Bug 85304 - Segmentation fault
Summary: Segmentation fault
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: unknown
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-09 17:36 UTC by 慕冬亮
Modified: 2021-03-09 08:59 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
PoC to trigger segment fault (106 bytes, application/octet-stream)
2018-04-09 17:36 UTC, 慕冬亮 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description 慕冬亮 2018-04-09 17:36:35 UTC 
Created attachment 43887 [details]
PoC to trigger segment fault

We found one segment fault in C++ Demangle Functions. From our simple analysis, one callq instruction exceed the range of stack region and then cxxfilt segments fault.

The triggering method is as follows:


```
mkdir obj_test
CFLAGS="-O2 -g -fstack-protector-all -fsanitize=address" ../configure --enable-shared=no --enable-static=yes
make
cd binutils
gdb ./cxxfilt
(gdb) r < poc_test
```

The corresponding Stack Trace in the gdb:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
(gdb) info stack
#0  0x00007ffff4e5931d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00000000006a0126 in string_appendn (p=0x7fffffffe120, s=0x753f60 "(", n=1) at ./cplus-dem.c:4986
#2  0x000000000068db7d in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1860
#3  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#4  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#5  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#6  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#7  0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#8  0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#9  0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
#10 0x000000000068eef5 in demangle_template_value_parm (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:2069
#11 0x000000000068dfac in demangle_expression (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120, tk=tk_integral) at ./cplus-dem.c:1895
#12 0x000000000068e20a in demangle_integral_value (work=0x7fffffffe3b0, mangled=0x7fffffffe2c0, 
    s=0x7fffffffe120) at ./cplus-dem.c:1916
......
```

We will try to analyze more deeply to give a detailed report on this bug.
Comment 1 Michael Matz 2018-04-16 12:45:54 UTC 
Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23008,
the testcase contains a mangled name with roughly 29000 successive 'E' characters.  Processing one 'E' character involves calling these three routines:

5  0x00000000004e8901 in demangle_expression (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:1895
1895          success = demangle_template_value_parm (work, mangled, s, tk);
(gdb) 
#4  0x00000000004e98cb in demangle_template_value_parm (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540, tk=tk_integral) at ../../libiberty/cplus-dem.c:2069
2069        success = demangle_integral_value (work, mangled, s);
(gdb) 
#3  0x00000000004e8b82 in demangle_integral_value (work=0x7fffffffd810, mangled=0x7fffffffd710, 
    s=0x7fffffffd540) at ../../libiberty/cplus-dem.c:1916
1916        success = demangle_expression (work, mangled, s, tk_integral);

That advances *mangled by one character and uses 496 bytes of stack while
doing that (when compiled by gcc-6 with address sanitizer).  The linux default
stack of 8 MB is good for 16893 of the E characters until stack overflow occurs.
Without sanitizer we need less stack per recursion level, so that the testcase
doesn't cause a proplem (but just increasing the number of 'E' will make
it segfault there as well).

It seems all is working as designed, you request it to demangle a recursive
structure of > 20000 levels deep and get what can be expected from that, a stack
overflow.
Comment 2 Carlo B. 2018-07-05 16:58:17 UTC 
Hello Michael, any update for this issue? or do we have other sources to make it fixed? Thanks

Castro B.
https://alternatives.co/
Comment 3 Trupti Pardeshi 2020-05-20 11:35:35 UTC 
Hi,

May I know whether this bug is fixed? And if fixed, in which version of binutils this fix has gone?

Any heads up will be appreciated.

Thanks in advance.

Best Regards,
Comment 4 Trupti Pardeshi 2020-07-17 11:51:01 UTC 
(In reply to Trupti Pardeshi from comment #3)
> Hi,
> 
> May I know whether this bug is fixed? And if fixed, in which version of
> binutils this fix has gone?
> 
> Any heads up will be appreciated.
> 
> Thanks in advance.
> 
> Best Regards,

Can someone please answer above mentioned query? Many Thanks.
Comment 5 Nikhil 2020-11-18 04:37:47 UTC 
Hi,

May I know whether this bug is fixed? And if fixed, in which version of binutils this fix has gone?

Any heads up will be appreciated.

Thanks in advance.

Best Regards,
Comment 6 Rakesh 2021-03-08 13:11:45 UTC 
Hi,

Is this flaw fixed?

Thanks,
Rakesh
Comment 7 Rakesh 2021-03-09 08:59:23 UTC 
Hi Team,

Is binutils-2.36 affected by  this flaw?

Thanks,
Rakesh