Bug 22009 - Excessive memory allocation resulting from memory leakge due to incorrect handling of input file
Summary: Excessive memory allocation resulting from memory leakge due to incorrect han...
Status: RESOLVED WONTFIX
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-25 16:39 UTC by Adhokshaj Mishra
Modified: 2019-01-01 21:18 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Payload file which was passed to objdump (185 bytes, application/octet-stream)
2017-08-25 16:39 UTC, Adhokshaj Mishra 		Details
Partial trace from ltrace (35.90 KB, text/plain)
2017-08-25 18:55 UTC, Adhokshaj Mishra 		Details
Massif output (6.67 KB, text/plain)
2017-08-25 18:57 UTC, Adhokshaj Mishra 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Adhokshaj Mishra 2017-08-25 16:39:48 UTC 
Created attachment 10367 [details]
Payload file which was passed to objdump

When objdump is invoked with a specially crafted file, it goes on memeory allocation spree until it cannot allocate it anymore, and then it crashes.

Command

./objdump -x -C ./payload

Backtrace (soon after issue starts)

#0  0x00007f929418a015 in __strstr_sse2_unaligned () from /usr/lib/libc.so.6
#1  0x000055555570a1b1 in arm_pt (work=0x7fffffffdae0, mangled=0x555555ae32a5 "A______", 'w' <repeats 193 times>..., n=0x15558, anchor=0x7fffffffd5a8, args=0x7fffffffd5b0)
    at ./cplus-dem.c:2392
#2  0x000055555570a623 in demangle_arm_hp_template (work=0x7fffffffdae0, mangled=0x7fffffffd828, n=0x15558, declp=0x7fffffffd6a0) at ./cplus-dem.c:2507
#3  0x000055555570aa00 in demangle_class_name (work=0x7fffffffdae0, mangled=0x7fffffffd828, declp=0x7fffffffd6a0) at ./cplus-dem.c:2614
#4  0x000055555570dc4b in demangle_fund_type (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x555555a67240) at ./cplus-dem.c:4118
#5  0x000055555570d240 in do_type (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x555555a67240) at ./cplus-dem.c:3907
#6  0x000055555570e2db in do_arg (work=0x7fffffffdae0, mangled=0x7fffffffd828, result=0x7fffffffd830) at ./cplus-dem.c:4332
#7  0x000055555570ebd4 in demangle_args (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:4641
#8  0x0000555555708a7c in demangle_signature (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:1732
#9  0x000055555570adb2 in iterate_demangle_function (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90, 
    scan=0x555555a8bc21 "__87384A______", 'w' <repeats 186 times>...) at ./cplus-dem.c:2743
#10 0x000055555570b619 in demangle_prefix (work=0x7fffffffdae0, mangled=0x7fffffffda60, declp=0x7fffffffda90) at ./cplus-dem.c:2971
#11 0x000055555570793b in internal_cplus_demangle (work=0x7fffffffdae0, mangled=0x555555aa11a7 "20A__K\377\060\060\060#\344\300") at ./cplus-dem.c:1253
#12 0x0000555555706ea7 in cplus_demangle (mangled=0x555555a8bc20 "\236__87384A______", 'w' <repeats 185 times>..., options=0x3) at ./cplus-dem.c:918
#13 0x0000555555617a6c in bfd_demangle (abfd=0x555555a67000, name=0x555555a8bc20 "\236__87384A______", 'w' <repeats 185 times>..., options=0x3) at bfd.c:1961
#14 0x00005555555b9355 in dump_symbols (abfd=0x555555a67000, dynamic=0x0) at ./objdump.c:3163
#15 0x00005555555ba0df in dump_bfd (abfd=0x555555a67000) at ./objdump.c:3532
#16 0x00005555555ba342 in display_object_bfd (abfd=0x555555a67000) at ./objdump.c:3603
#17 0x00005555555ba596 in display_any_bfd (file=0x555555a67000, level=0x0) at ./objdump.c:3692
#18 0x00005555555ba60b in display_file (filename=0x7fffffffe248 "../../test/payload", target=0x0, last_file=0x1) at ./objdump.c:3713
#19 0x00005555555baf36 in main (argc=0x4, argv=0x7fffffffde88) at ./objdump.c:4015
#20 0x00007f929410f4ca in __libc_start_main () from /usr/lib/libc.so.6
#21 0x00005555555b24da in _start ()

Input file: attached herewith

NOTE: I am still investigating it in depth, and will share more details as soon as I get something.
Comment 1 Adhokshaj Mishra 2017-08-25 18:55:35 UTC 
Created attachment 10368 [details]
Partial trace from ltrace

This partial trace output from ltrace

ltrace -o trace.txt ./objdump -x -C ./payload 2>&1 > /dev/null
Comment 2 Adhokshaj Mishra 2017-08-25 18:57:14 UTC 
Created attachment 10369 [details]
Massif output

Output from valgrind massif for 30s run.

valgrind --tool=massif ./objdump -x -C ./payload
Comment 3 Nick Clifton 2017-09-01 10:53:38 UTC 
Hi Adhokshaj,

  This is a bug in the C++ demangler, which is part of the libiberty sources.
  These sources are managed by the GCC project, so please could you refile
  this bug report with the GCC bugzilla system ?  Thanks.

Cheers
  Nick
Comment 4 Adhokshaj Mishra 2017-09-05 09:56:14 UTC 
Sure. Will do that.
Comment 5 Andreas K. Huettel 2017-12-09 22:22:11 UTC 
Could you add a link to the bug please?
Comment 6 Salvatore Bonaccorso 2019-01-01 21:18:05 UTC 
Was this reported to the GCC bugzilla?