Bug 30902 - nm: stack-overflow at rust-demangle.c:1572 in str_buf_append
Status: RESOLVED INVALID
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.42
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2023-09-26 02:04 UTC by 曾信彥
Modified: 2023-10-02 09:01 UTC

Attachments
this poc with -C --no-recurse-limit arguments can crash nm-new in the latest version (4.74 KB, application/x-sharedlib)
2023-09-26 02:04 UTC, 曾信彥

Description 曾信彥 2023-09-26 02:04:53 UTC
Created attachment 15135
this poc with -C --no-recurse-limit arguments can crash nm-new in the latest version

Summary:

A crash is caused when using nm.
AddressSanitizer reported it as a stack-overflow.

git commit, OS, Compiler and processor

git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor

Steps to reproduce:

$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/nm-new -C --no-recurse-limit ./poc_0

AddressSanitizer report:

$ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -C --no-recurse-limit ./poc_0

BFD: warning: ./pocs/poc_0 has a section extending past end of file
./pocs/poc_0: no group info for section '.note.gnu.build-id'
BFD: ./pocs/poc_0: invalid string offset 3724541951 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 15793920 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 4294967274 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 4227858432 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 8388608 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 6912 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 57089 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 32801 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 4294246637 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 268435814 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: invalid string offset 4294902315 >= 601 for section `.strtab'
BFD: ./pocs/poc_0: .gnu.version_r invalid entry
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1238816==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcde5b0fa8 (pc 0x7f2360ffd379 bp 0x7ffcde5b1840 sp 0x7ffcde5b0fb0 T0)
    #0 0x7f2360ffd378 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x55976bbcd71c in str_buf_append rust-demangle.c:1572
    #2 0x55976bbcd76c in str_buf_demangle_callback rust-demangle.c:1579
    #3 0x55976bbc6914 in print_str rust-demangle.c:279
    #4 0x55976bbc9e4f in demangle_type rust-demangle.c:924
    #5 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #6 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #7 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #8 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #9 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #10 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #11 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #12 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #13 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #14 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #15 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #16 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #17 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #18 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #19 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #20 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #21 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #22 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #23 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #24 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #25 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #26 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #27 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #28 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #29 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #30 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #31 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #32 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #33 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #34 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #35 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #36 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #37 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #38 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #39 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #40 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #41 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #42 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #43 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #44 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #45 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #46 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #47 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #48 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #49 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #50 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #51 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #52 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #53 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #54 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #55 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #56 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #57 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #58 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #59 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #60 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #61 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #62 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #63 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #64 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #65 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #66 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #67 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #68 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #69 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #70 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #71 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #72 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #73 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #74 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #75 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #76 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #77 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #78 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #79 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #80 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #81 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #82 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #83 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #84 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #85 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #86 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #87 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #88 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #89 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #90 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #91 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #92 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #93 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #94 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #95 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #96 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #97 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #98 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #99 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #100 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #101 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #102 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #103 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #104 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #105 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #106 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #107 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #108 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #109 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #110 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #111 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #112 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #113 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #114 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #115 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #116 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #117 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #118 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #119 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #120 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #121 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #122 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #123 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #124 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #125 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #126 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #127 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #128 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #129 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #130 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #131 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #132 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #133 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #134 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #135 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #136 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #137 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #138 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #139 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #140 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #141 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #142 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #143 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #144 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #145 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #146 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #147 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #148 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #149 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #150 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #151 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #152 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #153 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #154 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #155 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #156 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #157 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #158 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #159 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #160 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #161 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #162 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #163 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #164 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #165 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #166 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #167 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #168 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #169 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #170 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #171 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #172 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #173 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #174 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #175 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #176 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #177 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #178 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #179 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #180 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #181 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #182 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #183 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #184 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #185 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #186 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #187 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #188 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #189 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #190 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #191 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #192 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #193 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #194 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #195 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #196 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #197 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #198 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #199 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #200 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #201 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #202 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #203 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #204 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #205 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #206 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #207 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #208 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #209 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #210 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #211 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #212 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #213 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #214 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #215 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #216 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #217 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #218 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #219 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #220 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #221 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #222 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #223 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #224 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #225 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #226 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #227 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #228 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #229 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #230 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #231 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #232 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #233 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #234 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #235 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #236 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #237 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #238 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #239 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #240 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #241 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #242 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #243 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #244 0x55976bbc9e9f in demangle_type rust-demangle.c:929
    #245 0x55976bbc95f1 in demangle_path rust-demangle.c:759
    #246 0x55976bbca8ee in demangle_type rust-demangle.c:1062
    #247 0x55976bbca85c in demangle_type rust-demangle.c:1055
    #248 0x55976bbc9e9f in demangle_type rust-demangle.c:929

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
==1238816==ABORTING
Comment 1 Nick Clifton 2023-10-02 09:01:03 UTC
This is precisely the reason why nm defaults to enabling a recursion limit.  It is always possible to construct pathological name manglings that will exhibit this behaviour, so the tool protects itself by enforcing a recursion limit.

I am going to close this bug report.  If however you feel that it deserves more attention, please could you refile it with the GCC project - they are the maintainers of the libiberty library which performs name demangling, and it is code in this library which is being forced into a stack death spiral.
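
The recursion limit described in the comment above, sketched as an added example (not libiberty's code and not part of the original report): a recursive-descent demangler for a constructed toy grammar that rejects input once nesting exceeds a cap instead of recursing until the stack is exhausted. All names (`toy_demangle`, `TOY_MAX_DEPTH`, the `R`/`l` grammar) are hypothetical, and passing a `max_depth` of 0 stands in for running with the limit disabled.

```c
#include <stdio.h>
#include <string.h>

#define TOY_MAX_DEPTH 1024 /* assumed cap for this sketch */

struct toy_dm {
    const char *in; size_t pos, len;     /* mangled input and cursor */
    char *out; size_t out_len, out_cap;  /* caller-provided output buffer */
    unsigned depth, max_depth;           /* max_depth 0 = limit disabled */
    int errored;
};

static void toy_put(struct toy_dm *d, const char *s) {
    size_t n = strlen(s);
    if (d->errored) return;
    if (d->out_len + n >= d->out_cap) { d->errored = 1; return; }
    memcpy(d->out + d->out_len, s, n);
    d->out_len += n;
    d->out[d->out_len] = '\0';
}

/* Toy grammar: type := 'R' type | 'l'   ("&" prefix, "i32" leaf). */
static void toy_type(struct toy_dm *d) {
    if (d->errored) return;
    /* The guard: input-controlled nesting may not exceed max_depth. */
    if (d->max_depth && ++d->depth > d->max_depth) { d->errored = 1; return; }
    if (d->pos >= d->len) d->errored = 1;
    else if (d->in[d->pos] == 'R') { d->pos++; toy_put(d, "&"); toy_type(d); }
    else if (d->in[d->pos] == 'l') { d->pos++; toy_put(d, "i32"); }
    else d->errored = 1;
    if (d->max_depth) d->depth--;
}

/* Returns 1 when the whole input demangles, 0 when it is rejected. */
int toy_demangle(const char *s, char *out, size_t cap, unsigned max_depth) {
    struct toy_dm d = { s, 0, strlen(s), out, 0, cap, 0, max_depth, 0 };
    if (cap == 0) return 0;
    out[0] = '\0';
    toy_type(&d);
    return !d.errored && d.pos == d.len;
}

/* Constructed input: `nest` copies of 'R' followed by 'l'. */
int toy_try_nested(unsigned nest, unsigned max_depth) {
    static char in[8192], out[8192 + 8];
    if (nest + 2 > sizeof in) return 0;
    memset(in, 'R', nest);
    in[nest] = 'l'; in[nest + 1] = '\0';
    return toy_demangle(in, out, sizeof out, max_depth);
}

int main(void) {
    printf("nest 1023, limited:   %d\n", toy_try_nested(1023, TOY_MAX_DEPTH));
    printf("nest 5000, limited:   %d\n", toy_try_nested(5000, TOY_MAX_DEPTH));
    printf("nest 2000, unlimited: %d\n", toy_try_nested(2000, 0));
    return 0;
}
```

With the limit disabled, recursion depth is bounded only by the length of the symbol name, which is the condition the report exercises with `--no-recurse-limit`.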