Bug 23863

Summary: binutils-2.31.1 stack buffer overflow in nm -C
Product: binutils
Reporter: mmmtoxic
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: nickc
Priority: P2
Version: 2.31
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: nm -C crash_file
attachment-106890-0.html

Description mmmtoxic 2018-11-06 02:48:49 UTC
Created attachment 11384 [details]
nm -C crash_file

A stack buffer overflow found in binutils-2.31.1, triggered by "nm -C crash_file", running on Ubuntu 16.04 64-bit. It was found by AFL.

The error information is as follows:

==83901==ERROR: AddressSanitizer: stack-overflow on address 0x7fff50701ff0 (pc 0x7f36458d326e bp 0x000000000020 sp 0x7fff50701fe0 T0)
    #0 0x7f36458d326d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xb026d)
    #1 0x7f36458d2d67  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xafd67)
    #2 0x7f3645845f4f  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22f4f)
    #3 0x7f36458bb5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #4 0x696530 in xmalloc xmalloc.c:147
    #5 0x66f713 in string_need cplus-dem.c:4906
    #6 0x66fbcf in string_append cplus-dem.c:4961
    #7 0x66d5d2 in demangle_args cplus-dem.c:4578
    #8 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #9 0x668a0a in do_type cplus-dem.c:3719
    #10 0x66c0ee in do_arg cplus-dem.c:4332
    #11 0x66dc1f in demangle_args cplus-dem.c:4659
    #12 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #13 0x668a0a in do_type cplus-dem.c:3719
    #14 0x66c0ee in do_arg cplus-dem.c:4332
    #15 0x66dc1f in demangle_args cplus-dem.c:4659
    #16 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #17 0x668a0a in do_type cplus-dem.c:3719
    #18 0x66c0ee in do_arg cplus-dem.c:4332
    #19 0x66dc1f in demangle_args cplus-dem.c:4659
    #20 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #21 0x668a0a in do_type cplus-dem.c:3719
    #22 0x66c0ee in do_arg cplus-dem.c:4332
    #23 0x66dc1f in demangle_args cplus-dem.c:4659
    #24 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #25 0x668a0a in do_type cplus-dem.c:3719
    #26 0x66c0ee in do_arg cplus-dem.c:4332
    #27 0x66dc1f in demangle_args cplus-dem.c:4659
    #28 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #29 0x668a0a in do_type cplus-dem.c:3719
    #30 0x66c0ee in do_arg cplus-dem.c:4332
    #31 0x66dc1f in demangle_args cplus-dem.c:4659
    #32 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #33 0x668a0a in do_type cplus-dem.c:3719
    #34 0x66c0ee in do_arg cplus-dem.c:4332
    #35 0x66dc1f in demangle_args cplus-dem.c:4659
    #36 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #37 0x668a0a in do_type cplus-dem.c:3719
    #38 0x66c0ee in do_arg cplus-dem.c:4332
    #39 0x66dc1f in demangle_args cplus-dem.c:4659
    #40 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #41 0x668a0a in do_type cplus-dem.c:3719
    #42 0x66c0ee in do_arg cplus-dem.c:4332
    #43 0x66dc1f in demangle_args cplus-dem.c:4659
    #44 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #45 0x668a0a in do_type cplus-dem.c:3719
    #46 0x66c0ee in do_arg cplus-dem.c:4332
    #47 0x66dc1f in demangle_args cplus-dem.c:4659
    #48 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #49 0x668a0a in do_type cplus-dem.c:3719
    #50 0x66c0ee in do_arg cplus-dem.c:4332
    #51 0x66dc1f in demangle_args cplus-dem.c:4659
    #52 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #53 0x668a0a in do_type cplus-dem.c:3719
    #54 0x66c0ee in do_arg cplus-dem.c:4332
    #55 0x66dc1f in demangle_args cplus-dem.c:4659
    #56 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #57 0x668a0a in do_type cplus-dem.c:3719
    #58 0x66c0ee in do_arg cplus-dem.c:4332
    #59 0x66dc1f in demangle_args cplus-dem.c:4659
    #60 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #61 0x668a0a in do_type cplus-dem.c:3719
    #62 0x66c0ee in do_arg cplus-dem.c:4332
    #63 0x66dc1f in demangle_args cplus-dem.c:4659
    #64 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #65 0x668a0a in do_type cplus-dem.c:3719
    #66 0x66c0ee in do_arg cplus-dem.c:4332
    #67 0x66dc1f in demangle_args cplus-dem.c:4659
    #68 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #69 0x668a0a in do_type cplus-dem.c:3719
    #70 0x66c0ee in do_arg cplus-dem.c:4332
    #71 0x66dc1f in demangle_args cplus-dem.c:4659
    #72 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #73 0x668a0a in do_type cplus-dem.c:3719
    #74 0x66c0ee in do_arg cplus-dem.c:4332
    #75 0x66dc1f in demangle_args cplus-dem.c:4659
    #76 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #77 0x668a0a in do_type cplus-dem.c:3719
    #78 0x66c0ee in do_arg cplus-dem.c:4332
    #79 0x66dc1f in demangle_args cplus-dem.c:4659
    #80 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #81 0x668a0a in do_type cplus-dem.c:3719
    #82 0x66c0ee in do_arg cplus-dem.c:4332
    #83 0x66dc1f in demangle_args cplus-dem.c:4659
    #84 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #85 0x668a0a in do_type cplus-dem.c:3719
    #86 0x66c0ee in do_arg cplus-dem.c:4332
    #87 0x66dc1f in demangle_args cplus-dem.c:4659
    #88 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #89 0x668a0a in do_type cplus-dem.c:3719
    #90 0x66c0ee in do_arg cplus-dem.c:4332
    #91 0x66dc1f in demangle_args cplus-dem.c:4659
    #92 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #93 0x668a0a in do_type cplus-dem.c:3719
    #94 0x66c0ee in do_arg cplus-dem.c:4332
    #95 0x66dc1f in demangle_args cplus-dem.c:4659
    #96 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #97 0x668a0a in do_type cplus-dem.c:3719
    #98 0x66c0ee in do_arg cplus-dem.c:4332
    #99 0x66dc1f in demangle_args cplus-dem.c:4659
    #100 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #101 0x668a0a in do_type cplus-dem.c:3719
    #102 0x66c0ee in do_arg cplus-dem.c:4332
    #103 0x66dc1f in demangle_args cplus-dem.c:4659
    #104 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #105 0x668a0a in do_type cplus-dem.c:3719
    #106 0x66c0ee in do_arg cplus-dem.c:4332
    #107 0x66dc1f in demangle_args cplus-dem.c:4659
    #108 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #109 0x668a0a in do_type cplus-dem.c:3719
    #110 0x66c0ee in do_arg cplus-dem.c:4332
    #111 0x66dc1f in demangle_args cplus-dem.c:4659
    #112 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #113 0x668a0a in do_type cplus-dem.c:3719
    #114 0x66c0ee in do_arg cplus-dem.c:4332
    #115 0x66dc1f in demangle_args cplus-dem.c:4659
    #116 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #117 0x668a0a in do_type cplus-dem.c:3719
    #118 0x66c0ee in do_arg cplus-dem.c:4332
    #119 0x66dc1f in demangle_args cplus-dem.c:4659
    #120 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #121 0x668a0a in do_type cplus-dem.c:3719
    #122 0x66c0ee in do_arg cplus-dem.c:4332
    #123 0x66dc1f in demangle_args cplus-dem.c:4659
    #124 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #125 0x668a0a in do_type cplus-dem.c:3719
    #126 0x66c0ee in do_arg cplus-dem.c:4332
    #127 0x66dc1f in demangle_args cplus-dem.c:4659
    #128 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #129 0x668a0a in do_type cplus-dem.c:3719
    #130 0x66c0ee in do_arg cplus-dem.c:4332
    #131 0x66dc1f in demangle_args cplus-dem.c:4659
    #132 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #133 0x668a0a in do_type cplus-dem.c:3719
    #134 0x66c0ee in do_arg cplus-dem.c:4332
    #135 0x66dc1f in demangle_args cplus-dem.c:4659
    #136 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #137 0x668a0a in do_type cplus-dem.c:3719
    #138 0x66c0ee in do_arg cplus-dem.c:4332
    #139 0x66dc1f in demangle_args cplus-dem.c:4659
    #140 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #141 0x668a0a in do_type cplus-dem.c:3719
    #142 0x66c0ee in do_arg cplus-dem.c:4332
    #143 0x66dc1f in demangle_args cplus-dem.c:4659
    #144 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #145 0x668a0a in do_type cplus-dem.c:3719
    #146 0x66c0ee in do_arg cplus-dem.c:4332
    #147 0x66dc1f in demangle_args cplus-dem.c:4659
    #148 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #149 0x668a0a in do_type cplus-dem.c:3719
    #150 0x66c0ee in do_arg cplus-dem.c:4332
    #151 0x66dc1f in demangle_args cplus-dem.c:4659
    #152 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #153 0x668a0a in do_type cplus-dem.c:3719
    #154 0x66c0ee in do_arg cplus-dem.c:4332
    #155 0x66dc1f in demangle_args cplus-dem.c:4659
    #156 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #157 0x668a0a in do_type cplus-dem.c:3719
    #158 0x66c0ee in do_arg cplus-dem.c:4332
    #159 0x66dc1f in demangle_args cplus-dem.c:4659
    #160 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #161 0x668a0a in do_type cplus-dem.c:3719
    #162 0x66c0ee in do_arg cplus-dem.c:4332
    #163 0x66dc1f in demangle_args cplus-dem.c:4659
    #164 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #165 0x668a0a in do_type cplus-dem.c:3719
    #166 0x66c0ee in do_arg cplus-dem.c:4332
    #167 0x66dc1f in demangle_args cplus-dem.c:4659
    #168 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #169 0x668a0a in do_type cplus-dem.c:3719
    #170 0x66c0ee in do_arg cplus-dem.c:4332
    #171 0x66dc1f in demangle_args cplus-dem.c:4659
    #172 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #173 0x668a0a in do_type cplus-dem.c:3719
    #174 0x66c0ee in do_arg cplus-dem.c:4332
    #175 0x66dc1f in demangle_args cplus-dem.c:4659
    #176 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #177 0x668a0a in do_type cplus-dem.c:3719
    #178 0x66c0ee in do_arg cplus-dem.c:4332
    #179 0x66dc1f in demangle_args cplus-dem.c:4659
    #180 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #181 0x668a0a in do_type cplus-dem.c:3719
    #182 0x66c0ee in do_arg cplus-dem.c:4332
    #183 0x66dc1f in demangle_args cplus-dem.c:4659
    #184 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #185 0x668a0a in do_type cplus-dem.c:3719
    #186 0x66c0ee in do_arg cplus-dem.c:4332
    #187 0x66dc1f in demangle_args cplus-dem.c:4659
    #188 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #189 0x668a0a in do_type cplus-dem.c:3719
    #190 0x66c0ee in do_arg cplus-dem.c:4332
    #191 0x66dc1f in demangle_args cplus-dem.c:4659
    #192 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #193 0x668a0a in do_type cplus-dem.c:3719
    #194 0x66c0ee in do_arg cplus-dem.c:4332
    #195 0x66dc1f in demangle_args cplus-dem.c:4659
    #196 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #197 0x668a0a in do_type cplus-dem.c:3719
    #198 0x66c0ee in do_arg cplus-dem.c:4332
    #199 0x66dc1f in demangle_args cplus-dem.c:4659
    #200 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #201 0x668a0a in do_type cplus-dem.c:3719
    #202 0x66c0ee in do_arg cplus-dem.c:4332
    #203 0x66dc1f in demangle_args cplus-dem.c:4659
    #204 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #205 0x668a0a in do_type cplus-dem.c:3719
    #206 0x66c0ee in do_arg cplus-dem.c:4332
    #207 0x66dc1f in demangle_args cplus-dem.c:4659
    #208 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #209 0x668a0a in do_type cplus-dem.c:3719
    #210 0x66c0ee in do_arg cplus-dem.c:4332
    #211 0x66dc1f in demangle_args cplus-dem.c:4659
    #212 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #213 0x668a0a in do_type cplus-dem.c:3719
    #214 0x66c0ee in do_arg cplus-dem.c:4332
    #215 0x66dc1f in demangle_args cplus-dem.c:4659
    #216 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #217 0x668a0a in do_type cplus-dem.c:3719
    #218 0x66c0ee in do_arg cplus-dem.c:4332
    #219 0x66dc1f in demangle_args cplus-dem.c:4659
    #220 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #221 0x668a0a in do_type cplus-dem.c:3719
    #222 0x66c0ee in do_arg cplus-dem.c:4332
    #223 0x66dc1f in demangle_args cplus-dem.c:4659
    #224 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #225 0x668a0a in do_type cplus-dem.c:3719
    #226 0x66c0ee in do_arg cplus-dem.c:4332
    #227 0x66dc1f in demangle_args cplus-dem.c:4659
    #228 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #229 0x668a0a in do_type cplus-dem.c:3719
    #230 0x66c0ee in do_arg cplus-dem.c:4332
    #231 0x66dc1f in demangle_args cplus-dem.c:4659
    #232 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #233 0x668a0a in do_type cplus-dem.c:3719
    #234 0x66c0ee in do_arg cplus-dem.c:4332
    #235 0x66dc1f in demangle_args cplus-dem.c:4659
    #236 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #237 0x668a0a in do_type cplus-dem.c:3719
    #238 0x66c0ee in do_arg cplus-dem.c:4332
    #239 0x66dc1f in demangle_args cplus-dem.c:4659
    #240 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #241 0x668a0a in do_type cplus-dem.c:3719
    #242 0x66c0ee in do_arg cplus-dem.c:4332
    #243 0x66dc1f in demangle_args cplus-dem.c:4659
    #244 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #245 0x668a0a in do_type cplus-dem.c:3719
    #246 0x66c0ee in do_arg cplus-dem.c:4332
    #247 0x66dc1f in demangle_args cplus-dem.c:4659
    #248 0x66e0f0 in demangle_nested_args cplus-dem.c:4713
    #249 0x668a0a in do_type cplus-dem.c:3719
    #250 0x66c0ee in do_arg cplus-dem.c:4332
    #251 0x66dc1f in demangle_args cplus-dem.c:4659

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
Comment 1 Nick Clifton 2018-11-06 17:35:33 UTC
Hi mmmtoxic,

  Thanks for reporting this problem.  Unfortunately the issue is in the
  name demangling code in the libiberty library, which is actually part
  of gcc, rather than the binutils.  (It is used in binutils, but not
  maintained here).  So please could you report the bug to gcc.

  I should also point out that it is quite possible that this problem
  will not be fixed, as it has already been reported (to gcc) several 
  times before.  The underlying issue is that the name mangling format
  allows for infinite recursion, and so it is always possible to 
  construct an artificially mangled name that will require an infinite
  amount of stack space in order to demangle properly.

Cheers
  Nick
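The unbounded mutual recursion Nick describes, and the recursion-depth limit that turns it into a clean parse failure, as an added example that is not libiberty's code: a toy parser whose do_type/demangle_args names mirror the trace above, with MAX_DEPTH, demangle and demangle_nested being assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libiberty code: a toy recursive-descent parser that
 * mirrors the do_type -> demangle_args cycle in the trace. A type is a
 * lower-case letter or a parenthesised, comma-separated list of types, so
 * nesting can recurse without bound; the depth counter is the mitigation. */
#define MAX_DEPTH 64

static int do_type(const char **p, int depth);
/* Parses "(" type { "," type } ")" and advances *p past it. */
static int demangle_args(const char **p, int depth)
{
    if (**p != '(') return -1;
    for ((*p)++;; (*p)++) {
        if (do_type(p, depth + 1) < 0) return -1;
        if (**p != ',') break;
    }
    if (**p != ')') return -1;
    (*p)++;
    return 0;
}

static int do_type(const char **p, int depth)
{
    if (depth > MAX_DEPTH) return -1;                /* guard: fail, don't recurse */
    if (**p == '(') return demangle_args(p, depth);  /* nested list: recurse */
    if (**p < 'a' || **p > 'z') return -1;           /* otherwise one leaf type */
    (*p)++;
    return 0;
}

/* Returns 0 on a complete parse, -1 on a syntax error or excessive depth. */
int demangle(const char *s)
{
    const char *p = s;
    return (do_type(&p, 0) == 0 && *p == '\0') ? 0 : -1;
}

/* Demangles a constructed input "(((...i...)))" nested n levels deep. */
int demangle_nested(size_t n)
{
    char *buf = malloc(2 * n + 2);
    memset(buf, '(', n);
    buf[n] = 'i';
    memset(buf + n + 1, ')', n);
    buf[2 * n + 1] = '\0';
    int rc = demangle(buf);
    free(buf);
    return rc;
}
```

Without the depth check, demangle_nested with a large n recurses once per level until the stack is exhausted, which is the ASan stack-overflow report shown in the description; with it, the same input is rejected after MAX_DEPTH levels.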
Comment 2 mmmtoxic 2018-11-07 05:26:03 UTC
Created attachment 11385 [details]
attachment-106890-0.html

OK, thanks for your reply!

Comment 3 Nick Clifton 2018-12-07 13:40:08 UTC
Fixed by recent merge with gcc libiberty sources.