Bug 99935 - Stack exhaustion demangling rust mangled name
Summary: Stack exhaustion demangling rust mangled name
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler
Version: 11.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Duplicates: 98889 100968 101779 104185 104186
Depends on:
Blocks:
 
Reported: 2021-04-06 13:06 UTC by Nick Clifton
Modified: 2022-07-07 21:44 UTC
CC List: 4 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2022-01-22 00:00:00


Attachments
Proposed patch (832 bytes, patch)
2021-05-07 16:00 UTC, Nick Clifton

Description Nick Clifton 2021-04-06 13:06:28 UTC
The rust demangler can be pushed into an infinite loop, triggering stack exhaustion:

  %  cat pr27963
# Reproduced from binutils PR 27963.
# Note - the expected output is wrong.  It is just there as a placeholder.
--format=rust
_RIMBALO_suB_I__Z5printi
fred

  % valgrind ./testsuite/test-demangle < pr27963
[...]
==429737== Stack overflow in thread #1: can't grow stack to 0x1ffe001000
[...]
=429737== Stack overflow in thread #1: can't grow stack to 0x1ffe001000
==429737==    at 0x410BA7: demangle_path (rust-demangle.c:742)
[...]
Segmentation fault (core dumped)
Comment 1 Nick Clifton 2021-05-07 16:00:43 UTC
Created attachment 50777
Proposed patch

Here is a possible patch for the problem, adding a recursion limit to the demangle_path() function.

Note - a variation of this bug appears to have been reported on the Ubuntu mailing lists with a different reproducer:

  https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1925348
Comment 2 Jonathan Wakely 2021-08-05 10:21:29 UTC
This patch breaks MinGW, see PR 101779
Comment 3 Nick Clifton 2021-08-11 15:07:49 UTC
(In reply to Jonathan Wakely from comment #2)
> This patch breaks MinGW, see PR 101779

But it can be fixed by:
  https://sourceware.org/bugzilla/show_bug.cgi?id=28207
Comment 4 Andrew Pinski 2022-01-22 17:54:25 UTC
*** Bug 104185 has been marked as a duplicate of this bug. ***
Comment 5 Andrew Pinski 2022-01-22 17:54:36 UTC
*** Bug 104186 has been marked as a duplicate of this bug. ***
Comment 6 Andrew Pinski 2022-01-22 17:54:55 UTC
*** Bug 101779 has been marked as a duplicate of this bug. ***
Comment 7 Andrew Pinski 2022-01-22 17:55:04 UTC
*** Bug 98889 has been marked as a duplicate of this bug. ***
Comment 8 Andrew Pinski 2022-01-22 17:55:43 UTC
*** Bug 100968 has been marked as a duplicate of this bug. ***
Comment 9 Nick Clifton 2022-01-26 15:31:29 UTC
A revised patch to fix this PR has been proposed on gcc-patches:

  https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589277.html
Comment 10 GCC Commits 2022-01-31 14:33:58 UTC
The master branch has been updated by Nick Clifton <nickc@gcc.gnu.org>:

https://gcc.gnu.org/g:f10bec5ffa487ad3033ed5f38cfd0fc7d696deab

commit r12-6945-gf10bec5ffa487ad3033ed5f38cfd0fc7d696deab
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 31 14:28:42 2022 +0000

    libiberty: Fix infinite recursion in rust demangler.
    
    libiberty/
            PR demangler/98886
            PR demangler/99935
            * rust-demangle.c (struct rust_demangler): Add a recursion
            counter.
            (demangle_path): Increment/decrement the recursion counter upon
            entry and exit.  Fail if the counter exceeds a fixed limit.
            (demangle_type): Likewise.
            (rust_demangle_callback): Initialise the recursion counter,
            disabling if requested by the option flags.
Comment 11 Nick Clifton 2022-02-01 10:57:59 UTC
Fixed on mainline.
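
The approach named in the commit message above (a recursion counter incremented on entry and decremented on exit, a fixed limit that fails the parse, and an option to disable the check) is sketched here on a toy grammar whose back-references can point at themselves. This is an added example, not code from rust-demangle.c or from the patch; the grammar, `parse_path`, `demangle_ok`, `MAX_DEPTH` and `NO_LIMIT` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 1024u           /* assumed limit, not libiberty's value */
#define NO_LIMIT ((unsigned) -1)  /* sentinel: depth check disabled */

struct parser {
  const char *sym;   /* mangled input */
  size_t len, next;  /* input length and read cursor */
  int errored;       /* sticky failure flag */
  unsigned depth;    /* current recursion depth, or NO_LIMIT */
};

/* Toy grammar (constructed): path := 'N' path path | 'B' digit | 'a'..'z'.
   'B' d re-parses the path that starts at offset d, then resumes after d. */
static void parse_path(struct parser *p) {
  if (p->errored) return;
  if (p->depth != NO_LIMIT && ++p->depth > MAX_DEPTH) {
    p->errored = 1;  /* fail cleanly instead of exhausting the stack */
  } else if (p->next >= p->len) {
    p->errored = 1;  /* truncated input */
  } else {
    char c = p->sym[p->next++];
    if (c == 'N') {
      parse_path(p); parse_path(p);
    } else if (c == 'B' && p->next < p->len
               && p->sym[p->next] >= '0' && p->sym[p->next] <= '9') {
      size_t resume = p->next + 1;
      p->next = (size_t) (p->sym[p->next] - '0');
      parse_path(p); /* the target may contain this same back-reference */
      p->next = resume;
    } else if (c < 'a' || c > 'z') {
      p->errored = 1; /* unknown tag */
    }
  }
  if (p->depth != NO_LIMIT) --p->depth;  /* balance the increment */
}

/* Returns 1 if sym is exactly one path, 0 on any error (limit included). */
int demangle_ok(const char *sym, int limit_recursion) {
  struct parser p = { sym, strlen(sym), 0, 0, limit_recursion ? 0u : NO_LIMIT };
  parse_path(&p);
  return !p.errored && p.next == p.len;
}

int main(void) {
  printf("NaB1=%d NaB0=%d\n", demangle_ok("NaB1", 1), demangle_ok("NaB0", 1));
  return 0;
}
```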