Bug 99935 - Stack exhaustion demangling rust mangled name
Summary: Stack exhaustion demangling rust mangled name
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: demangler (show other bugs)
Version: 11.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 98889 100968 101779 104185 104186 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-04-06 13:06 UTC by Nick Clifton
Modified: 2022-07-07 21:44 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2022-01-22 00:00:00

Attachments
Proposed patch (832 bytes, patch)
2021-05-07 16:00 UTC, Nick Clifton 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Clifton 2021-04-06 13:06:28 UTC 
The rust demangler can be pushed into an infinite loop, triggering stack exhaustion:

  %  cat pr27963
# Reproduced from binutils PR 27963.
# Note - the expected output is wrong.  It is just there as a placeholder.
--format=rust
_RIMBALO_suB_I__Z5printi
fred

  % valgrind ./testsuite/test-demangle < pr27963
[...]
==429737== Stack overflow in thread #1: can't grow stack to 0x1ffe001000
[...]
=429737== Stack overflow in thread #1: can't grow stack to 0x1ffe001000
==429737==    at 0x410BA7: demangle_path (rust-demangle.c:742)
[...]
Segmentation fault (core dumped)
Comment 1 Nick Clifton 2021-05-07 16:00:43 UTC 
Created attachment 50777 [details]
Proposed patch

Here is a possible patch for the problem, adding a recursion limit to the demangle_path() function.

Note - a variation of this bug appears to have been reported on the Ubuntu mailing lists with a different reproducer:

  https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1925348
Comment 2 Jonathan Wakely 2021-08-05 10:21:29 UTC 
This patch breaks MinGW, see PR 101779
Comment 3 Nick Clifton 2021-08-11 15:07:49 UTC 
(In reply to Jonathan Wakely from comment #2)
> This patch breaks MinGW, see PR 101779

But it can be fixed by:
  https://sourceware.org/bugzilla/show_bug.cgi?id=28207
Comment 4 Andrew Pinski 2022-01-22 17:54:25 UTC 
*** Bug 104185 has been marked as a duplicate of this bug. ***
Comment 5 Andrew Pinski 2022-01-22 17:54:36 UTC 
*** Bug 104186 has been marked as a duplicate of this bug. ***
Comment 6 Andrew Pinski 2022-01-22 17:54:55 UTC 
*** Bug 101779 has been marked as a duplicate of this bug. ***
Comment 7 Andrew Pinski 2022-01-22 17:55:04 UTC 
*** Bug 98889 has been marked as a duplicate of this bug. ***
Comment 8 Andrew Pinski 2022-01-22 17:55:43 UTC 
*** Bug 100968 has been marked as a duplicate of this bug. ***
Comment 9 Nick Clifton 2022-01-26 15:31:29 UTC 
A revised patch to fix this PR has been prroposed on gcc-patches:

  https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589277.html
Comment 10 GCC Commits 2022-01-31 14:33:58 UTC 
The master branch has been updated by Nick Clifton <nickc@gcc.gnu.org>:

https://gcc.gnu.org/g:f10bec5ffa487ad3033ed5f38cfd0fc7d696deab

commit r12-6945-gf10bec5ffa487ad3033ed5f38cfd0fc7d696deab
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 31 14:28:42 2022 +0000

    libiberty: Fix infinite recursion in rust demangler.
    
    libiberty/
            PR demangler/98886
            PR demangler/99935
            * rust-demangle.c (struct rust_demangler): Add a recursion
            counter.
            (demangle_path): Increment/decrement the recursion counter upon
            entry and exit.  Fail if the counter exceeds a fixed limit.
            (demangle_type): Likewise.
            (rust_demangle_callback): Initialise the recursion counter,
            disabling if requested by the option flags.
Comment 11 Nick Clifton 2022-02-01 10:57:59 UTC 
Fixed on mainline.