Bug 85304 - Segmentation fault
Summary: Segmentation fault
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler
Version: unknown
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-09 17:36 UTC by 慕冬亮
Modified: 2021-03-09 08:59 UTC
CC: 4 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
PoC to trigger segment fault (106 bytes, application/octet-stream)
2018-04-09 17:36 UTC, 慕冬亮

Description 慕冬亮 2018-04-09 17:36:35 UTC
Created attachment 43887
PoC to trigger segment fault

We found a segmentation fault in the C++ demangle functions. From our simple analysis, one callq instruction exceeds the range of the stack region and then cxxfilt segfaults.

The triggering method is as follows:

```
mkdir obj_test
cd obj_test   # enter the build directory so that ../configure resolves
CFLAGS="-O2 -g -fstack-protector-all -fsanitize=address" ../configure --enable-shared=no --enable-static=yes
make
cd binutils
gdb ./cxxfilt
(gdb) r < poc_test
```

The corresponding stack trace in gdb:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
(gdb) info stack
#0  0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00000000006a0126 in string_appendn (p=0x7fffffffe120, s=0x753f60 "(", n=1) at ./cplus-dem.c:4986
#2  0x000000000068db7d in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1860
#3  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#4  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#5  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#6  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#7  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#8  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#9  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#10 0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#11 0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#12 0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
......
```

We will try to analyze more deeply to give a detailed report on this bug.
Comment 1 Michael Matz 2018-04-16 12:45:54 UTC
Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23008,
the testcase contains a mangled name with roughly 29000 successive 'E' characters.  Processing one 'E' character involves calling these three routines:

```
#5  0x00000000004e8901 in demangle_expression (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:1895
1895          success = demangle_template_value_parm (work, mangled, s, tk);
(gdb) 
#4  0x00000000004e98cb in demangle_template_value_parm (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:2069
2069        success = demangle_integral_value (work, mangled, s);
(gdb) 
#3  0x00000000004e8b82 in demangle_integral_value (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540) at ../../libiberty/cplus-dem.c:1916
1916        success = demangle_expression (work, mangled, s, tk_integral);
```

That advances *mangled by one character and uses 496 bytes of stack while
doing that (when compiled by gcc-6 with address sanitizer).  The Linux default
stack of 8 MB is good for 16893 of the E characters until stack overflow occurs.
Without sanitizer we need less stack per recursion level, so that the testcase
doesn't cause a problem (but just increasing the number of 'E' will make
it segfault there as well).

It seems all is working as designed: you request it to demangle a recursive
structure > 20000 levels deep and get what can be expected from that, a stack
overflow.
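The three-routine cycle described in the comment above (demangle_expression calls demangle_template_value_parm, which calls demangle_integral_value, which calls demangle_expression again, consuming one 'E' per round trip) is the classic unbounded-recursion failure mode: stack consumption is proportional to attacker-controlled input length, so a long enough run of 'E' characters exhausts the stack no matter how small each frame is. The usual mitigation is an explicit depth counter carried in the work state, so the parser fails with an error at a fixed depth instead of relying on the stack limit. The following is an added example, not libiberty's code: a toy parser with the same three-routine shape plus a depth limit. All names (toy_expression, toy_demangle, struct work, make_nested_input) and the 2048 limit are assumptions for illustration; the 29000-character input is constructed to mirror the reporter's testcase.

```c
/* Added example (not libiberty's or binutils' code): a toy recursive-descent
   parser shaped like the demangle_expression -> demangle_template_value_parm
   -> demangle_integral_value -> demangle_expression cycle, with a depth counter
   so pathological input fails cleanly instead of exhausting the stack.
   All names and the MAX_DEPTH value are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 2048  /* hypothetical limit; not a number from the report */

struct work {
    int depth;      /* current recursion depth of the three-routine cycle */
    int max_depth;  /* deepest level reached, for reporting */
    int limit_hit;  /* set when the depth limit stopped the parse */
};

static int toy_expression(struct work *w, const char **mangled, long *out);

/* Mirrors demangle_integral_value: forwards to the expression parser. */
static int toy_integral_value(struct work *w, const char **mangled, long *out)
{
    return toy_expression(w, mangled, out);
}

/* Mirrors demangle_template_value_parm: forwards to the integral parser. */
static int toy_template_value_parm(struct work *w, const char **mangled, long *out)
{
    return toy_integral_value(w, mangled, out);
}

/* Mirrors demangle_expression: each 'E' consumes one character and re-enters
   the cycle one level deeper; a run of digits terminates the recursion. */
static int toy_expression(struct work *w, const char **mangled, long *out)
{
    const char *p = *mangled;
    int success;

    /* The mitigation: refuse to go deeper than MAX_DEPTH levels. */
    if (++w->depth > MAX_DEPTH) {
        w->limit_hit = 1;
        w->depth--;
        return 0;
    }
    if (w->depth > w->max_depth)
        w->max_depth = w->depth;

    if (*p == 'E') {
        *mangled = p + 1;                       /* advance by one character */
        success = toy_template_value_parm(w, mangled, out);
    } else if (*p >= '0' && *p <= '9') {
        char *end;
        *out = strtol(p, &end, 10);
        *mangled = end;
        success = 1;
    } else {
        success = 0;                            /* unexpected character */
    }
    w->depth--;
    return success;
}

/* Parse a whole string. Returns 1 on success, 0 on failure; *w reports depth. */
int toy_demangle(const char *s, long *value, struct work *w)
{
    const char *p = s;
    memset(w, 0, sizeof *w);
    if (!toy_expression(w, &p, value))
        return 0;
    return *p == '\0';
}

/* Constructed test input: n 'E' characters followed by "42". Caller frees. */
char *make_nested_input(size_t n)
{
    char *buf = malloc(n + 3);
    if (!buf)
        return NULL;
    memset(buf, 'E', n);
    memcpy(buf + n, "42", 3);
    return buf;
}

int main(void)
{
    struct work w;
    long v = 0;
    char *small = make_nested_input(10);
    char *huge = make_nested_input(29000);  /* roughly the reporter's count */

    printf("10 levels: %s (value %ld, depth %d)\n",
           toy_demangle(small, &v, &w) ? "ok" : "fail", v, w.max_depth);
    printf("29000 levels: %s (limit hit: %d, depth %d)\n",
           toy_demangle(huge, &v, &w) ? "ok" : "fail", w.limit_hit, w.max_depth);
    free(small);
    free(huge);
    return 0;
}
```

The design point is that the bound lives in the parser's own state rather than in the process's stack size: the 10-level input parses to 42 at depth 11, while the 29000-level input is rejected at depth 2048 with limit_hit set, which is the behaviour a caller can detect and report instead of a SIGSEGV.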
Comment 2 Carlo B. 2018-07-05 16:58:17 UTC
Hello Michael, any update on this issue? Or do we have other sources to get it fixed? Thanks

Castro B.
https://alternatives.co/
Comment 3 Trupti Pardeshi 2020-05-20 11:35:35 UTC
Hi,

May I know whether this bug is fixed? And if fixed, in which version of binutils did this fix go in?

Any heads up will be appreciated.

Thanks in advance.

Best Regards,
Comment 4 Trupti Pardeshi 2020-07-17 11:51:01 UTC
(In reply to Trupti Pardeshi from comment #3)
> Hi,
> 
> May I know whether this bug is fixed? And if fixed, in which version of
> binutils this fix has gone?
> 
> Any heads up will be appreciated.
> 
> Thanks in advance.
> 
> Best Regards,

Can someone please answer the above-mentioned query? Many thanks.
Comment 5 Nikhil 2020-11-18 04:37:47 UTC
Hi,

May I know whether this bug is fixed? And if fixed, in which version of binutils did this fix go in?

Any heads up will be appreciated.

Thanks in advance.

Best Regards,
Comment 6 Rakesh 2021-03-08 13:11:45 UTC
Hi,

Is this flaw fixed?

Thanks,
Rakesh
Comment 7 Rakesh 2021-03-09 08:59:23 UTC
Hi Team,

Is binutils-2.36 affected by this flaw?

Thanks,
Rakesh