Bug 87333 - A stack overflow problem in cplus-dem.c in c++filt
Summary: A stack overflow problem in cplus-dem.c in c++filt
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler
Version: unknown
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: ice-on-invalid-code
Depends on:
Blocks:
 
Reported: 2018-09-17 13:11 UTC by Cheng Wen
Modified: 2021-07-22 21:29 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
c++filt < POC (4.35 KB, application/x-zip-compressed)
2018-09-17 13:11 UTC, Cheng Wen
POC1 (14.80 KB, text/html)
2018-09-18 10:09 UTC, Cheng Wen
POC2 (14.79 KB, text/html)
2018-09-18 10:09 UTC, Cheng Wen

Description Cheng Wen 2018-09-17 13:11:46 UTC
Created attachment 44704 [details]
c++filt < POC

We have found some stack overflows in c++filt in the latest binutils code base. Here are the POC files with different kinds of stack overflow.

Please use “c++filt < POC” to reproduce the bug.
Please check it and debug it.
Thank you very much.


ASAN output:

(1)binutils-2.31/build/bin$ ./c++filt < POC1

ASAN:DEADLYSIGNAL
=================================================================
==7555==ERROR: AddressSanitizer: stack-overflow on address 0x7fffefbe1f48 (pc 0x0000009566e8 bp 0x7fffefbe2140 sp 0x7fffefbe1f48 T0)
    #0 0x9566e7  (/mnt/d/Project/binutils-2.31/build/bin/c++filt+0x9566e7)
    #1 0xcccf00  (/mnt/d/Project/binutils-2.31/build/bin/c++filt+0xcccf00)

SUMMARY: AddressSanitizer: stack-overflow (/mnt/d/Project/binutils-2.31/build/bin/c++filt+0x9566e7) 
==7555==ABORTING
Aborted (core dumped)

(2)binutils-2.31/build/bin$ ./c++filt < POC2

ASAN:DEADLYSIGNAL
=================================================================
==14325==ERROR: AddressSanitizer: stack-overflow on address 0x7fffdbe5dff8 (pc 0x7f9d75b4364f bp 0x000000000018 sp 0x7fffdbe5dfe0 T0)
    #0 0x7f9d75b4364e  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x10364e)
    #1 0x7f9d75b43137  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x103137)
    #2 0x7f9d75a682b1  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x282b1)
    #3 0x7f9d75b1eb5a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb5a)
    #4 0x9cad7c in xmalloc xmalloc.c:147
    #5 0x8f22e0 in do_arg cplus-dem.c:4330
    #6 0x8f2d70 in demangle_args cplus-dem.c:4659
    #7 0x8d9039 in demangle_nested_args cplus-dem.c:4713
    #8 0x8d9039 in do_type cplus-dem.c:3719
    #9 0x8f1d39 in do_arg cplus-dem.c:4332
    #10 0x8f2d70 in demangle_args cplus-dem.c:4659
    #11 0x8d9039 in demangle_nested_args cplus-dem.c:4713
    #12 0x8d9039 in do_type cplus-dem.c:3719
    #13 0x8f1d39 in do_arg cplus-dem.c:4332
    #14 0x8f2d70 in demangle_args cplus-dem.c:4659
    #15 0x8d9039 in demangle_nested_args cplus-dem.c:4713
    #16 0x8d9039 in do_type cplus-dem.c:3719
    #17 0x8f1d39 in do_arg cplus-dem.c:4332
    #18 0x8f2d70 in demangle_args cplus-dem.c:4659
    #19 0x8d9039 in demangle_nested_args cplus-dem.c:4713
    #20 0x8d9039 in do_type cplus-dem.c:3719
Comment 1 Martin Liška 2018-09-18 08:08:54 UTC
Is the input a valid C++ mangled name or not?
Comment 2 Cheng Wen 2018-09-18 09:10:12 UTC
(In reply to Martin Liška from comment #1)
> Is the input a valid C++ mangled name of not?

Hi,
This input is obtained through fuzzing technology. Our fuzzer gets some test cases by mutating a valid input. This cannot guarantee that this is a valid C++ mangled name.

The program c++filt accepts the test case I uploaded. And this test case can prove that c++filt has problems. When the program c++filt executes this input, a stack-overflow problem occurs. Please check this input and try to fix this bug if necessary.

Thank you very much.
Comment 3 Cheng Wen 2018-09-18 10:09:16 UTC
Created attachment 44716 [details]
POC1

I have the new POC to add.
Please use “c++filt < $POC” to reproduce the bug.
Please check it and debug it. Thank you.


POC1:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_1

The ASAN dumps the stack trace as follows on POC1:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_1.err.txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==24028==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd854a7e18 (pc 0x000000497287 bp 0x7ffd854a8690 sp 0x7ffd854a7e20 T0)
    #0 0x497286 in __interceptor_strlen.part.30 (/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286)
    #1 0x8bdc7e in string_append /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4960:7
    #2 0x8cb7f5 in demangle_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4578:7
    #3 0x8cdff7 in demangle_nested_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
    #4 0x8ad46a in do_type /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
    #5 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
    ...
    ...
    ...
    #244 0x8ad46a in do_type /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
    #245 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
    #246 0x8cc7b4 in demangle_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4659:9
    #247 0x8cdff7 in demangle_nested_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
    #248 0x8ad46a in do_type /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
    #249 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8

SUMMARY: AddressSanitizer: stack-overflow (/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286) in __interceptor_strlen.part.30
==24028==ABORTING
Comment 4 Cheng Wen 2018-09-18 10:09:56 UTC
Created attachment 44717 [details]
POC2

I have the new POC to add.
Please use “c++filt < $POC” to reproduce the bug.
Please check it and debug it. Thank you.

POC2:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_2

The ASAN dumps the stack trace as follows on POC2:
https://github.com/ntu-sec/pocs/blob/master/binutils-aff4a119/crashes/so_cplus-dem.c:4960_2.err.txt

AddressSanitizer:DEADLYSIGNAL
=================================================================
==24101==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcd22d1fd8 (pc 0x000000497287 bp 0x7ffcd22d2850 sp 0x7ffcd22d1fe0 T0)
    #0 0x497286 in __interceptor_strlen.part.30 (/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286)
    #1 0x8bdc7e in string_append /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4960:7
    #2 0x8cb7f5 in demangle_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4578:7
    #3 0x8cdff7 in demangle_nested_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
    #4 0x8ad46a in do_type /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
    #5 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
    ...
    ...
    ...
    #245 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8
    #246 0x8cc7b4 in demangle_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4659:9
    #247 0x8cdff7 in demangle_nested_args /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4713:12
    #248 0x8ad46a in do_type /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:3719:9
    #249 0x8cd8c6 in do_arg /home/hongxu/FOT/binutils/BUILD/libiberty/../../libiberty/cplus-dem.c:4332:8

SUMMARY: AddressSanitizer: stack-overflow (/home/hongxu/FOT/binutils/BUILD/install/bin/c++filt+0x497286) in __interceptor_strlen.part.30
==24101==ABORTING
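Both ASAN traces show the same shape of failure: the mutually recursive cycle do_type -> do_arg -> demangle_args -> demangle_nested_args -> do_type repeats for every nested argument list in the input until the stack is exhausted, with no bound on how deep a fuzzed input may nest. The example below is an added illustration of the standard mitigation for that failure mode and is not libiberty's code: a toy recursive-descent parser for a constructed nested-argument grammar (`args := '(' arg (',' arg)* ')'`, `arg := 'i' | 'c' | args`) that tracks its nesting depth and refuses to recurse past a caller-supplied limit, returning a distinct "too deep" result instead of crashing. The grammar, the function names and the limit values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example: a tiny recursive-descent parser shaped like the
 * demangle_args -> demangle_nested_args -> do_type -> do_arg cycle in the
 * traces above.  The grammar is invented for the illustration:
 *
 *   args := '(' arg (',' arg)* ')'
 *   arg  := 'i' | 'c' | args
 */

enum { ARGS_OK = 1, ARGS_MALFORMED = 0, ARGS_TOO_DEEP = -1 };

struct parser {
    const char *p;     /* cursor into the input string */
    int depth;         /* current nesting depth of '(' */
    int max_depth;     /* deepest level reached, reported to the caller */
    int limit;         /* nesting depth at which we refuse to recurse */
    int too_deep;      /* set once the limit has been hit */
};

static int parse_args(struct parser *ps);

/* arg := 'i' | 'c' | args */
static int parse_arg(struct parser *ps)
{
    if (*ps->p == 'i' || *ps->p == 'c') {
        ps->p++;
        return 1;
    }
    if (*ps->p == '(')
        return parse_args(ps);
    return 0;
}

/* args := '(' arg (',' arg)* ')'  -- the only place recursion deepens */
static int parse_args(struct parser *ps)
{
    int ok = 0;

    if (*ps->p != '(')
        return 0;
    /* Depth guard: each nested list costs one frame per function in the
       cycle, so bound the depth here rather than trusting the input. */
    if (ps->depth >= ps->limit) {
        ps->too_deep = 1;
        return 0;
    }
    ps->depth++;
    if (ps->depth > ps->max_depth)
        ps->max_depth = ps->depth;
    ps->p++;                      /* consume '(' */

    for (;;) {
        if (!parse_arg(ps))
            break;                /* malformed, or too deep further down */
        if (*ps->p == ',') {
            ps->p++;
            continue;
        }
        if (*ps->p == ')') {
            ps->p++;
            ok = 1;
        }
        break;
    }
    ps->depth--;
    return ok;
}

/* Parse s as one complete args list.  Returns ARGS_OK, ARGS_MALFORMED or
   ARGS_TOO_DEEP; *max_depth_out (if non-NULL) receives the deepest nesting seen. */
int check_args(const char *s, int limit, int *max_depth_out)
{
    struct parser ps = { s, 0, 0, limit, 0 };
    int ok = parse_args(&ps) && *ps.p == '\0';

    if (max_depth_out)
        *max_depth_out = ps.max_depth;
    if (ps.too_deep)
        return ARGS_TOO_DEEP;
    return ok ? ARGS_OK : ARGS_MALFORMED;
}

/* Build "(((...(i)...)))" with n levels of nesting (a constructed input in
   the spirit of a fuzzer's deeply nested mutation) and check it. */
int check_nested(int n, int limit)
{
    char buf[4096];
    if (n < 0 || (size_t)n * 2 + 2 > sizeof buf)
        return ARGS_MALFORMED;
    memset(buf, '(', (size_t)n);
    buf[n] = 'i';
    memset(buf + n + 1, ')', (size_t)n);
    buf[2 * n + 1] = '\0';
    return check_args(buf, limit, NULL);
}

int main(void)
{
    int depth = 0;
    printf("(i,(c,i)) -> %d\n", check_args("(i,(c,i))", 64, &depth));
    printf("1000 nested levels with limit 64 -> %d\n", check_nested(1000, 64));
    return 0;
}
```

The guard lives in the one function that opens a new nesting level, which is where a real demangler would also put it; the caller then gets an explicit "too deep" status that it can log or reject, rather than a SIGSEGV that ASAN has to report as a stack overflow.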