Bug 87681 - Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c, as demonstrated by "nm -C"
Summary: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name...
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler
Version: unknown
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-22 06:48 UTC by N1705695H
Modified: 2018-10-22 06:48 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
POC (80 bytes, text/plain)
2018-10-22 06:48 UTC, N1705695H

Description N1705695H 2018-10-22 06:48:08 UTC
Created attachment 44876
POC

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: d_name, d_encoding, and d_local_name.

Please use "./nm -C $POC" to reproduce the bug. This can trigger different stack overflows; you can try several times.


To reproduce this bug, you need to build binutils-2.31 with ASAN. Here is the compile option. Another approach is to set a breakpoint and debug it, then look at the backtrace.

> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim

The ASAN dumps the stack trace as follows:

> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==18186==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeca00cf98 (pc 0x0000008e8b7a bp 0x7ffeca00d080 sp 0x7ffeca00cfa0 T0)
>     #0 0x8e8b79 in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:28
>     #1 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #2 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #3 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #4 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #5 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #6 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #7 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #8 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #9 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #10 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #11 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #12 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #13 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #14 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #15 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #16 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #17 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     ...
>     #246 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
>     #247 0x8dcc1d in d_encoding binutils-2.31/libiberty/./cp-demangle.c:1312:12
>     #248 0x8ea4d3 in d_local_name binutils-2.31/libiberty/./cp-demangle.c:3590:14
>     #249 0x8e8b7e in d_name binutils-2.31/libiberty/./cp-demangle.c:1411:14
> SUMMARY: AddressSanitizer: stack-overflow binutils-2.31/libiberty/./cp-demangle.c:1411:28 in d_name
> ==19901==ABORTING
> 00000000 AAborted
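The failure mode the trace shows is a mutually recursive parse (d_name -> d_encoding -> d_local_name -> d_name) with no bound on nesting depth, so a short input drives the recursion until the stack is exhausted. The following C program is an added example, not libiberty's code and not part of the bug report: it is a toy recursive-descent parser over a hypothetical, heavily simplified name grammar (a local name is `Z` <encoding> `E` <name>, an encoding is just a name, and a source name is a length-prefixed identifier such as `3foo`) that carries an explicit depth counter in the parser state and refuses to recurse past a limit, returning an error instead of crashing. The grammar, all function names, the limit values and the constructed inputs are assumptions of this example and do not describe cp-demangle.c.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy grammar (not the Itanium ABI and not libiberty's):
 *   name        := local_name | source_name
 *   local_name  := 'Z' encoding 'E' name
 *   encoding    := name
 *   source_name := <decimal length><that many bytes>, e.g. "3foo"
 * name -> local_name -> encoding -> name is the same shape of cycle as
 * d_name -> d_local_name -> d_encoding -> d_name in the ASAN trace. */
enum parse_status { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_DEPTH = -2 };

struct parser {
    const char *p, *end;   /* next unread byte, one past the last byte */
    int depth, max_depth;  /* current nesting depth and the hard limit */
};

static int parse_name(struct parser *ps);

/* source_name: length-prefixed identifier such as "3foo". */
static int parse_source_name(struct parser *ps)
{
    size_t len = 0;
    if (ps->p >= ps->end || !isdigit((unsigned char)*ps->p))
        return PARSE_SYNTAX;
    while (ps->p < ps->end && isdigit((unsigned char)*ps->p)) {
        len = len * 10 + (size_t)(*ps->p - '0');
        if (len > 4096) return PARSE_SYNTAX;  /* keep the length sane */
        ps->p++;
    }
    if (len == 0 || (size_t)(ps->end - ps->p) < len)
        return PARSE_SYNTAX;
    ps->p += len;
    return PARSE_OK;
}

/* encoding: just a name here; it is the extra frame seen in the cycle. */
static int parse_encoding(struct parser *ps) { return parse_name(ps); }

/* local_name: 'Z' encoding 'E' name */
static int parse_local_name(struct parser *ps)
{
    int rc;
    if (ps->p >= ps->end || *ps->p++ != 'Z')
        return PARSE_SYNTAX;
    if ((rc = parse_encoding(ps)) != PARSE_OK)
        return rc;
    if (ps->p >= ps->end || *ps->p++ != 'E')
        return PARSE_SYNTAX;
    return parse_name(ps);
}

/* name: the only entry into the cycle, so the depth check lives here.
 * Without it a long run of 'Z' bytes recurses until the stack is exhausted. */
static int parse_name(struct parser *ps)
{
    int rc;
    if (ps->depth >= ps->max_depth)
        return PARSE_DEPTH;                   /* fail closed, do not recurse */
    ps->depth++;
    if (ps->p < ps->end && *ps->p == 'Z')
        rc = parse_local_name(ps);
    else
        rc = parse_source_name(ps);
    ps->depth--;
    return rc;
}

/* Parse a whole string: PARSE_OK, PARSE_SYNTAX or PARSE_DEPTH. */
int demangle_toy(const char *s, int max_depth)
{
    struct parser ps = { s, s + strlen(s), 0, max_depth };
    int rc = parse_name(&ps);
    return (rc == PARSE_OK && ps.p != ps.end) ? PARSE_SYNTAX : rc;
}

/* Constructed input with n nested local names: "Z"*n "1f" "E1g"*n. */
char *make_nested(int n)
{
    char *buf = malloc((size_t)n * 4 + 3), *q = buf;
    if (!buf)
        return NULL;
    memset(q, 'Z', (size_t)n);  q += n;
    memcpy(q, "1f", 2);         q += 2;
    for (int i = 0; i < n; i++) { memcpy(q, "E1g", 3); q += 3; }
    *q = '\0';
    return buf;
}

/* Parse a constructed n-level input under a given depth limit. */
int check_nested(int n, int max_depth)
{
    char *s = make_nested(n);
    int rc = s ? demangle_toy(s, max_depth) : PARSE_SYNTAX;
    free(s);
    return rc;
}
```

`check_nested(10, 64)` parses cleanly, `check_nested(100, 64)` returns `PARSE_DEPTH` without ever going deeper than the limit, and the same 100-level input parses under a limit of 200, so the limit is a property of the parser rather than of the input. The design point is that the counter is incremented and decremented in exactly one function, the one every cycle in the grammar passes through, so no path into the recursion can bypass it; that is the property a fix for a demangler of this shape needs to guarantee.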