https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
Bug ID: 87636
Summary: Infinite Recursive Stack Frames in cp-demangle.c in libiberty (function cplus_demangle_type, d_bare_function_type, d_function_type)
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 44850
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44850&action=edit
POC

Dear all,

The following new binutils stack overflow in libiberty was found by a modified version of the AFL fuzzer (MemFuzz). I have attached the crashing input and an ASAN report. I have confirmed it with AddressSanitizer too.

In this issue, stack exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames in cp-demangle: cplus_demangle_type, d_bare_function_type, d_function_type. This can occur during the execution of "c++filt -t".

I have also collected the different stack overflow problems that recently appeared in c++filt, which I will list later. There may be some problems that need attention.

Please use "./c++filt < $POC -t" to reproduce the bug. (Remember to add the "-t" option and the "<" symbol.)

Here are my compile options:
CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim --prefix=$PWD/build/

> ASAN:DEADLYSIGNAL
> =================================================================
> ==28168==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfcdedf28
> (pc 0x000002081a20 bp 0x7ffdfcdee0f0 sp 0x7ffdfcdedf28 T0)
> #0 0x2081a1f in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2367
> #1 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #2 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #3 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #4 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #5 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #6 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #7 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #8 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #9 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #10 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #11 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #12 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #13 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #14 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> #15 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13
> #16 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #17 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
> ...
> #250 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21
> #251 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9
>
> SUMMARY: AddressSanitizer: stack-overflow binutils-gdb/libiberty/./cp-demangle.c:2367 in cplus_demangle_type

We did fuzz testing on the 15 Oct commit version of binutils (dc86962bf15e7b8dfdcebc17d83b9b48be0bd9cb), and we have also confirmed this in release version 2.31.

Please use "./c++filt < $POC -t" to reproduce the bug. (Remember to add the "-t" option and the "<" symbol.)
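The cycle in the trace above (cplus_demangle_type -> d_bare_function_type -> d_function_type -> cplus_demangle_type) is a recursive-descent parser following nested function types with nothing bounding the depth, so the recursion depth is controlled entirely by the attacker's input. The following is an added example, not libiberty code and not the reporter's POC: a toy parser for a tiny subset of Itanium <type> productions (i, c, v, P<type>, F<bare-function-type>E) with the check a practitioner would want, an explicit depth counter that turns stack exhaustion into a clean error. MAX_DEPTH, the grammar subset, the output formatting and the constructed nested input are all assumptions made for illustration.

```c
/* Added example (not libiberty code): a toy recursive-descent parser for a
 * small subset of Itanium C++ mangled <type> productions, with an explicit
 * recursion-depth limit so that adversarial input fails cleanly instead of
 * exhausting the stack. Grammar subset, limit and formatting are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 256      /* assumed bound; real demanglers pick their own */
#define BUF 1024           /* scratch size per frame; deep enough for MAX_DEPTH */

struct parser {
    const char *p;         /* cursor into the mangled string */
    int depth;             /* current nesting depth of parse_type */
    int too_deep;          /* set once MAX_DEPTH is exceeded */
};

static int parse_type(struct parser *ps, char *out, size_t outsz);

/* <bare-function-type> ::= <type>+   (first <type> is the return type) */
static int parse_bare_function_type(struct parser *ps, char *out, size_t outsz)
{
    char ret[BUF], args[BUF] = "";
    if (!parse_type(ps, ret, sizeof ret))
        return 0;
    while (*ps->p && *ps->p != 'E') {
        char a[BUF];
        if (!parse_type(ps, a, sizeof a))
            return 0;
        if (args[0])
            strncat(args, ", ", sizeof args - strlen(args) - 1);
        strncat(args, a, sizeof args - strlen(args) - 1);
    }
    snprintf(out, outsz, "%s (%s)", ret, args);
    return 1;
}

/* <function-type> ::= F <bare-function-type> E */
static int parse_function_type(struct parser *ps, char *out, size_t outsz)
{
    ps->p++;                               /* consume 'F' */
    if (!parse_bare_function_type(ps, out, outsz) || *ps->p != 'E')
        return 0;
    ps->p++;                               /* consume 'E' */
    return 1;
}

/* <type> ::= i | c | v | P <type> | <function-type>
 * This production closes the cycle type -> function-type ->
 * bare-function-type -> type, mirroring the frames in the ASAN report. */
static int parse_type(struct parser *ps, char *out, size_t outsz)
{
    int ok = 0;
    if (++ps->depth > MAX_DEPTH) {         /* the guard: refuse, do not recurse */
        ps->too_deep = 1;
        ps->depth--;
        return 0;
    }
    switch (*ps->p) {
    case 'i': ps->p++; snprintf(out, outsz, "int");  ok = 1; break;
    case 'c': ps->p++; snprintf(out, outsz, "char"); ok = 1; break;
    case 'v': ps->p++; snprintf(out, outsz, "void"); ok = 1; break;
    case 'P': {
        char inner[BUF];
        ps->p++;
        if (parse_type(ps, inner, sizeof inner)) {
            snprintf(out, outsz, "%s*", inner);  /* simplified pointer spelling */
            ok = 1;
        }
        break;
    }
    case 'F': ok = parse_function_type(ps, out, outsz); break;
    default:  ok = 0; break;
    }
    ps->depth--;
    return ok;
}

/* 1 = demangled into out, 0 = malformed input, -1 = nested deeper than MAX_DEPTH. */
int demangle_type(const char *mangled, char *out, size_t outsz)
{
    struct parser ps = { mangled, 0, 0 };
    if (!parse_type(&ps, out, outsz) || *ps.p != '\0')
        return ps.too_deep ? -1 : 0;
    return 1;
}

/* Constructed input (not the attached POC): n function types nested as
 * return types, e.g. n=2 -> "FFiEE". Returns demangle_type's result code. */
int nested_result(size_t n)
{
    size_t i, k = 0, len = 2 * n + 2;
    char out[BUF], *buf = malloc(len);
    int rc;
    if (!buf) return 0;
    for (i = 0; i < n; i++) buf[k++] = 'F';
    buf[k++] = 'i';
    for (i = 0; i < n; i++) buf[k++] = 'E';
    buf[k] = '\0';
    rc = demangle_type(buf, out, sizeof out);
    free(buf);
    return rc;
}

int demangle_result(const char *mangled)
{
    char out[BUF];
    return demangle_type(mangled, out, sizeof out);
}

int demangles_to(const char *mangled, const char *expected)
{
    char out[BUF];
    return demangle_type(mangled, out, sizeof out) == 1 && strcmp(out, expected) == 0;
}

int main(void)
{
    char out[BUF];
    if (demangle_type("PFicE", out, sizeof out) == 1)
        printf("PFicE -> %s\n", out);
    printf("3 nested F...E -> rc=%d\n", nested_result(3));
    printf("100000 nested F...E -> rc=%d (-1 = rejected by depth limit)\n",
           nested_result(100000));
    return 0;
}
```

With the `++ps->depth > MAX_DEPTH` check removed, the 100000-level input is exactly the shape of input that produces an AddressSanitizer stack-overflow report like the one above; with it, the parser unwinds and reports -1 after at most MAX_DEPTH levels. The counter lives in the parser state rather than in a static so that it is reset per call and is correct even when parsing fails part way down.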