From: jaehoon.jang at kaist dot ac.kr
Subject: [Bug binutils/32332] New: nm recursive stack overflow (d_bare_function_type, cp-demangle.c:3113)
Date: Fri, 01 Nov 2024 15:31:23 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32332

            Bug ID: 32332
           Summary: nm recursive stack overflow (d_bare_function_type,
                    cp-demangle.c:3113)
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: jaehoon.jang at kaist dot ac.kr
  Target Milestone: ---

Created attachment 15772
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15772&action=edit
poc

Stack overflow due to recursive calls among the d_bare_function_type, d_function_type
and cplus_demangle_type functions.

Environment

[NOTICE] I tested by reducing the stack size to 256 (ulimit -s 256).
When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) at the same
stack size, the bug was not triggered and the defense held. However, I
think the PoC I uploaded needs a patch because it causes the bug.

# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

# git clone https://github.com/bminor/binutils-gdb.git

# cd binutils-gdb

# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git 6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" ./configure

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j 4

# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# binutils/nm-new -C ../cplus_demangle_type/poc1
00000000 A FFFFFFoeeFFFFFFFeeeeeeeeeeeeePFFFFFFFFFFZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeeeeeeeeeeeeeeeeeeeeeeefeee&e`eeeR\eeeeeeeeeee%eseeeeeeeeZZZZZZe
00000000 A ZZZZZZZZZZZZZZZZZZZZZZZZZ9ZZJmeeee]eeVeCgeeeQZZZZZZZZZZZZZZZZZZd
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _:ZZ5pZZZZexxx
000000d1 A _ZGAT_
000000d1 A _ZGdT_
00000000 A _ZGdT_
00000000 A _ZTAX_
00000000 A _ZTAX_
000000d1 A _ZTAX_ZZZZZZZZZZZZZZZZZZZZcZZZZZZZZZZZZZZZZZyZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZHZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
00000000 A _ZZZ9ZZZmeeeeeeeeeeKgeeeQscssssrssssssssssssssoeeR1RRRRRRRRRRF}eeeeeeCeeR
00000000 A _ZZZZZZZTAX_
00000000 A _ZZZZZZZZZZZZZZZZZZZEeeeeeeeeeeeeeeesZZd
000000d1 A _ZZcvErZ_eeZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZOZZZZZZZZZZZZZZZZZZZZZZZZZZZ^ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZeeeeeeexxxh
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153644==ERROR: AddressSanitizer: stack-overflow on address 0x7fffb7b73f70 (pc 0x00000073c25f bp 0x7fffb7b74030 sp 0x7fffb7b73f60 T0)
    #0 0x73c25f in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2551
    #1 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #2 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #3 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #4 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #5 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #6 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #7 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #8 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #9 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #10 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #11 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #12 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #13 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #14 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #15 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #16 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #17 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #18 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #19 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #20 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #21 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #22 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #23 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #24 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #25 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #26 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #27 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #28 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #29 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #30 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #31 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #32 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #33 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #34 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #35 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #36 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #37 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #38 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #39 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #40 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #41 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #42 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #43 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #44 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #45 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #46 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #47 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    #48 0x73d2d8 in cplus_demangle_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2627:13
    #49 0x74205d in d_bare_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3113:21
    #50 0x74205d in d_function_type
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3033:13
    ...
SUMMARY: AddressSanitizer: stack-overflow
/tmp/binutils-gdb/libiberty/./cp-demangle.c:2551 in cplus_demangle_type
==153644==ABORTING
