[Bug c++/87636] Infinite Recursive Stack Frames in cp-demangle.c in libiberty(function cplus_demangle_type, d_bare_function_type, d_function_type)

2018-12-07 Thread nickc at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

Nick Clifton changed:

           What    |Removed      |Added
----------------------------------------------------------------
         Status    |UNCONFIRMED  |RESOLVED
             CC    |             |nickc at gcc dot gnu.org
     Resolution    |---          |FIXED

--- Comment #4 from Nick Clifton  ---
Fixed by commit 266886.

2018-12-07 Thread nickc at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

--- Comment #3 from Nick Clifton  ---
Author: nickc
Date: Fri Dec  7 10:33:30 2018
New Revision: 266886

URL: https://gcc.gnu.org/viewcvs?rev=266886&root=gcc&view=rev
Log:
Add a recursion limit to libiberty's demangling code.  The limit is enabled by
default, but can be disabled via a new demangling option.

include
    * demangle.h (DMGL_NO_RECURSE_LIMIT): Define.
    (DEMANGLE_RECURSION_LIMIT): Define.

    PR 87681
    PR 87675
    PR 87636
    PR 87350
    PR 87335
libiberty
    * cp-demangle.h (struct d_info): Add recursion_level field.
    * cp-demangle.c (d_function_type): Add recursion counter.
    If the recursion limit is reached and the check is not disabled,
    then return with a failure result.
    (cplus_demangle_init_info): Initialise the recursion_level field.
    (d_demangle_callback): If the recursion limit is enabled, check
    for a mangled string that is so long that there is not enough
    stack space for the local arrays.
    * cplus-dem.c (struct work): Add recursion_level field.
    (squangle_mop_up): Set the numb and numk fields to zero.
    (work_stuff_copy_to_from): Handle the case where a btypevec or
    ktypevec field is NULL.
    (demangle_nested_args): Add recursion counter.  If
    the recursion limit is not disabled and reached, return with a
    failure result.

Modified:
trunk/include/ChangeLog
trunk/include/demangle.h
trunk/libiberty/ChangeLog
trunk/libiberty/cp-demangle.c
trunk/libiberty/cp-demangle.h
trunk/libiberty/cplus-dem.c
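The guard the commit describes, as an added example that is not libiberty's code: a toy recursive-descent parser shaped like d_function_type / cplus_demangle_type, with a recursion counter that returns a failure result once the limit is hit unless the no-limit option is set. Only the names DMGL_NO_RECURSE_LIMIT, DEMANGLE_RECURSION_LIMIT and recursion_level come from the commit log; the DEMO_* stand-ins, struct demo_info, the grammar ('F' <type> 'E', leaf 'i') and the limit value are assumptions constructed for this example.

```c
#include <string.h>
/* Constructed stand-ins for the DMGL_NO_RECURSE_LIMIT option and the
   DEMANGLE_RECURSION_LIMIT constant named in the commit log; the values
   are chosen for this demo, not taken from libiberty. */
#define DEMO_NO_RECURSE_LIMIT 1
#define DEMO_RECURSION_LIMIT  1024
/* s = unread input; recursion_level = the counter the fix adds to d_info. */
struct demo_info { const char *s; int options; unsigned recursion_level; };
static int demo_type(struct demo_info *di);
/* Toy d_function_type: 'F' <type> 'E'.  Every nested 'F' costs a stack frame,
   so a long run of 'F's is exactly what the recursion counter guards. */
static int demo_function_type(struct demo_info *di)
{
  int ok;
  if (*di->s++ != 'F')
    return 0;
  if (!(di->options & DEMO_NO_RECURSE_LIMIT)
      && di->recursion_level > DEMO_RECURSION_LIMIT)
    return 0;                /* fail cleanly instead of exhausting the stack */
  di->recursion_level++;
  ok = demo_type(di) && *di->s == 'E';
  if (ok) di->s++;
  di->recursion_level--;
  return ok;
}
/* Toy cplus_demangle_type: a function type or the leaf 'i' (int). */
static int demo_type(struct demo_info *di)
{
  if (*di->s == 'i') { di->s++; return 1; }
  return *di->s == 'F' && demo_function_type(di);
}
/* Demangle a whole string; returns 1 on success, 0 on failure. */
int demo_demangle(const char *mangled, int options)
{
  struct demo_info di = { mangled, options, 0 };
  return demo_type(&di) && *di.s == '\0';
}
/* Build the constructed input "F...F i E...E" with the given nesting depth
   and demangle it; deep nesting is what exhausted the stack in the report. */
int demo_nested_probe(unsigned depth, int options)
{
  static char buf[2 * 4096 + 2];
  if (depth > 4096) return -1;
  memset(buf, 'F', depth);
  buf[depth] = 'i';
  memset(buf + depth + 1, 'E', depth);
  buf[2 * depth + 1] = '\0';
  return demo_demangle(buf, options);
}
```

With the limit enabled a 2000-deep input is rejected as malformed; with DEMO_NO_RECURSE_LIMIT it is accepted, which is the trade-off the option exposes.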

2018-10-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

--- Comment #2 from Cheng Wen  ---
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
If you have any questions, please let me know.

2018-10-17 Thread wcventure at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

--- Comment #1 from Cheng Wen  ---
I have summarized the different recursive stack frame problems in c++filt.

> This issue (in cp-demangle.c)
> recursive stack frames: cplus_demangle_type, d_bare_function_type,
> d_function_type

I find that many people have reported similar problems, but they have not been
completely fixed. For example:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12641

> [CVE-2018-9138] (In cplus-dem.c)
> recursive stack frames: demangle_nested_args, demangle_args, do_arg, and 
> do_type
> [CVE-2018-9996] (In cplus-dem.c)
> recursive stack frames: demangle_template_value_parm, 
> demangle_integral_value, and demangle_expression
> [CVE-2018-12641] (In cplus-dem.c)
> recursive stack frames: demangle_arm_hp_template, demangle_class_name, 
> demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args.

In addition, there are still some practical problems that have not been
successfully reproduced. For example:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87340
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333


I tried to reproduce the above problems on different machines. That may be
because your compilation options mismatch. You can try to use the compiler
options that I provided.

> CC=clang LDFLAGS="-ldl" CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all \
>   -fsanitize=undefined,address -fno-omit-frame-pointer -g -O0 -Wno-error" \
>   ./configure --disable-shared --disable-gdb --disable-libdecnumber \
>   --disable-sim --prefix=$PWD/build/
>
> CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address \
>   -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" \
>   LDFLAGS="-fsanitize=address" ./configure --prefix=$PWD/build/

Many of these problems have not been completely fixed. I think this problem may
need attention.