https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100105

            Bug ID: 100105
           Summary: stack exhaust by recursion in cxxfilt demangler
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rding at gatech dot edu
  Target Milestone: ---

Created attachment 50607
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50607&action=edit
PoC for the crash

Hi,

A stack exhaustion bug has been found in cxxfilt at the HEAD of the master
branch. The reply at https://sourceware.org/bugzilla/show_bug.cgi?id=27737
pointed me to report it here, since the bug is in the demangler before it was
imported into the Binutils codebase. The version information is as follows:

commit a15a276b46bf07323a1d270d7abece83ef1ea78f (HEAD -> master, origin/master, origin/HEAD)
Author: Tom Tromey <tro...@adacore.com>
Date:   Thu Apr 15 10:14:11 2021 -0600

cxxfilt --version
GNU c++filt (GNU Binutils) 2.36.50.20210415
Copyright (C) 2021 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

The configuration of Binutils is:

CC=/home/ren/tmp/afl-2.52b/afl-gcc CFLAGS="-g -fsanitize=address"
LDFLAGS="-fsanitize=address" ./configure --disable-gdb --disable-werror

CC=/home/ren/tmp/afl-2.52b/afl-gcc CFLAGS="-g -fsanitize=address"
LDFLAGS="-fsanitize=address" make

To trigger the bug:
./cxxfilt < poc
ASAN:DEADLYSIGNAL
=================================================================
==25277==ERROR: AddressSanitizer: stack-overflow on address 0x7fff13a95fb0 (pc
0x563d15ede61e bp 0x0fffe2752c2e sp 0x7fff13a95fb0 T0)
    #0 0x563d15ede61d in demangle_path rust-demangle.c:664
    #1 0x563d15edfcfd in demangle_path rust-demangle.c:774
    #2 0x563d15edfcfd in demangle_path rust-demangle.c:774
    #3 0x563d15edfcfd in demangle_path rust-demangle.c:774
    ...
    #248 0x563d15edfcfd in demangle_path rust-demangle.c:774
    #249 0x563d15edfcfd in demangle_path rust-demangle.c:774
    #250 0x563d15edfcfd in demangle_path rust-demangle.c:774

SUMMARY: AddressSanitizer: stack-overflow rust-demangle.c:664 in demangle_path
==25277==ABORTING

The triggering environment we see is on Ubuntu 18.04 (bionic), with gcc version
7.5.0.

Please find the PoC we provide in the attachment and let us know if you have
any trouble reproducing the crash. Thank you!

Credit:
Ren Ding (rd...@gatech.edu)
Hanqing Zhao (hanq...@gatech.edu)
