Created attachment 44850 [details] POC Dear all, The following new binutils Stack-Overflow in libiberty was found by a modified version of the AFL fuzzer(MemFuzz). I have attached the crashing input and an ASAN report. I have confirmed them with address sanitizer too. In this issue, Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames in cp-demangle: cplus_demangle_type, d_bare_function_type, d_function_type. This can occur during the execution of "c++filt -t". I have also collected the different Stack Overflow problem recently appeared in c++filt, which I will list later. There may be some problems that need attention. Please use the “./c++filt < $POC -t” to reproduce the bug. (Remember to add "-t" option and "<" Symbol) Here is my compile Option. CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim --prefix=$PWD/build/ > ASAN:DEADLYSIGNAL > ================================================================= > ==28168==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfcdedf28 (pc 0x000002081a20 bp 0x7ffdfcdee0f0 sp 0x7ffdfcdedf28 T0) > #0 0x2081a1f in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2367 > #1 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #2 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > #3 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13 > #4 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #5 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > #6 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13 > #7 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #8 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > #9 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13 > #10 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #11 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > #12 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13 > #13 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #14 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > #15 0x2086c1b in cplus_demangle_type binutils-gdb/libiberty/./cp-demangle.c:2443:13 > #16 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #17 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > ... > #250 0x20c622b in d_bare_function_type binutils-gdb/libiberty/./cp-demangle.c:2932:21 > #251 0x209f2df in d_function_type binutils-gdb/libiberty/./cp-demangle.c:2856:9 > > SUMMARY: AddressSanitizer: stack-overflow binutils-gdb/libiberty/./cp-demangle.c:2367 in cplus_demangle_type We do fuzz testing on the 15th OCT commit verison of binutils(dc86962bf15e7b8dfdcebc17d83b9b48be0bd9cb). And we have also confirmed this in the release version 2.31. Please use the “./c++filt < $POC -t” to reproduce the bug. (Remember to add "-t" option and "<" Symbol)
I have summarized the different recursive stack frames problem in c++filt. > This issue (In cp-demangle.c.c) > recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type I find that many people have reported similar problem, but it has not been completely fixed. For example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9138 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9996 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12641 > [CVE-2018-9138] (In cplus-dem.c) > recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type > [CVE-2018-9996] (In cplus-dem.c) > recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression > [CVE-2018-12641] (In cplus-dem.c) > recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. In addition, there are still some practical problems that have not been successfully reproduced. For example: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87340 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333 I tried to reproduce above problem on different machines. That may be your compilation options mismatch. You can try to use the compiler options that I provided. > CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim --prefix=$PWD/build/ > CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure --prefix=$PWD/build/ Many of these problems have not been completely fixed. I think this problem may need attention.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Author: nickc Date: Fri Dec 7 10:33:30 2018 New Revision: 266886 URL: https://gcc.gnu.org/viewcvs?rev=266886&root=gcc&view=rev Log: Add a recursion limit to libiberty's demangling code. The limit is enabled by default, but can be disabled via a new demangling option. include * demangle.h (DMGL_NO_RECURSE_LIMIT): Define. (DEMANGLE_RECURSION_LIMIT): Define PR 87681 PR 87675 PR 87636 PR 87350 PR 87335 libiberty * cp-demangle.h (struct d_info): Add recursion_level field. * cp-demangle.c (d_function_type): Add recursion counter. If the recursion limit is reached and the check is not disabled, then return with a failure result. (cplus_demangle_init_info): Initialise the recursion_level field. (d_demangle_callback): If the recursion limit is enabled, check for a mangled string that is so long that there is not enough stack space for the local arrays. * cplus-dem.c (struct work): Add recursion_level field. (squangle_mop_up): Set the numb and numk fields to zero. (work_stuff_copy_to_from): Handle the case where a btypevec or ktypevec field is NULL. (demangle_nested_args): Add recursion counter. If the recursion limit is not disabled and reached, return with a failure result. Modified: trunk/include/ChangeLog trunk/include/demangle.h trunk/libiberty/ChangeLog trunk/libiberty/cp-demangle.c trunk/libiberty/cp-demangle.h trunk/libiberty/cplus-dem.c
Fixed by commit 266886.