Bug 22009 - Excessive memory allocation resulting from memory leakage due to incorrect handling of input file
Summary: Excessive memory allocation resulting from memory leakage due to incorrect han...
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2017-08-25 16:39 UTC by Adhokshaj Mishra
Modified: 2019-01-01 21:18 UTC
CC List: 4 users

See Also:
Last reconfirmed:

Payload file which was passed to objdump (185 bytes, application/octet-stream)
2017-08-25 16:39 UTC, Adhokshaj Mishra
Partial trace from ltrace (35.90 KB, text/plain)
2017-08-25 18:55 UTC, Adhokshaj Mishra
Massif output (6.67 KB, text/plain)
2017-08-25 18:57 UTC, Adhokshaj Mishra

Description Adhokshaj Mishra 2017-08-25 16:39:48 UTC
Created attachment 10367
Payload file which was passed to objdump

When objdump is invoked with a specially crafted file, it goes on a memory allocation spree until it cannot allocate any more, and then it crashes.

./objdump -x -C ./payload

Backtrace (soon after issue starts)

#0  0x00007f929418a015 in __strstr_sse2_unaligned () from /usr/lib/libc.so.6
#1  0x000055555570a1b1 in arm_pt (work=0x7fffffffdae0, mangled=0x555555ae32a5 "A______", 'w' <repeats 193 times>..., n=0x15558, anchor=0x7fffffffd5a8, args=0x7fffffffd5b0)
    at ./cplus-dem.c:2392
#2  0x000055555570a623 in demangle_arm_hp_template (work=0x7fffffffdae0, mangled=0x7fffffffd828, n=0x15558, declp=0x7fffffffd6a0) at ./cplus-dem.c:2507
#3  0x000055555570aa00 in demangle_class_name (work=0x7fffffffdae0, mangled=0x7fffffffd828, declp=0x7fffffffd6a0) at ./cplus-dem.c:2614
#4  0x000055555570dc4b in demangle_fund_type (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x555555a67240) at ./cplus-dem.c:4118
#5  0x000055555570d240 in do_type (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x555555a67240) at ./cplus-dem.c:3907
#6  0x000055555570e2db in do_arg (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x7fffffffd830) at ./cplus-dem.c:4332
#7  0x000055555570ebd4 in demangle_args (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:4641
#8  0x0000555555708a7c in demangle_signature (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:1732
#9  0x000055555570adb2 in iterate_demangle_function (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90, 
    scan=0x555555a8bc21 "__87384A______", 'w' <repeats 186 times>...) at ./cplus-dem.c:2743
#10 0x000055555570b619 in demangle_prefix (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:2971
#11 0x000055555570793b in internal_cplus_demangle (work=0x7fffffffdae0, mangled=0x555555aa11a7 "20A__K\377\060\060\060#\344\300") at ./cplus-dem.c:1253
#12 0x0000555555706ea7 in cplus_demangle (mangled=0x555555a8bc20 "\236__87384A______", 'w' <repeats 185 times>..., options=0x3) at ./cplus-dem.c:918
#13 0x0000555555617a6c in bfd_demangle (abfd=0x555555a67000, name=0x555555a8bc20 "\236__87384A______", 'w' <repeats 185 times>..., options=0x3) at bfd.c:1961
#14 0x00005555555b9355 in dump_symbols (abfd=0x555555a67000, dynamic=0x0) at ./objdump.c:3163
#15 0x00005555555ba0df in dump_bfd (abfd=0x555555a67000) at ./objdump.c:3532
#16 0x00005555555ba342 in display_object_bfd (abfd=0x555555a67000) at ./objdump.c:3603
#17 0x00005555555ba596 in display_any_bfd (file=0x555555a67000, level=0x0) at ./objdump.c:3692
#18 0x00005555555ba60b in display_file (filename=0x7fffffffe248 "../../test/payload", target=0x0, last_file=0x1) at ./objdump.c:3713
#19 0x00005555555baf36 in main (argc=0x4, argv=0x7fffffffde88) at ./objdump.c:4015
#20 0x00007f929410f4ca in __libc_start_main () from /usr/lib/libc.so.6
#21 0x00005555555b24da in _start ()

Input file: attached herewith

NOTE: I am still investigating it in depth, and will share more details as soon as I get something.
Comment 1 Adhokshaj Mishra 2017-08-25 18:55:35 UTC
Created attachment 10368
Partial trace from ltrace

This is the partial trace output from ltrace:

ltrace -o trace.txt ./objdump -x -C ./payload 2>&1 > /dev/null
Comment 2 Adhokshaj Mishra 2017-08-25 18:57:14 UTC
Created attachment 10369
Massif output

Output from valgrind massif for a 30 s run:

valgrind --tool=massif ./objdump -x -C ./payload
Comment 3 Nick Clifton 2017-09-01 10:53:38 UTC
Hi Adhokshaj,

  This is a bug in the C++ demangler, which is part of the libiberty sources.
  These sources are managed by the GCC project, so please could you refile
  this bug report with the GCC bugzilla system?  Thanks.

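The report reproduces the problem with objdump -x -C on the attached payload, and the stack shows the allocations happening below bfd_demangle in libiberty's cplus-dem.c; Nick's reply asks for the bug to be refiled against GCC. The harness below is an added example, not part of the bug report or of binutils: it runs a command under a virtual-memory cap and a wall-clock limit, so the allocation spree is cut off and classified instead of exhausting the machine, and it feeds the payload's raw symbol names one at a time through c++filt (which uses the same libiberty demangler) to isolate the mangled string that triggers it, which is what a standalone GCC report needs. It assumes a POSIX sh, coreutils timeout, and binutils objdump and c++filt on PATH; the payload path and the memory and time limits are placeholders.

```shell
#!/bin/sh
# Added triage harness; not part of the bug report or of binutils.
# Assumes POSIX sh, coreutils `timeout`, and binutils objdump/c++filt on PATH.

# run_limited MEM_KB SECS CMD...
# Run CMD with its address space capped at MEM_KB kilobytes and a wall-clock
# limit of SECS seconds. stdin is passed through, stdout/stderr are discarded.
# Prints exactly one verdict: ok | error:<status> | timeout | killed:<signal>
run_limited() {
    mem_kb=$1
    secs=$2
    shift 2
    rc=0
    (
        # The cap applies only inside this subshell, so the caller is unaffected.
        ulimit -v "$mem_kb" 2>/dev/null || exit 125
        exec timeout "$secs" "$@"
    ) >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo ok ;;
        124) echo timeout ;;                  # timeout(1) stopped the command
        125) echo error:125 ;;                # ulimit or timeout itself failed
        *)   if [ "$rc" -gt 128 ]; then
                 echo "killed:$((rc - 128))"  # e.g. 6 = SIGABRT, 11 = SIGSEGV
             else
                 echo "error:$rc"             # command exited non-zero on its own
             fi ;;
    esac
}

# triage_names MEM_KB SECS [DEMANGLER...]
# Read one mangled name per line on stdin, run each through the demangler
# (default: c++filt) under the limits, and print "<verdict>\t<name>" for every
# name that did not demangle cleanly.
triage_names() {
    tn_kb=$1
    tn_secs=$2
    shift 2
    [ $# -gt 0 ] || set -- c++filt
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        verdict=$(printf '%s\n' "$name" | run_limited "$tn_kb" "$tn_secs" "$@")
        [ "$verdict" = ok ] || printf '%s\t%s\n' "$verdict" "$name"
    done
}

# Usage against the attached payload (placeholder path and limits).
# The crash stack runs objdump -> dump_symbols -> bfd_demangle, and objdump
# calls bfd_demangle only when -C is given, so a plain -t listing yields the
# raw names without going through the demangler at all.
#   run_limited 200000 30 objdump -x -C ./payload
#   objdump -t ./payload | awk 'NF >= 2 { print $NF }' | sort -u | triage_names 200000 10
```

A verdict of killed:6 or killed:11 means the demangler ran into the cap and died in malloc or on a bad pointer; error:1 means the tool noticed the allocation failure and exited cleanly; timeout means it was still allocating when the clock ran out. The non-ok lines from triage_names are the strings to attach to the refiled report, since they reproduce with c++filt alone and no longer depend on the binary container.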
Comment 4 Adhokshaj Mishra 2017-09-05 09:56:14 UTC
Sure. Will do that.
Comment 5 Andreas K. Huettel 2017-12-09 22:22:11 UTC
Could you add a link to the bug please?
Comment 6 Salvatore Bonaccorso 2019-01-01 21:18:05 UTC
Was this reported to the GCC bugzilla?