Created attachment 43887 [details]
PoC to trigger segmentation fault

We found one segmentation fault in the C++ demangle functions. From our simple analysis, one callq instruction exceeds the range of the stack region and then cxxfilt segfaults.

The triggering method is as follows:
```
mkdir obj_test
CFLAGS="-O2 -g -fstack-protector-all -fsanitize=address" ../configure --enable-shared=no --enable-static=yes
make
cd binutils
gdb ./cxxfilt
(gdb) r < poc_test
```

The corresponding stack trace in gdb:
```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
(gdb) info stack
#0  0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00000000006a0126 in string_appendn (p=0x7fffffffe120, s=0x753f60 "(", n=1) at ./cplus-dem.c:4986
#2  0x000000000068db7d in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1860
#3  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#4  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#5  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#6  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#7  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#8  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#9  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
#10 0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#11 0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#12 0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, s=0x7fffffffe120) at ./cplus-dem.c:1916
......
```

We will try to analyze more deeply to give a detailed report on this bug.
Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23008, the testcase contains a mangled name with roughly 29000 successive 'E' characters. Processing one 'E' character involves calling these three routines:

```
#5  0x00000000004e8901 in demangle_expression (work=0x7fffffffd810, mangled=0x7fffffffd710, s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:1895
1895	  success = demangle_template_value_parm (work, mangled, s, tk);
(gdb)
#4  0x00000000004e98cb in demangle_template_value_parm (work=0x7fffffffd810, mangled=0x7fffffffd710, s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:2069
2069	  success = demangle_integral_value (work, mangled, s);
(gdb)
#3  0x00000000004e8b82 in demangle_integral_value (work=0x7fffffffd810, mangled=0x7fffffffd710, s=0x7fffffffd540) at ../../libiberty/cplus-dem.c:1916
1916	  success = demangle_expression (work, mangled, s, tk_integral);
```

That advances *mangled by one character and uses 496 bytes of stack while doing that (when compiled by gcc-6 with address sanitizer). The Linux default stack of 8 MB is good for 16893 of the 'E' characters until stack overflow occurs. Without the sanitizer we need less stack per recursion level, so the testcase doesn't cause a problem (but just increasing the number of 'E's will make it segfault there as well).

It seems all is working as designed: you request it to demangle a recursive structure more than 20000 levels deep and get what can be expected from that, a stack overflow.
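As an added illustration of the recursion described in the comment above (example code written for this page, not libiberty's or binutils' own): a toy model of the three-routine cycle demangle_expression -> demangle_template_value_parm -> demangle_integral_value, where each 'E' costs one round trip, plus a hypothetical depth guard so that an over-long run fails cleanly instead of overflowing the stack. MAX_DEMANGLE_DEPTH, the struct work fields, demangle_e_run and levels_for_stack are assumptions made for the example and do not exist in libiberty; the 496-bytes-per-level and 8 MB figures are the ones quoted above.

```c
/* Added example: toy model of the recursion in libiberty's legacy demangler.
 * NOT the project's code.  Every name below is invented for illustration. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical recursion budget; libiberty has no such constant. */
#define MAX_DEMANGLE_DEPTH 4096

struct work {
    int depth;      /* current recursion depth (one per 'E' consumed) */
    int max_depth;  /* deepest level reached during the run */
    int overflowed; /* set when the depth guard refuses to go deeper */
};

static int demangle_expression(struct work *w, const char **mangled);

/* Innermost routine of the cycle: it simply re-enters demangle_expression,
 * as cplus-dem.c:1916 does in the backtrace above. */
static int demangle_integral_value(struct work *w, const char **mangled)
{
    return demangle_expression(w, mangled);
}

/* Middle routine of the cycle (cplus-dem.c:2069 in the backtrace). */
static int demangle_template_value_parm(struct work *w, const char **mangled)
{
    return demangle_integral_value(w, mangled);
}

/* Consumes one 'E' per level.  Returns 1 on success, 0 on failure. */
static int demangle_expression(struct work *w, const char **mangled)
{
    if (**mangled != 'E')
        return 1;                 /* base case: the chain ends at a non-'E' */
    if (w->depth >= MAX_DEMANGLE_DEPTH) {
        w->overflowed = 1;        /* refuse instead of eating more stack */
        return 0;
    }
    w->depth++;
    if (w->depth > w->max_depth)
        w->max_depth = w->depth;
    (*mangled)++;                 /* advance *mangled by one character */
    int ok = demangle_template_value_parm(w, mangled);
    w->depth--;
    return ok;
}

/* Driver: build a constructed input of n 'E' characters and demangle it.
 * Returns 1 if the run completed, 0 if the guard tripped (or malloc failed).
 * Reports whether the guard tripped and how deep the recursion went. */
int demangle_e_run(size_t n, int *overflowed, int *levels)
{
    char *buf = malloc(n + 1);
    if (!buf)
        return 0;
    memset(buf, 'E', n);
    buf[n] = '\0';

    struct work w = {0, 0, 0};
    const char *p = buf;
    int ok = demangle_expression(&w, &p);
    free(buf);

    if (overflowed)
        *overflowed = w.overflowed;
    if (levels)
        *levels = w.max_depth;
    return ok;
}

/* How many levels an unguarded recursion can afford before the stack runs
 * out: stack_bytes / bytes_per_level.  Ignores whatever stack is already in
 * use when the recursion starts, so this is an upper bound. */
size_t levels_for_stack(size_t stack_bytes, size_t bytes_per_level)
{
    return bytes_per_level ? stack_bytes / bytes_per_level : 0;
}
```

levels_for_stack(8 MiB, 496) gives 16912, slightly above the 16893 quoted in the comment, presumably because some of the 8 MB is already in use before the recursion begins. The point of the guard is that the failure mode stops depending on build flags and `ulimit -s`: a run of 29000 'E's returns an error from demangle_e_run rather than a SIGSEGV, while a short run is demangled exactly as before.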
Hello Michael, any update for this issue? or do we have other sources to make it fixed? Thanks Castro B. https://alternatives.co/
Hi, May I know whether this bug is fixed? And if fixed, in which version of binutils this fix has gone? Any heads up will be appreciated. Thanks in advance. Best Regards,
(In reply to Trupti Pardeshi from comment #3) > Hi, > > May I know whether this bug is fixed? And if fixed, in which version of > binutils this fix has gone? > > Any heads up will be appreciated. > > Thanks in advance. > > Best Regards, Can someone please answer above mentioned query? Many Thanks.
Hi, Is this flaw fixed? Thanks, Rakesh
Hi Team, Is binutils-2.36 affected by this flaw? Thanks, Rakesh