From: "bjchan9an at foxmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug demangler/107108] New: Uncontrolled stack recursion in rust-demangler.c
Date: Sat, 01 Oct 2022 02:30:22 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107108

            Bug ID: 107108
           Summary: Uncontrolled stack recursion in rust-demangler.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bjchan9an at foxmail dot com
  Target Milestone: ---

Created attachment 53647
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53647&action=edit
nm-new poc file

There is an uncontrolled stack recursion vulnerability in libiberty/rust-demangle.c in binutils-2.38, which allows stack consumption in demangle_path_maybe_open_generics().

To reproduce this bug, build the binutils-2.38 release, use the poc file in attachments and run the following commands:

```
nm-new -C ./poc
```

The gdb crash trace is as follows:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
1087      backref = parse_integer_62 (rdm);
(gdb) bt
#0  0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
#1  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#2  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#3  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#4  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#5  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#6  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#7  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#8  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#9  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#10 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#11 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#12 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
```
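
The trace above shows a parser re-entering itself each time it follows a back-reference. As an added example (not code from this report or from libiberty), here is one way to bound that recursion with a depth counter. The grammar is a toy one, and `parse_path`, `demangle_toy` and `MAX_BACKREF_DEPTH` with its value of 64 are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BACKREF_DEPTH 64 /* assumed cap for this sketch */
struct parser {
  const char *sym; /* input symbol */
  size_t len;      /* its length */
  size_t next;     /* read cursor */
  unsigned depth;  /* back-references currently being followed */
  int errored;     /* sticky failure flag */
};

/* Toy grammar (not the Rust v0 encoding):
     path := 'B' digit   re-parse the path at offset <digit>
           | [a-z]+      identifier
   Returns the identifier length; sets p->errored on failure. */
static size_t parse_path(struct parser *p)
{
  size_t n = 0;
  if (p->errored || p->next >= p->len) { p->errored = 1; return 0; }
  if (p->sym[p->next] == 'B') {
    size_t saved = p->next + 2;
    char d = p->next + 1 < p->len ? p->sym[p->next + 1] : '\0';
    /* The depth check turns a back-reference cycle into an error. */
    if (d < '0' || d > '9' || p->depth >= MAX_BACKREF_DEPTH) { p->errored = 1; return 0; }
    p->next = (size_t)(d - '0');
    p->depth++;
    n = parse_path(p);
    p->depth--;
    p->next = saved; /* resume after the back-reference */
    return n;
  }
  while (p->next < p->len && p->sym[p->next] >= 'a' && p->sym[p->next] <= 'z') {
    p->next++; n++;
  }
  if (n == 0) p->errored = 1;
  return n;
}

/* Identifier length reached from offset start, or -1 on bad or too deep input. */
long demangle_toy(const char *sym, size_t start)
{
  struct parser p = { sym, strlen(sym), start, 0, 0 };
  size_t n = parse_path(&p);
  return p.errored ? -1 : (long)n;
}

/* Constructed inputs: a valid back-reference, then a two-step cycle. */
int main(void) { printf("%ld %ld\n", demangle_toy("abcB0", 3), demangle_toy("B2B0", 0)); return 0; }
```

Without the `p->depth` check, the second input would recurse until the stack is exhausted, which is the failure mode the backtrace shows.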