From: jaehoon.jang at kaist dot ac.kr
Subject: [Bug binutils/32333] New: nm recursive stack overflow (d_name, cp-demangle.c:1483)
Date: Fri, 01 Nov 2024 15:32:32 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=32333
Bug ID: 32333
Summary: nm recursive stack overflow (d_name, cp-demangle.c:1483)
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jaehoon.jang at kaist dot ac.kr
Target Milestone: ---
Created attachment 15773
--> https://sourceware.org/bugzilla/attachment.cgi?id=15773&action=edit
poc
Stack overflow due to recursive calls of the d_name, d_encoding and d_local_name functions
Environment
[NOTICE] I tested by reducing the stack size to 256 (ulimit -s 256).
When I tested related bugs (CVE-2018-17985, CVE-2018-18484, etc.) with the same
stack size, the bug was not triggered and the defense worked well. However, I
think the PoC I uploaded needs a patch because it causes the bug.
# uname -a
Linux 63ad81720171 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# git clone https://github.com/bminor/binutils-gdb.git
# cd binutils-gdb
# clang --version
clang version 12.0.0 (https://github.com/llvm/llvm-project.git 6de4865545da73687dd6d28d153cd345ed5e7918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" ./configure
# CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make -j 4
# binutils/nm-new --version
GNU nm (GNU Binutils) 2.43.50.20241101
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# binutils/nm-new -C ../d_local_name/poc1
00000000 A 3
000000d1 A _ZZZ5ZZZZZCxxxx
000000d1 A _ZZZ5ZZZZZCxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvE7Z_eeeeeeeeeeee]eee}eeeeeeeeeexx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvEZZ_eeeexxxxxxxxxxxxxxxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZZsZvEZZ_eeeexxxxxxxxxxxxxxxxx
000000d1 A _ZZZ5ZZZZZZZZZZZZ^sZvE2Z_eeeeeeeeeeeexxxx
0000000b A _ZZZ5ZZZZZZZZZZZeZsZvE7Z_eeeeeeeeeeee]eeeeeeeeeeeeeeeeeeeeeeeeeeeZZZZeeeeeeeeeeeeeZZZZZZZZ@
000000d1 A _ZZZ5ZZZZZexxxx
000000d1 A _ZZZ5ZZZZZexxxx
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153650==ERROR: AddressSanitizer: stack-overflow on address 0x7fff975daff0 (pc 0x000000745bef bp 0x7fff975db060 sp 0x7fff975dafc0 T0)
#0 0x745bef in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1483
#1 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#2 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#3 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#4 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#5 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#6 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#7 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#8 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#9 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#10 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#11 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#12 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#13 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#14 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#15 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#16 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#17 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#18 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#19 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#20 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#21 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#22 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#23 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#24 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#25 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#26 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#27 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#28 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#29 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#30 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#31 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#32 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#33 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#34 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#35 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#36 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#37 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#38 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#39 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#40 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#41 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#42 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#43 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#44 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#45 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#46 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#47 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
#48 0x745fd2 in d_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:1496:12
#49 0x7374c0 in d_encoding /tmp/binutils-gdb/libiberty/./cp-demangle.c:1388:12
#50 0x745fd2 in d_local_name /tmp/binutils-gdb/libiberty/./cp-demangle.c:3848:14
...
SUMMARY: AddressSanitizer: stack-overflow /tmp/binutils-gdb/libiberty/./cp-demangle.c:1483 in d_name
==153650==ABORTING