[Bug demangler/87675] New: Stack Overflow in function next_is_type_qual() in cp-demangle.c, as demonstrated by "nm -C"

N1705695H at e dot ntu.edu.sg gcc-bugzilla@gcc.gnu.org
Sun Oct 21 13:00:00 GMT 2018


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675

            Bug ID: 87675
           Summary: Stack Overflow in function next_is_type_qual() in
                    cp-demangle.c, as  demonstrated by "nm -C"
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: N1705695H at e dot ntu.edu.sg
  Target Milestone: ---

Created attachment 44874
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44874&action=edit
POC

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in
GNU Binutils 2.31. Stack exhaustion occurs in the C++ demangling functions
provided by libiberty, and there is a stack consumption problem caused by
recursive stack frames: next_is_type_qual() and cplus_demangle_type().

Please use "./nm -C $POC" to reproduce the bug. This input can trigger
different stack overflows, so you can try several times.

To reproduce this bug, you need to build binutils-2.31 with ASAN. Here are the
compile options. Another approach is to set a breakpoint and debug it, as the
stack overflow didn't crash the program.

> CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim

The ASAN dumps the stack trace as follows:

> ASAN:DEADLYSIGNAL
> =================================================================
> ==9864==ERROR: AddressSanitizer: stack-overflow on address 0x7fff9e5c9f58 (pc 0x0000009684ac bp 0x000000000000 sp 0x7fff9e5c9f58 T0)
>     #0 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #1 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #2 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #3 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #4 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #5 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #6 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #7 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #8 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #9 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #10 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #11 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #12 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #13 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #14 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #15 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #16 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #17 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #18 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #19 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     #20 0x9684ab in next_is_type_qual cp-demangle.c:2290
>     #21 0x9684ab in cplus_demangle_type cp-demangle.c:2387
>     ...
>     # 0xc5800000c22  (<unknown module>)

> SUMMARY: AddressSanitizer: stack-overflow cp-demangle.c:2290 in next_is_type_qual
> ==9864==ABORTING
> 00000000 AAborted
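The trace above shows the classic shape of a recursive-descent stack exhaustion: two functions call each other once per nested construct in the input, so the recursion depth is bounded only by the input length, and a long enough symbol walks the stack pointer off the end of the mapping. The following is an added example written for this page, not code from libiberty or from the reporter; it models that pattern with a hypothetical toy grammar (a run of cv-qualifiers 'K'/'V'/'r' in front of a base type 'i', 'v' or 'c') in which the qualifier handler and the type parser recurse into each other exactly as next_is_type_qual() and cplus_demangle_type() do in the trace. The same parser runs in two modes: limit 0 reproduces the unbounded recursion, and a positive limit shows the standard mitigation, a depth counter that refuses to nest further (the approach libiberty's demangler later adopted with a recursion limit that callers can opt out of). The function and field names, the return codes and the 2048 limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy grammar, modelled loosely on Itanium ABI cv-qualifiers:
 *   <type> ::= <qualifier> <type> | 'i' | 'v' | 'c'
 *   <qualifier> ::= 'K' | 'V' | 'r'
 * Every qualifier costs one extra frame of parse_type(), so a crafted
 * input of N qualifiers forces N nested frames. */
struct parser {
    const char *p;   /* next unread character */
    int depth;       /* current nesting depth */
    int max_depth;   /* deepest nesting reached, for diagnostics */
    int limit;       /* 0 = unbounded (the bug); >0 = hardened */
};

/* Return codes (assumed for this example). */
enum { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };

static int parse_type(struct parser *d);

/* Mirrors the qualifier check in the trace: it consumes one qualifier and
 * hands control straight back to the type parser for the qualified type. */
static int parse_qualifier(struct parser *d)
{
    d->p++;                      /* consume the single qualifier character */
    return parse_type(d);        /* ... and recurse for what it qualifies */
}

static int is_type_qual(char c)
{
    return c == 'K' || c == 'V' || c == 'r';
}

static int parse_type(struct parser *d)
{
    int rc;

    /* Hardened path: bound the nesting instead of trusting the input.
     * With limit == 0 this check is skipped and the bug is reproduced. */
    if (d->limit > 0 && d->depth >= d->limit)
        return PARSE_TOO_DEEP;

    d->depth++;
    if (d->depth > d->max_depth)
        d->max_depth = d->depth;

    if (is_type_qual(*d->p)) {
        rc = parse_qualifier(d);          /* mutual recursion, one frame per 'K' */
    } else if (*d->p == 'i' || *d->p == 'v' || *d->p == 'c') {
        d->p++;                           /* base type: recursion bottoms out */
        rc = PARSE_OK;
    } else {
        rc = PARSE_SYNTAX;
    }

    d->depth--;                           /* not a tail call, so no TCO rescue */
    return rc;
}

/* Parse a whole type string. limit == 0 selects the unbounded (vulnerable)
 * behaviour; a positive limit caps the nesting depth. The deepest nesting
 * reached is reported through max_depth_out. */
int demangle_type(const char *s, int limit, int *max_depth_out)
{
    struct parser d = { s, 0, 0, limit };
    int rc = parse_type(&d);
    if (rc == PARSE_OK && *d.p != '\0')
        rc = PARSE_SYNTAX;                /* trailing garbage */
    if (max_depth_out)
        *max_depth_out = d.max_depth;
    return rc;
}

int main(void)
{
    /* Constructed input: one million 'K' qualifiers in front of 'i'. In the
     * unbounded mode this needs ~1,000,000 nested frames, far more than a
     * default 8 MiB stack holds, which is the failure mode reported above.
     * Only the bounded parser is run on it here. */
    size_t n = 1000000;
    char *s = malloc(n + 2);
    if (!s)
        return 1;
    memset(s, 'K', n);
    s[n] = 'i';
    s[n + 1] = '\0';

    int md = 0;
    int rc = demangle_type(s, 2048, &md);
    printf("bounded parser: rc=%d (%s), depth reached=%d\n",
           rc, rc == PARSE_TOO_DEEP ? "recursion limit hit" : "ok", md);
    /* demangle_type(s, 0, &md) is the vulnerable call: do not run it without
     * ASAN or a small `ulimit -s` unless you want the SIGSEGV. */
    free(s);
    return 0;
}
```

Two practical notes on reproducing the real report. Without ASAN the process simply dies with SIGSEGV when it hits the stack guard page, which is why the reporter suggests breaking in a debugger; lowering the stack with `ulimit -s` makes the crash reproduce with a much shorter input. Also, the reporter's build line defines FORTIFY_SOURCE rather than _FORTIFY_SOURCE, and fortification has no effect at -O0 in any case; neither matters here, because the detection comes from ASAN's stack-overflow check, not from fortified string functions.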

