Bug 25078 - stack overflow in function find_abstract_instance
Summary: stack overflow in function find_abstract_instance
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.34
: P2 normal
Target Milestone: 2.34
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-08 06:59 UTC by zjuchenyuan
Modified: 2019-10-24 09:44 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-10-08 00:00:00


Attachments
poc6 (10.16 KB, application/x-executable)
2019-10-08 06:59 UTC, zjuchenyuan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description zjuchenyuan 2019-10-08 06:59:26 UTC
Created attachment 12031 [details]
poc6

```
# ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance
ASAN:SIGSEGV
=================================================================
==7==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fef28 (pc 0x000000692d37 bp 0x62200001c980 sp 0x7fffff7feee0 T0)
    #0 0x692d36 in find_abstract_instance dwarf2.c:2815
    #1 0x693e6a in find_abstract_instance dwarf2.c:2987
    #2 0x693e6a in find_abstract_instance dwarf2.c:2987
    #3 0x693e6a in find_abstract_instance dwarf2.c:2987
    #4 0x693e6a in find_abstract_instance dwarf2.c:2987
    #5 0x693e6a in find_abstract_instance dwarf2.c:2987
    #6 0x693e6a in find_abstract_instance dwarf2.c:2987
    #7 0x693e6a in find_abstract_instance dwarf2.c:2987
    #8 0x693e6a in find_abstract_instance dwarf2.c:2987
    #9 0x693e6a in find_abstract_instance dwarf2.c:2987
    #10 0x693e6a in find_abstract_instance dwarf2.c:2987
...
    #251 0x693e6a in find_abstract_instance dwarf2.c:2987

SUMMARY: AddressSanitizer: stack-overflow dwarf2.c:2815 find_abstract_instance
==7==ABORTING
```

Reproducible Docker image has been pushd to `zjuchenyuan/dockerized_poc:binutils-pocs`, Dockerfile:

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done  &&\
    cd binutils  &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit

ADD . /
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance || exit 0
```
Comment 1 Alan Modra 2019-10-08 09:12:05 UTC
So I added simple infinite recursion detection to find_abstract_instace for PR22187.  Now someone has crafted a binary to get around that via mutual recursion.  Oh well, I suppose I should have closed the original bug as wont-fix or fixed the recursion properly.
Comment 2 cvs-commit@gcc.gnu.org 2019-10-08 13:59:18 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79281f33fd33f0964541a73511b9e2b

commit 063c511bd79281f33fd33f0964541a73511b9e2b
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Oct 9 00:07:29 2019 +1030

    PR25078, stack overflow in function find_abstract_instance
    
    	PR 25078
    	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
    	recur_count.  Error on recur_count reaching 100 rather than
    	info_ptr matching orig_info_ptr.  Adjust calls.
Comment 3 Alan Modra 2019-10-08 14:11:13 UTC
Fixed.
Comment 4 Trupti Pardeshi 2019-10-23 11:35:24 UTC
Hello,

May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
Comment 5 Nick Clifton 2019-10-24 09:20:20 UTC
(In reply to Trupti Pardeshi from comment #4)
Hi Trupti,

> May I know if Binutils-2.31 is also affected and requires this fix?

Yes.  The 2.32 and 2.33 releases (and branches) are also affected too.
Currently the fix is only in the mainline development sources.

Cheers
  Nick
Comment 6 Trupti Pardeshi 2019-10-24 09:44:38 UTC
(In reply to Nick Clifton from comment #5)
> (In reply to Trupti Pardeshi from comment #4)
> Hi Trupti,
> 
> > May I know if Binutils-2.31 is also affected and requires this fix?
> 
> Yes.  The 2.32 and 2.33 releases (and branches) are also affected too.
> Currently the fix is only in the mainline development sources.
> 
> Cheers
>   Nick

Thank you so much Nick for the clarification. Appreciate your reply for mentioning 2.33 version as well. Thanks.