https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

            Bug ID: 87636
           Summary: Infinite Recursive Stack Frames in cp-demangle.c in
                    libiberty(function cplus_demangle_type,
                    d_bare_function_type, d_function_type)
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 44850
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44850&action=edit
POC

Dear all,

The following new binutils stack overflow in libiberty was found by a modified
version of the AFL fuzzer (MemFuzz). I have attached the crashing input and an
ASAN report. I have confirmed them with AddressSanitizer too.

In this issue, stack exhaustion occurs in the C++ demangling functions provided
by libiberty, and there are recursive stack frames in cp-demangle:
cplus_demangle_type, d_bare_function_type, d_function_type. This can occur
during the execution of "c++filt -t". I have also collected the different stack
overflow problems that have recently appeared in c++filt, which I will list
later. There may be some problems that need attention.

Please use "./c++filt < $POC -t" to reproduce the bug. (Remember to add the
"-t" option and the "<" symbol.)


Here are my compile options.

CC=clang LDFLAGS="-ldl" CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error"
./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-sim
--prefix=$PWD/build/

> ASAN:DEADLYSIGNAL
> =================================================================
> ==28168==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfcdedf28 
> (pc 0x000002081a20 bp 0x7ffdfcdee0f0 sp 0x7ffdfcdedf28 T0)
>     #0 0x2081a1f in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2367
>     #1 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #2 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     #3 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
>     #4 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #5 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     #6 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
>     #7 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #8 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     #9 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
>     #10 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #11 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     #12 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
>     #13 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #14 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     #15 0x2086c1b in cplus_demangle_type 
> binutils-gdb/libiberty/./cp-demangle.c:2443:13
>     #16 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #17 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
>     ...
>     #250 0x20c622b in d_bare_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2932:21
>     #251 0x209f2df in d_function_type 
> binutils-gdb/libiberty/./cp-demangle.c:2856:9
> 
> SUMMARY: AddressSanitizer: stack-overflow 
> binutils-gdb/libiberty/./cp-demangle.c:2367 in cplus_demangle_type

We do fuzz testing on the 15 Oct commit version of
binutils (dc86962bf15e7b8dfdcebc17d83b9b48be0bd9cb). We have also confirmed
this in the release version 2.31.
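As an added illustration of the defensive fix this kind of report calls for (example code written for this page, not libiberty's own cp-demangle.c), the toy parser below models the cplus_demangle_type -> d_function_type -> d_bare_function_type cycle over a constructed subset of the Itanium type grammar and bounds the recursion with an assumed MAX_DEPTH, so a long run of nested 'F' function types is rejected with a clean error instead of exhausting the stack:

```c
#include <stdlib.h>
#include <string.h>
/* Constructed toy grammar, a subset of Itanium C++ ABI type mangling:
 *   <type> ::= i | v | c | P <type> | F <bare-function-type> E
 *   <bare-function-type> ::= <type>+
 * d_type -> d_function_type -> d_bare_function_type -> d_type mirrors the cycle of cp-demangle.c frames in the report. */
#define MAX_DEPTH 64 /* assumed limit for this demo, not libiberty's value */
struct demangler { const char *p; int depth; int too_deep; };
static int d_type(struct demangler *di);

static int d_bare_function_type(struct demangler *di) {
    if (!d_type(di)) return 0;                /* at least one type */
    while (*di->p && *di->p != 'E')
        if (!d_type(di)) return 0;
    return 1;
}

static int d_function_type(struct demangler *di) {
    di->p++;                                  /* consume the leading 'F' */
    if (!d_bare_function_type(di) || *di->p != 'E') return 0;
    di->p++;                                  /* consume the closing 'E' */
    return 1;
}

static int d_type(struct demangler *di) {
    int ok = 0;
    /* Depth guard: refuse input nested deeper than MAX_DEPTH instead of letting the recursion overflow the stack. */
    if (++di->depth > MAX_DEPTH) { di->too_deep = 1; di->depth--; return 0; }
    switch (*di->p) {
    case 'i': case 'v': case 'c': di->p++; ok = 1; break;
    case 'P': di->p++; ok = d_type(di); break;
    case 'F': ok = d_function_type(di); break;
    }
    di->depth--;
    return ok;
}

/* 1 = valid type, 0 = syntax error, -1 = rejected by the depth guard. */
int demangle_type(const char *mangled) {
    struct demangler di = { mangled, 0, 0 };
    int ok = d_type(&di) && *di.p == '\0';
    return ok ? 1 : (di.too_deep ? -1 : 0);
}

/* Builds the constructed input F..F v E..E (n nested function types) and demangles it. */
int demangle_nested_function_type(int n) {
    int rc; char *s = malloc(2 * n + 2); if (!s) return 0;
    memset(s, 'F', n); s[n] = 'v'; memset(s + n + 1, 'E', n); s[2 * n + 1] = '\0';
    rc = demangle_type(s); free(s); return rc;
}
```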
