From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 49D5F3858D28 for ; Fri, 1 Jul 2022 15:12:52 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 49D5F3858D28 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-610-H7hQ62g_M4yYhupEJVPv6Q-1; Fri, 01 Jul 2022 11:12:48 -0400 X-MC-Unique: H7hQ62g_M4yYhupEJVPv6Q-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 83913802A5E; Fri, 1 Jul 2022 15:12:48 +0000 (UTC) Received: from comet.redhat.com (unknown [10.39.193.100]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 08EA9492CA4; Fri, 1 Jul 2022 15:12:47 +0000 (UTC) From: Nick Clifton To: jeffreyalaw@gmail.com Cc: gcc-patches@gcc.gnu.org Subject: RFA: Another Rust demangler recursion limit Date: Fri, 01 Jul 2022 16:12:45 +0100 Message-ID: <87y1xcn9xu.fsf@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Status: No, score=-10.0 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2022 15:12:53 -0000 --=-=-= Content-Type: text/plain Hi Jeff, [I am sending this to your directly since you seem to be the only one reviewing these patches]. Hot on the heels of the fix for the recursion problem in demangle_const a binutils user has filed another PoC that exposes a problem in demangle_path_maybe_open_generics(): https://sourceware.org/bugzilla/show_bug.cgi?id=29312#c1 I have redirected them to file a bug report with the gcc system, but in the hopes of getting a fix in quickly I am also attaching a patch here. It just does the obvious thing of adding a recursion counter and limit to the function. Cheers Nick --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=rust-demangle.c.patch diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c index 36afcfae278..d6daf23af27 100644 --- a/libiberty/rust-demangle.c +++ b/libiberty/rust-demangle.c @@ -1082,6 +1082,18 @@ demangle_path_maybe_open_generics (struct rust_demangler *rdm) if (rdm->errored) return open; + if (rdm->recursion != RUST_NO_RECURSION_LIMIT) + { + ++ rdm->recursion; + if (rdm->recursion > RUST_MAX_RECURSION_COUNT) + { + /* FIXME: There ought to be a way to report + that the recursion limit has been reached. */ + rdm->errored = 1; + goto end_of_func; + } + } + if (eat (rdm, 'B')) { backref = parse_integer_62 (rdm); @@ -1107,6 +1119,11 @@ demangle_path_maybe_open_generics (struct rust_demangler *rdm) } else demangle_path (rdm, 0); + + end_of_func: + if (rdm->recursion != RUST_NO_RECURSION_LIMIT) + -- rdm->recursion; + return open; } --=-=-=--