bug-binutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/32333] New: nm recursive stack overflow (d_name, cp-demang


From: jaehoon.jang at kaist dot ac.kr
Subject: [Bug binutils/32333] New: nm recursive stack overflow (d_name, cp-demangle.c:1483)
Date: Fri, 01 Nov 2024 15:32:32 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32333

            Bug ID: 32333
           Summary: nm recursive stack overflow (d_name,
                    cp-demangle.c:1483)
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: jaehoon.jang at kaist dot ac.kr
  Target Milestone: ---

Created attachment 15773
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15773&action=edit
poc

Stack overflow due to recursive call of d_name, d_encoding and d_local_name
functions

Environment

[NOTICE] I tested by reducing the stack size to 256 (ulimit -s 256)
When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) on the same
stack size, the bug was not triggered and the defense was well done. However, I
think the PoC I uploaded needs a patch because it causes the bug.

# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC
2024 x86_64 x86_64 x86_64 GNU/Linux

# git clone https://github.com/bminor/binutils-gdb.git

# cd binutils-gdb

# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git
6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address"
./configure

# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j
4

# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# # binutils/nm-new -C ../d_local_name/poc1
00000000 A 3
000000d1 A _ZZZ5ZZZZZCxxxx
000000d1 A _ZZZ5ZZZZZCxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvE7Z_eeeeeeeeeeee]eee}eeeeeeeeeexx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvEZZ_eeeexxxxxxxxxxxxxxxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvEZZ_eeeexxxxxxxxxxxxxxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZ^sZvE2Z_eeeeeeeeeeeexxxx
0000000b A
_ZZZ5ZZZZZZZZZZZeZsZvE7Z_eeeeeeeeeeee]eeeeeeeeeeeeeeeeeeeeeeeeeeeZZZZeeeeeeeeeeeeeZZZZZZZZ@
000000d1 A _ZZZ5ZZZZZexxxx
000000d1 A _ZZZ5ZZZZZexxxx
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153650==ERROR: AddressSanitizer: stack-overflow on address 0x7fff975daff0 (pc
0x000000745bef bp 0x7fff975db060 sp 0x7fff975dafc0 T0)
    #0 0x745bef in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1483
    #1 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #2 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #3 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #4 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #5 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #6 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #7 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #8 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #9 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #10 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #11 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #12 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #13 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #14 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #15 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #16 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #17 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #18 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #19 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #20 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #21 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #22 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #23 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #24 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #25 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #26 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #27 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #28 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #29 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #30 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #31 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #32 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #33 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #34 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #35 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #36 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #37 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #38 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #39 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #40 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #41 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #42 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #43 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #44 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #45 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #46 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #47 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    #48 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
    #49 0x7374c0 in d_encoding
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
    #50 0x745fd2 in d_local_name
/tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
    ...
SUMMARY: AddressSanitizer: stack-overflow
/tmp/binutils-gdb/libiberty/./cp-demangle.c:1483 in d_name
==153650==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]