| Summary: | stack overflow in function find_abstract_instance | ||
|---|---|---|---|
| Product: | binutils | Reporter: | zjuchenyuan <bugzilla.sourceware> |
| Component: | binutils | Assignee: | Alan Modra <amodra> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | nickc, trupti_pardeshi |
| Priority: | P2 | ||
| Version: | 2.34 | ||
| Target Milestone: | 2.34 | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | 2019-10-08 00:00:00 | |
| Attachments: | poc6 | ||
So I added simple infinite recursion detection to find_abstract_instace for PR22187. Now someone has crafted a binary to get around that via mutual recursion. Oh well, I suppose I should have closed the original bug as wont-fix or fixed the recursion properly. The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79281f33fd33f0964541a73511b9e2b commit 063c511bd79281f33fd33f0964541a73511b9e2b Author: Alan Modra <amodra@gmail.com> Date: Wed Oct 9 00:07:29 2019 +1030 PR25078, stack overflow in function find_abstract_instance PR 25078 * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add recur_count. Error on recur_count reaching 100 rather than info_ptr matching orig_info_ptr. Adjust calls. Fixed. Hello, May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated. Thank you in advance. Best Regards, (In reply to Trupti Pardeshi from comment #4) Hi Trupti, > May I know if Binutils-2.31 is also affected and requires this fix? Yes. The 2.32 and 2.33 releases (and branches) are also affected too. Currently the fix is only in the mainline development sources. Cheers Nick (In reply to Nick Clifton from comment #5) > (In reply to Trupti Pardeshi from comment #4) > Hi Trupti, > > > May I know if Binutils-2.31 is also affected and requires this fix? > > Yes. The 2.32 and 2.33 releases (and branches) are also affected too. > Currently the fix is only in the mainline development sources. > > Cheers > Nick Thank you so much Nick for the clarification. Appreciate your reply for mentioning 2.33 version as well. Thanks. |
Created attachment 12031 [details] poc6 ``` # ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance ASAN:SIGSEGV ================================================================= ==7==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fef28 (pc 0x000000692d37 bp 0x62200001c980 sp 0x7fffff7feee0 T0) #0 0x692d36 in find_abstract_instance dwarf2.c:2815 #1 0x693e6a in find_abstract_instance dwarf2.c:2987 #2 0x693e6a in find_abstract_instance dwarf2.c:2987 #3 0x693e6a in find_abstract_instance dwarf2.c:2987 #4 0x693e6a in find_abstract_instance dwarf2.c:2987 #5 0x693e6a in find_abstract_instance dwarf2.c:2987 #6 0x693e6a in find_abstract_instance dwarf2.c:2987 #7 0x693e6a in find_abstract_instance dwarf2.c:2987 #8 0x693e6a in find_abstract_instance dwarf2.c:2987 #9 0x693e6a in find_abstract_instance dwarf2.c:2987 #10 0x693e6a in find_abstract_instance dwarf2.c:2987 ... #251 0x693e6a in find_abstract_instance dwarf2.c:2987 SUMMARY: AddressSanitizer: stack-overflow dwarf2.c:2815 find_abstract_instance ==7==ABORTING ``` Reproducible Docker image has been pushd to `zjuchenyuan/dockerized_poc:binutils-pocs`, Dockerfile: ``` FROM zjuchenyuan/afl ENV AFL_USE_ASAN=1 RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\ cd binutils-gdb &&\ git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\ ./configure --disable-shared &&\ for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\ cd binutils &&\ ./configure --disable-shared &&\ make objdump nm-new size readelf cxxfilt RUN apt install -y gdb &&\ echo -e "set pagination off\nset confirm off" > /root/.gdbinit ADD . / RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance || exit 0 ```