> #5 0x7d5e9e in demangle_prefix cplus-dem.c:2971
> #6 0x7c6dfa in internal_cplus_demangle cplus-dem.c:1253
> #7 0x7c4464 in cplus_demangle cplus-dem.c:918
> #8 0x4033b3 in demangle_it binutils-2.31_ASAN/binutils/cxxfilt.c:62
> #9 0x403f1f in main binutils-2.31_ASAN/binutils/cxxfilt.c:276
> #10 0x7f1c4f4cf82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> 
> SUMMARY: AddressSanitizer: 10 byte(s) leaked in 2 allocation(s).

[Bug c++/87335] The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-11-29 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

--- Comment #11 from Cheng Wen  ---
(In reply to Scott Gayou from comment #10)

> does NOT crash

That depends on your compilation options, because stack memory is very small,
generally only 1M to 2M. You can debug it with GDB and see the backtrace.

> This looks to be another potentially duplicated CVE.

Unlike several other errors, this error is the function calling itself. In
addition, this problem was discovered earlier than those CVEs.

> All appear to be the same root cause.

Let's analyze the source code.

struct demangle_component *
cplus_demangle_type (struct d_info *di)
{
  switch (peek)
    {
    // ...
    case 'F':
      ret = d_function_type (di);
      break;
    // ...
    case 'P':
      ret = d_make_comp (di, DEMANGLE_COMPONENT_POINTER,
                         cplus_demangle_type (di), NULL);
      break;
    case 'C':
      ret = d_make_comp (di, DEMANGLE_COMPONENT_COMPLEX,
                         cplus_demangle_type (di), NULL);
      break;
    case 'G':
      ret = d_make_comp (di, DEMANGLE_COMPONENT_IMAGINARY,
                         cplus_demangle_type (di), NULL);
      break;
    // ...
    }
  // ...
}

Intuitively, in some cases, function cplus_demangle_type shows the behavior of
recursive calls. When the function cplus_demangle_type receives the character
'P' (the same for 'C' and 'G'), the cplus_demangle_type function makes recursive
calls to itself (lines 13, 18, 23). Another situation is that the function
receives the character 'F'; then there is a recursive chain of stack frames:
cplus_demangle_type, d_bare_function_type, d_function_type (lines 8, 32, 39).

So these different recursion paths can lead to a stack memory exhaustion DoS.
That depends on your compilation options. You can use my compilation options.

> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all 
> -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" 
> ./configure --disable-shared --disable-gdb --disable-libdecnumber 
> --disable-sim

If you have any question, please let me know.
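A toy model of the recursion analysed in this comment, added here as an illustration and not libiberty's code: a depth-bounded recursive-descent parser for the 'P'/'C'/'G' prefixes and the 'F'...'E' function-type production, reading through a bounds-checked peek so it stops cleanly at end of input instead of reading past the buffer. The grammar, the helper names and the depth limit of 1024 are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { ACCEPTED, REJECTED_SYNTAX, REJECTED_DEPTH };

struct parser {
  const char *p;     /* cursor into the mangled string */
  const char *end;   /* one past the last byte; peek never reads beyond it */
  int depth;         /* live recursion depth */
  int max_depth;     /* deepest level reached, reported to the caller */
  int limit;         /* assumed policy: reject once depth would pass it */
  bool depth_hit;    /* set when the limit, not the syntax, caused failure */
};

/* Bounds-checked lookahead: -1 at end of input rather than an out-of-bounds
   read. */
static int peek(const struct parser *ps)
{
  return ps->p < ps->end ? (unsigned char)*ps->p : -1;
}

static bool parse_type(struct parser *ps);

/* 'F' <type>+ 'E' : the function-type production.  This models the
   cplus_demangle_type -> d_function_type -> d_bare_function_type ->
   cplus_demangle_type cycle seen in the backtraces of this thread. */
static bool parse_function_type(struct parser *ps)
{
  int n = 0;
  while (peek(ps) != 'E')
    {
      if (peek(ps) == -1 || !parse_type(ps))
        return false;
      n++;
    }
  ps->p++;                        /* consume 'E' */
  return n > 0;
}

static bool parse_type(struct parser *ps)
{
  bool ok;

  /* The guard: each recursive entry is charged against a fixed budget, so a
     long run of 'P' fails cleanly instead of exhausting the stack. */
  if (ps->depth >= ps->limit)
    {
      ps->depth_hit = true;
      return false;
    }
  ps->depth++;
  if (ps->depth > ps->max_depth)
    ps->max_depth = ps->depth;

  switch (peek(ps))
    {
    case 'i': case 'c': case 'v':   /* builtin types: no recursion */
      ps->p++;
      ok = true;
      break;
    case 'P': case 'C': case 'G':   /* pointer / complex / imaginary */
      ps->p++;
      ok = parse_type(ps);          /* the direct self-call */
      break;
    case 'F':                       /* function type: the indirect cycle */
      ps->p++;
      ok = parse_function_type(ps);
      break;
    default:
      ok = false;                   /* unknown code, or -1 at end of input */
      break;
    }

  ps->depth--;
  return ok;
}

/* Parses one complete <type>; reports the verdict and the deepest nesting
   seen, whether or not the input was accepted. */
enum verdict check_type(const char *s, int limit, int *max_depth)
{
  struct parser ps = { s, s + strlen(s), 0, 0, limit, false };
  bool ok = parse_type(&ps) && ps.p == ps.end;
  *max_depth = ps.max_depth;
  if (ok)
    return ACCEPTED;
  return ps.depth_hit ? REJECTED_DEPTH : REJECTED_SYNTAX;
}

int main(void)
{
  /* Constructed inputs: a shallow type and a 5000-deep run of 'P'. */
  char *deep = malloc(5002);
  int d;
  enum verdict v;
  if (!deep)
    return 1;
  memset(deep, 'P', 5000);
  deep[5000] = 'i';
  deep[5001] = '\0';
  v = check_type("PPi", 1024, &d);
  printf("PPi:    verdict %d, depth %d\n", v, d);
  v = check_type(deep, 1024, &d);
  printf("P*5000: verdict %d, depth %d\n", v, d);
  free(deep);
  return 0;
}
```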

[Bug c++/87636] Infinite Recursive Stack Frames in cp-demangle.c in libiberty(function cplus_demangle_type, d_bare_function_type, d_function_type)

2018-10-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

--- Comment #2 from Cheng Wen  ---
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
If you have any questions, please let me know.

[Bug c++/87636] Infinite Recursive Stack Frames in cp-demangle.c in libiberty(function cplus_demangle_type, d_bare_function_type, d_function_type)

2018-10-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

--- Comment #1 from Cheng Wen  ---
I have summarized the different recursive stack frames problem in c++filt.

> This issue (In cp-demangle.c.c)
> recursive stack frames: cplus_demangle_type, d_bare_function_type, 
> d_function_type

I find that many people have reported similar problems, but they have not been
completely fixed. For example:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12641

> [CVE-2018-9138] (In cplus-dem.c)
> recursive stack frames: demangle_nested_args, demangle_args, do_arg, and 
> do_type
> [CVE-2018-9996] (In cplus-dem.c)
> recursive stack frames: demangle_template_value_parm, 
> demangle_integral_value, and demangle_expression
> [CVE-2018-12641] (In cplus-dem.c)
> recursive stack frames: demangle_arm_hp_template, demangle_class_name, 
> demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args.

In addition, there are still some practical problems that have not been
successfully reproduced. For example:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87340
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333


I tried to reproduce the above problems on different machines. That may be a
mismatch in your compilation options. You can try to use the compiler options
that I provided.

> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all 
> -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" 
> ./configure --disable-shared --disable-gdb --disable-libdecnumber 
> --disable-sim --prefix=$PWD/build/
> CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address 
> -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" 
> LDFLAGS="-fsanitize=address" ./configure --prefix=$PWD/build/

Many of these problems have not been completely fixed. I think this problem may
need attention.

[Bug c++/87636] New: Infinite Recursive Stack Frames in cp-demangle.c in libiberty(function cplus_demangle_type, d_bare_function_type, d_function_type)

2018-10-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

Bug ID: 87636
   Summary: Infinite Recursive Stack Frames in cp-demangle.c in
libiberty(function cplus_demangle_type,
d_bare_function_type, d_function_type)
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 44850
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44850&action=edit
POC

Dear all,

The following new binutils Stack-Overflow in libiberty was found by a modified
version of the AFL fuzzer (MemFuzz). I have attached the crashing input and an
ASAN report. I have confirmed them with address sanitizer too.

In this issue, Stack Exhaustion occurs in the C++ demangling functions provided
by libiberty, and there are recursive stack frames in cp-demangle:
cplus_demangle_type, d_bare_function_type, d_function_type. This can occur
during the execution of "c++filt -t". I have also collected the different Stack
Overflow problems that recently appeared in c++filt, which I will list later.
There may be some problems that need attention.

Please use the "./c++filt < $POC -t" to reproduce the bug. (Remember to add the
"-t" option and the "<" symbol.)


Here are my compile options.

CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error"
./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim
--prefix=$PWD/build/

> ASAN:DEADLYSIGNAL
> =
> ==28168==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfcdedf28 
> (pc 0x02081a20 bp 0x7ffdfcdee0f0 sp 0x7ffdfcdedf28 T0)
> #0 0x2081a1f in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2367
> #1 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #2 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #3 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #4 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #5 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #6 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #7 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #8 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #9 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #10 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #11 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #12 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #13 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #14 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #15 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #16 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #17 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> ...
> #250 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #251 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> 
> SUMMARY: AddressSanitizer: stack-overflow 
> binutils-gdb/libiberty/./cp-demangle.c:2367 in cplus_demangle_type

We do fuzz testing on the 15 Oct commit version of
binutils (dc86962bf15e7b8dfdcebc17d83b9b48be0bd9cb). And we have also confirmed
this in the release version 2.31.
Please use the "./c++filt < $POC -t" to reproduce the bug. (Remember to add the
"-t" option and the "<" symbol.)

[Bug c++/87602] Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)

2018-10-16 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602

--- Comment #2 from Cheng Wen  ---
I have further analyzed this bug. The variable n in function get_count (const
char **type, int *count) has an integer overflow problem. The value is passed to
the variable count.

>   do
>     {
>       n *= 10;
>       n += *p - '0';
>       p++;
>     }
>   while (ISDIGIT ((unsigned char)*p));
>   if (*p == '_')
>     {
>       *type = p + 1;
>       *count = n;
>     }

After that, *count is passed as the parameter to XNEWVEC (char *, r).

> work->tmpl_argvec = XNEWVEC (char *, r);

Finally, malloc is called with the negative size in /libiberty/./xmalloc.c:147:12.
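A hardened counterpart to the quoted get_count() loop and to the XNEWVEC sizing that follows it, added here as an example and not libiberty's code: the digit accumulation stops before n could exceed INT_MAX, so n can never wrap negative, and the allocation size is refused when the count is negative or the product would overflow size_t. The names get_count_checked and vec_bytes_checked are assumptions of this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of the quoted get_count() loop (hypothetical helper,
   not libiberty's code).  Decimal digits at *type are accumulated into an
   int, but the loop stops before n * 10 + d would exceed INT_MAX, so n can
   never wrap to a negative value.  On success *type is advanced past the
   trailing '_' and *count receives the value; on overflow, or when no '_'
   follows the digits, it returns false and leaves both outputs untouched. */
bool get_count_checked(const char **type, int *count)
{
  const char *p = *type;
  int n = 0;

  if (!isdigit((unsigned char)*p))
    return false;

  do
    {
      int d = *p - '0';
      /* n * 10 + d <= INT_MAX  <=>  n <= (INT_MAX - d) / 10 */
      if (n > (INT_MAX - d) / 10)
        return false;               /* would overflow: reject the input */
      n = n * 10 + d;
      p++;
    }
  while (isdigit((unsigned char)*p));

  if (*p != '_')
    return false;

  *type = p + 1;
  *count = n;
  return true;
}

/* Second line of defence at the allocation site.  XNEWVEC (char *, r)
   computes r * sizeof (char *) as a size_t, so a negative r wraps to a huge
   request (the failed 0xfffd6ff0-byte allocation in the report).  This
   helper (also hypothetical) yields a byte count only when r is
   non-negative and the product cannot overflow. */
bool vec_bytes_checked(int r, size_t elem_size, size_t *bytes)
{
  if (r < 0)
    return false;
  if (elem_size != 0 && (size_t)r > SIZE_MAX / elem_size)
    return false;
  *bytes = (size_t)r * elem_size;
  return true;
}

int main(void)
{
  /* Constructed sample inputs: a sane count and an absurdly long digit run. */
  const char *ok = "12_Foo";
  const char *huge = "99999999999999999999_Foo";
  int count;
  size_t bytes;

  if (get_count_checked(&ok, &count)
      && vec_bytes_checked(count, sizeof(char *), &bytes))
    printf("count=%d rest=%s bytes=%zu\n", count, ok, bytes);
  if (!get_count_checked(&huge, &count))
    printf("rejected: digit run would overflow int\n");
  if (!vec_bytes_checked(-1, sizeof(char *), &bytes))
    printf("rejected: negative element count\n");
  return 0;
}
```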

[Bug c++/87602] Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)

2018-10-15 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602

Cheng Wen  changed:

   What|Removed |Added

Summary|Integer Overflow in cplus-dem.c in c++filt in bintuils|Integer Overflow in cplus-dem.c in c++filt in bintuils which leads to Undefined-behavior(OOM in this POC)

--- Comment #1 from Cheng Wen  ---
In cplus-dem.c:3597
   n *= 10;
   n += *p - '0';
   p++;
This testcase will set n = 7. 7 * 10 cannot be represented in
type 'int', which makes n have an integer overflow problem. This problem leads
to undefined behavior.


I will show you the debug process as follows:

> $ gdb --args ./c++filt _rttt46__H766_
> (gdb) start
> Temporary breakpoint 1 at 0x4ea9a6: file cxxfilt.c, line 172.
> Starting program: /build/bin/c++filt _rttt46__H766__c
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Temporary breakpoint 1, main (argc=2, argv=0x7fffdff8) at cxxfilt.c:172
> 172 {
> (gdb) b cplus-dem.c:3597
> Breakpoint 2 at 0x20171b4: file ./cplus-dem.c, line 3597.
> (gdb) c
> Continuing.
> Breakpoint 2, get_count (type=, count=) at 
> ./cplus-dem.c:3597
> 3597  n *= 10;
> (gdb) n
> cplus-dem.c:3597:10: runtime error: signed integer overflow: 7 * 10 
> cannot be represented in type 'int'
> SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
> 3598  n += *p - '0';
> (gdb) n
> 3599  p++;

[Bug c++/87602] New: Out of Memory problem caused by Integer Overflow in c++filt

2018-10-12 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602

Bug ID: 87602
   Summary: Out of Memory problem caused by Integer Overflow in
c++filt
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 44830
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44830&action=edit
POC_input

Hi. We are doing research on fuzz testing. Our fuzzer caught an Out of Memory
problem in the program c++filt of the latest binutils (v2.31.1) code base; a
malicious input of format strings will cause LargeMmapAllocator faults, and I
have confirmed it with address sanitizer too. This bug is caused by integer
overflow.

The way to reproduce the bug:
I have provided the POC file and the input (_rttt46__H766__c). Please use the
"./c++filt < $POC" to reproduce the bug. Another way to reproduce this bug is
to type "c++filt _rttt46__H766__c" directly. If you have any questions, please
let me know.


The ASAN dumps the stack trace as follows:
cplus-dem.c:3597:10: runtime error: signed integer overflow: 7 * 10
cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior cplus-dem.c:3597:10 in
==13543==WARNING: AddressSanitizer failed to allocate 0xfffd6ff0 bytes
==13543==AddressSanitizer's allocator is terminating the process instead of
returning 0
==13543==If you don't like this behavior set allocator_may_return_null=1
==13543==AddressSanitizer CHECK failed:
/build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
"((0))
)" (0x0, 0x0)
#0 0x4c2a2d 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c2a2d)
#1 0x4c9653 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c9653)
#2 0x4c71d6 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4c71d6)
#3 0x41efec 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x41efec)
#4 0x4b9401 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4b9401)
#5 0x21e42be 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x21e42be)
#6 0x1ffc3b7 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1ffc3b7)
#7 0x1fe8a17 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fe8a17)
#8 0x2039f37 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x2039f37)
#9 0x1fcbb2c 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fcbb2c)
#10 0x1fb8b23 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x1fb8b23)
#11 0x4eef03 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4eef03)
#12 0x4ed203 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x4ed203)
#13 0x7f49e9d5182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x419318 
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_AFL_ASAN/build/bin/c++filt+0x419318)

Aborted

[Bug c++/87335] The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

--- Comment #9 from Cheng Wen  ---
(In reply to Jonathan Wakely from comment #8)

Hi Jonathan,

I debugged with this POC again. I still think it's a problem. I will show you
the debug process as follows.

> $ gdb ./c++filt
> Reading symbols from ./c++filt...done.
> (gdb) set args -t < POC-t
> (gdb) b cp-demangle.c:2565
> Breakpoint 1 at 0x8d5227: file ./cp-demangle.c, line 2565.
> (gdb) start
> (gdb) c
> Continuing.
> Breakpoint 1, cplus_demangle_type (di=0x7fffd560) at ./cp-demangle.c:2565
> 2565  cplus_demangle_type (di), NULL);
> (gdb) c
> Continuing.
> Breakpoint 1, cplus_demangle_type (di=0x7fffd560) at ./cp-demangle.c:2565
> 2565  cplus_demangle_type (di), NULL);
> ...
> ...
> ...
> (gdb) c
> Continuing.
> Breakpoint 1, cplus_demangle_type (di=0x7fffd560) at ./cp-demangle.c:2565
> 2565  cplus_demangle_type (di), NULL);
> (gdb) bt
> #0  cplus_demangle_type (di=0x7fffd560) at ./cp-demangle.c:2565
> #1  0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> #2  0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> #3  0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> #4  0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> ...
> ...
> ...
> #456 0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> #457 0x008d523d in cplus_demangle_type (di=0x7fffd560) at 
> ./cp-demangle.c:2565
> #458 0x008dd318 in d_demangle_callback (mangled=0x18b2e40 
>  'P' ..., options=283,
>   callback=0x8dc110 , 
> opaque=0x7fffd860) at ./cp-demangle.c:6245
> #459 0x008dc84f in d_demangle (mangled=0x18b2e40  'P' 
> ..., options=283,
>   palc=0x7fffd9e0) at ./cp-demangle.c:6299
> #460 0x008dc696 in cplus_demangle_v3 (mangled=0x18b2e40 
>  'P' ..., options=283)
>   at ./cp-demangle.c:6456
> #461 0x008b1cf4 in cplus_demangle (mangled=0x18b2e40  
> 'P' ..., options=27)
>   at ./cplus-dem.c:880
> #462 0x00517676 in demangle_it (mangled_name=0x18b2e40  
> 'P' ...) at cxxfilt.c:62
> #463 0x0051726a in main (argc=2, argv=0x7fffe008) at cxxfilt.c:276


Using gdb to debug it, I set a breakpoint at cp-demangle.c:2565. After reaching
this breakpoint any number of times, you can see the stack backtrace.
This will consume a lot of stack memory.
(Caution: a command such as "gdb --args ./c++filt -t < $POC" is not valid.
Please use "gdb ./c++filt", then "set args -t < $POC".)

Thanks
Cheng Wen

[Bug c++/87350] NULL-Pointer problem in cplus-dem.c when executing program c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350

--- Comment #4 from Cheng Wen  ---
Yes.

One input test case is "_GLOBAL_$D$__tf30___0__".
Another input test case is "__thunk_0__0__$__H1".

I see that you can reproduce this error. Do you know the reason for this bug?

[Bug c++/87335] The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

--- Comment #7 from Cheng Wen  ---
(In reply to Jonathan Wakely from comment #6)

Considering the memory size of different machines, maybe more 'P' is needed to
trigger this bug in the input.

[Bug c++/87333] A stack overflow problem for c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333

--- Comment #4 from Cheng Wen  ---
Created attachment 44717
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44717&action=edit
POC2

I have a new POC to add.
Please use the "c++filt < $POC" to reproduce the bug.
Please check it and debug it. Thank you.

POC2:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_2

The ASAN dumps the stack trace as follows on POC2:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_2.err.txt

AddressSanitizer:DEADLYSIGNAL
=
==24101==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcd22d1fd8 (pc
0x00497287 bp 0x7ffcd22d2850 sp 0x7ffcd22d1fe0 T0)
#0 0x497286 in __interceptor_strlen.part.30
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286)
#1 0x8bdc7e in string_append
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4960:7
#2 0x8cb7f5 in demangle_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4578:7
#3 0x8cdff7 in demangle_nested_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
#4 0x8ad46a in do_type
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
#5 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
...
...
...
#245 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
#246 0x8cc7b4 in demangle_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4659:9
#247 0x8cdff7 in demangle_nested_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
#248 0x8ad46a in do_type
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
#249 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8

SUMMARY: AddressSanitizer: stack-overflow
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286) in
__interceptor_strlen.part.30
==24101==ABORTING

[Bug c++/87333] A stack overflow problem for c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333

--- Comment #3 from Cheng Wen  ---
Created attachment 44716
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44716&action=edit
POC1

I have a new POC to add.
Please use the "c++filt < $POC" to reproduce the bug.
Please check it and debug it. Thank you.


POC1:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_1

The ASAN dumps the stack trace as follows on POC1:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_1.err.txt

AddressSanitizer:DEADLYSIGNAL
=
==24028==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd854a7e18 (pc
0x00497287 bp 0x7ffd854a8690 sp 0x7ffd854a7e20 T0)
#0 0x497286 in __interceptor_strlen.part.30
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286)
#1 0x8bdc7e in string_append
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4960:7
#2 0x8cb7f5 in demangle_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4578:7
#3 0x8cdff7 in demangle_nested_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
#4 0x8ad46a in do_type
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
#5 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
...
...
...
#244 0x8ad46a in do_type
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
#245 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
#246 0x8cc7b4 in demangle_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4659:9
#247 0x8cdff7 in demangle_nested_args
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
#248 0x8ad46a in do_type
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
#249 0x8cd8c6 in do_arg
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8

SUMMARY: AddressSanitizer: stack-overflow
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286) in
__interceptor_strlen.part.30
==24028==ABORTING

[Bug c++/87335] The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

--- Comment #5 from Cheng Wen  ---
(In reply to Jonathan Wakely from comment #4)
> Are you sure you attached the right file? When I try to demangle the
> attachment it doesn't crash, the __cxa_demangle file returns -2, meaning the
> name is not valid. That seems like the right result.

I have tried to reproduce this bug on different machines.
There are some questions to be confirmed.

(1) Do you use the latest version of binutils (binutils-2.32/binutils-2.31)? I
downloaded the package from here.
https://www.gnu.org/software/binutils/

(2) Please confirm that you have used the option "-t".
The command should be "./c++filt -t < $POC"

(3) Did you confirm this POC with address sanitizer?

[Bug c++/87350] NULL-Pointer problem in cplus-dem.c when executing program c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350

--- Comment #2 from Cheng Wen  ---
Created attachment 44715
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44715=edit
POC2

[Bug c++/87350] NULL-Pointer problem in cplus-dem.c when executing program c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350

--- Comment #1 from Cheng Wen  ---
Created attachment 44714
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44714=edit
POC1

[Bug c++/87350] New: NULL-Pointer problem in cplus-dem.c when executing program c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350

Bug ID: 87350
   Summary: NULL-Pointer problem in cplus-dem.c when executing
program c++filt
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Hi,

Our fuzzer caught NULL-Pointer problems in c++filt of the latest binutils code
base. These inputs cause segmentation faults, and I have confirmed them with
address sanitizer.
Please use “c++filt < $POC” to reproduce the bug.
Please check it and debug it. Thank you.


The ASAN dumps the stack trace as follows on POC1:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/npd_r_cplus-dem.c:1345_1.err.txt

AddressSanitizer:DEADLYSIGNAL
=
==23610==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x7f67702435a1 bp 0x7ffe2a376680 sp 0x7ffe2a375e08 T0)
==23610==The signal is caused by a READ memory access.
==23610==Hint: address points to the zero page.
#0 0x7f67702435a0 
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
#1 0x49728c in __interceptor_strlen.part.30
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x49728c)
#2 0x8c9caa in work_stuff_copy_to_from
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:1345:17
#3 0x8c553c in iterate_demangle_function
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:2731:3
#4 0x8b77ec in demangle_prefix
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:2971:14
#5 0x8b2d00 in internal_cplus_demangle
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:1253:14
#6 0x8afe53 in cplus_demangle
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:918:9
#7 0x513dd5 in demangle_it
/home/hongxu/FOT/binutils/BUILD/binutils/../../binutils/cxxfilt.c:62:12
#8 0x5139c9 in main
/home/hongxu/FOT/binutils/BUILD/binutils/../../binutils/cxxfilt.c:276:4
#9 0x7f67700d6b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x41a989 in _start
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x41a989)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
 
==23610==ABORTING


The ASAN dumps the stack trace as follows on POC2:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/npd_r_cplus-dem.c:1360_1.err.txt

AddressSanitizer:DEADLYSIGNAL
=
==23847==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x008ca218 bp 0x7ffe44bfad50 sp 0x7ffe44bfaa10 T0)
==23847==The signal is caused by a READ memory access.
==23847==Hint: address points to the zero page.
#0 0x8ca217 in work_stuff_copy_to_from
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:1360:25
#1 0x8c553c in iterate_demangle_function
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:2731:3
#2 0x8b77ec in demangle_prefix
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:2971:14
#3 0x8b2d00 in internal_cplus_demangle
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:1253:14
#4 0x8afe53 in cplus_demangle
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:918:9
#5 0x513dd5 in demangle_it
/home/hongxu/FOT/binutils/BUILD/binutils/../../binutils/cxxfilt.c:62:12
#6 0x5139c9 in main
/home/hongxu/FOT/binutils/BUILD/binutils/../../binutils/cxxfilt.c:276:4
#7 0x7ff52abf2b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41a989 in _start
(/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x41a989)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:1360:25
in work_stuff_copy_to_from
==23847==ABORTING

[Bug c++/87333] A stack overflow problem for c++filt

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333

--- Comment #2 from Cheng Wen  ---
(In reply to Martin Liška from comment #1)
> Is the input a valid C++ mangled name or not?

Hi,
This input is obtained through fuzzing technology. Our fuzzer gets some test
cases by mutating a valid input. This cannot guarantee that this is a valid
C++ mangled name.

The program c++filt accepts the test case I uploaded, and this test case can
prove that c++filt has problems. When the program c++filt executes this input, a
stack-overflow problem occurs. Please check this input and try to fix this bug
if necessary.

Thank you very much.

[Bug c++/87335] The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-09-18 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

--- Comment #2 from Cheng Wen  ---
(In reply to Martin Liška from comment #1)
> Is the input a valid C++ mangled name or not?

Hi,
This input is obtained through fuzzing technology. Our fuzzer gets some test
cases by mutating a valid input. This cannot guarantee that this is a valid
C++ mangled name.

The program c++filt accepts the test case I uploaded, and this test case can
prove that c++filt has problems. When the program c++filt executes this input, a
stack-overflow problem occurs. Please check this input and try to fix this bug
if necessary.

Thank you very much.

[Bug c++/87335] New: The stack overflow in function cplus_demangle_type in cp-demangle.c:2565 (c++filt -t)

2018-09-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335

Bug ID: 87335
   Summary: The stack overflow in function cplus_demangle_type in
cp-demangle.c:2565 (c++filt -t)
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 44706
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44706=edit
Stack_overflow_in_c++filt-t

Hi,

We have found a stack overflow in function cplus_demangle_type in
cp-demangle.c:2565 in c++filt of the latest binutils code base.

Here is the POC file. Please use “c++filt -t < $POC” to reproduce the bug.
Thank you very much.


Command: “c++filt -t < $POC” (Please remember to use the option -t)

AddressSanitizer:DEADLYSIGNAL
=
==21814==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcafaefbc0 (pc
0x008d3eb1 bp 0x7ffcafaf02d0 sp 0x7ffcafaefbc0 T0)
#0 0x8d3eb0 in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2367
#1 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#2 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#3 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#4 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#5 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#6 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#7 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#8 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#9 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
...
...
...
#246 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#247 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#248 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5
#249 0x8d523c in cplus_demangle_type
/binutils-2.31/libiberty/./cp-demangle.c:2565:5

SUMMARY: AddressSanitizer: stack-overflow
/binutils-2.31/libiberty/./cp-demangle.c:2367 in cplus_demangle_type
==21814==ABORTING
Aborted
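Both kinds of trace on this page share one shape: the demangler is a recursive-descent parser that spends one stack frame per nesting level of the input, either directly (cplus_demangle_type calling itself at cp-demangle.c:2565 in the trace above) or through a cycle (do_arg -> do_type -> demangle_nested_args -> demangle_args -> do_arg in the cplus-dem.c traces earlier in the thread). A fuzzer only has to find the prefix that nests and repeat it until the stack is gone. The toy parser below is an added example, not libiberty code and not the fix the project applied; it uses a hypothetical encoding (i = int, c = char, P<type> = pointer, F<ret><arg>...E = function type) to show the same self- and mutual recursion, and the standard mitigation: a depth counter that fails closed with an error status instead of recursing further.

```c
/* Added example (not libiberty code): a toy recursive-descent "demangler"
 * for a hypothetical encoding, showing the bug class behind the traces
 * above (one stack frame per nesting level of attacker-controlled input)
 * and the usual mitigation (a depth counter that fails closed).
 * Grammar: i = int, c = char, P<type> = pointer to type,
 *          F<ret><arg>...E = function returning <ret> with the listed args. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum demangle_status { DM_OK = 0, DM_BAD_INPUT, DM_TOO_DEEP, DM_OUTPUT_FULL };

struct parser {
    const char *p;            /* cursor into the mangled input */
    int depth;                /* current recursion depth */
    int max_depth;            /* ceiling; 0 means unlimited (the unsafe mode) */
    int deepest;              /* deepest level visited, for reporting */
    char *out;                /* rendered output */
    size_t out_cap, out_len;
    enum demangle_status status;
};

static void emit(struct parser *ps, const char *s)
{
    size_t n = strlen(s);
    if (ps->status != DM_OK) return;
    if (ps->out_len + n + 1 > ps->out_cap) { ps->status = DM_OUTPUT_FULL; return; }
    memcpy(ps->out + ps->out_len, s, n + 1);
    ps->out_len += n;
}

static int parse_args(struct parser *ps);

static int parse_type(struct parser *ps)
{
    int ok = 0;
    if (ps->status != DM_OK) return 0;
    /* The mitigation: refuse to recurse past max_depth instead of letting a
     * long run of 'P' prefixes consume the whole stack. */
    if (ps->max_depth > 0 && ps->depth >= ps->max_depth) {
        ps->status = DM_TOO_DEEP;
        return 0;
    }
    ps->depth++;
    if (ps->depth > ps->deepest) ps->deepest = ps->depth;
    switch (*ps->p) {
    case 'i': ps->p++; emit(ps, "int");  ok = 1; break;
    case 'c': ps->p++; emit(ps, "char"); ok = 1; break;
    case 'P':                            /* direct self-recursion */
        ps->p++;
        emit(ps, "ptr<");
        ok = parse_type(ps);
        if (ok) emit(ps, ">");
        break;
    case 'F':                            /* mutual recursion via parse_args */
        ps->p++;
        emit(ps, "fn<");
        ok = parse_type(ps);
        if (ok) { emit(ps, ">("); ok = parse_args(ps); }
        break;
    default:
        ps->status = DM_BAD_INPUT;
    }
    ps->depth--;
    return ok && ps->status == DM_OK;
}

static int parse_args(struct parser *ps)
{
    int first = 1;
    while (*ps->p != 'E') {
        if (*ps->p == '\0') { ps->status = DM_BAD_INPUT; return 0; }
        if (!first) emit(ps, ", ");
        first = 0;
        if (!parse_type(ps)) return 0;
    }
    ps->p++;                             /* consume the terminating 'E' */
    emit(ps, ")");
    return ps->status == DM_OK;
}

/* Render `mangled` into `out`; *deepest receives the deepest nesting seen. */
enum demangle_status demangle(const char *mangled, int max_depth,
                              char *out, size_t out_cap, int *deepest)
{
    struct parser ps = { mangled, 0, max_depth, 0, out, out_cap, 0, DM_OK };
    if (out_cap == 0) return DM_OUTPUT_FULL;
    out[0] = '\0';
    parse_type(&ps);
    if (ps.status == DM_OK && *ps.p != '\0') ps.status = DM_BAD_INPUT; /* trailing bytes */
    if (deepest) *deepest = ps.deepest;
    return ps.status;
}

/* Constructed adversarial input: n 'P' prefixes before an int, the shape a
 * fuzzer converges on. Returns the parser status; *deepest gets the depth. */
enum demangle_status nested_pointer_status(size_t n, int max_depth, int *deepest)
{
    size_t cap = 6 * n + 16;             /* enough even in unlimited mode */
    char *in = malloc(n + 2), *out = malloc(cap);
    enum demangle_status st;
    if (!in || !out) { free(in); free(out); return DM_OUTPUT_FULL; }
    memset(in, 'P', n);
    in[n] = 'i'; in[n + 1] = '\0';
    st = demangle(in, max_depth, out, cap, deepest);
    free(in); free(out);
    return st;
}

int main(void)
{
    char out[256];
    int deepest;
    enum demangle_status st = demangle("PFiPcE", 1024, out, sizeof out, &deepest);
    printf("status=%d out=%s deepest=%d\n", st, out, deepest);
    /* One million nested pointers: with max_depth 0 this would recurse a
     * million frames and die like the traces above; with 1024 it fails closed. */
    st = nested_pointer_status(1000000, 1024, &deepest);
    printf("status=%d deepest=%d\n", st, deepest);
    return 0;
}
```

The limit is enforced at the single entry point that every recursive path goes through (parse_type), so the mutual recursion through parse_args is covered without a second counter. A limit of a few thousand is far above anything a real mangled name needs, so a DM_TOO_DEEP result on an input of the kind attached to these bugs is itself a useful detection signal: it identifies a malformed or hostile symbol rather than masking it as a crash.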

[Bug c++/87333] New: A stack overflow problem for c++filt

2018-09-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333

Bug ID: 87333
   Summary: A stack overflow problem for c++filt
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 44704
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44704=edit
c++filt < POC

We have found some stack overflows in c++filt of the latest binutils code base.
Here are the POC files with different kinds of stack overflow.

Please use “c++filt < POC” to reproduce the bug.
Please check it and debug it.
Thank you very much.


ASAN output:

(1)binutils-2.31/build/bin$ ./c++filt < POC1

ASAN:DEADLYSIGNAL
=
==7555==ERROR: AddressSanitizer: stack-overflow on address 0x7fffefbe1f48 (pc
0x009566e8 bp 0x7fffefbe2140 sp 0x7fffefbe1f48 T0)
#0 0x9566e7  (/mnt/d/Project/binutils-2.31/build/bin/c++filt+0x9566e7)
#1 0xcccf00  (/mnt/d/Project/binutils-2.31/build/bin/c++filt+0xcccf00)

SUMMARY: AddressSanitizer: stack-overflow
(/mnt/d/Project/binutils-2.31/build/bin/c++filt+0x9566e7) 
==7555==ABORTING
Aborted (core dumped)

(2)binutils-2.31/build/bin$ ./c++filt < POC2

ASAN:DEADLYSIGNAL
=
==14325==ERROR: AddressSanitizer: stack-overflow on address 0x7fffdbe5dff8 (pc
0x7f9d75b4364f bp 0x0018 sp 0x7fffdbe5dfe0 T0)
#0 0x7f9d75b4364e  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x10364e)
#1 0x7f9d75b43137  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x103137)
#2 0x7f9d75a682b1  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x282b1)
#3 0x7f9d75b1eb5a in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb5a)
#4 0x9cad7c in xmalloc xmalloc.c:147
#5 0x8f22e0 in do_arg cplus-dem.c:4330
#6 0x8f2d70 in demangle_args cplus-dem.c:4659
#7 0x8d9039 in demangle_nested_args cplus-dem.c:4713
#8 0x8d9039 in do_type cplus-dem.c:3719
#9 0x8f1d39 in do_arg cplus-dem.c:4332
#10 0x8f2d70 in demangle_args cplus-dem.c:4659
#11 0x8d9039 in demangle_nested_args cplus-dem.c:4713
#12 0x8d9039 in do_type cplus-dem.c:3719
#13 0x8f1d39 in do_arg cplus-dem.c:4332
#14 0x8f2d70 in demangle_args cplus-dem.c:4659
#15 0x8d9039 in demangle_nested_args cplus-dem.c:4713
#16 0x8d9039 in do_type cplus-dem.c:3719
#17 0x8f1d39 in do_arg cplus-dem.c:4332
#18 0x8f2d70 in demangle_args cplus-dem.c:4659
#19 0x8d9039 in demangle_nested_args cplus-dem.c:4713
#20 0x8d9039 in do_type cplus-dem.c:3719