* RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
@ 2018-12-12 11:29 Nick Clifton
2018-12-12 20:31 ` Jason Merrill
0 siblings, 1 reply; 3+ messages in thread
From: Nick Clifton @ 2018-12-12 11:29 UTC (permalink / raw)
To: ian; +Cc: gcc-patches, redi
Hi Ian,
Sorry to bother you, but I have another libiberty demangler resource
exhaustion prevention patch to present. This one is for:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241
Jonathan Wakely reported that __cxa_demanlge() was returning a -2
result, but I did not see this. Instead I found that
consume_count_with_underscores() is returning a very large number
(because a very large value is encoded in the mangled string) and this
is resulting in many calls to remember_Ktype() which eventually
exhaust the amount of memory available.
The attached patch is a simplistic approach to solving this problem by
adding a hard upper limit on the number of qualifiers that will be
allowed by the demangler. I am not sure if this is the best approach
to solving the problem, but it is a simple one, and I would think one
that would not prevent the demangling of any real mangled names. The
limit does not have to be DEMANGLE_RECURSE_LIMIT of course. I just
chose that value because it was convenient and of a size that I
thought was appropriate.
I also did run the libiberty testsuite this time, with no failures
reported. :-)
OK to apply ?
Cheers
Nick
libiberty/ChangeLog
2018-12-12 Nick Clifton <nickc@redhat.com>
* cplus-dem.c (demangle_qualified): Add an upper limit on the
number of qualifiers supported, based upon the value of
DEMANGLE_RECURSE_LIMIT.
Index: libiberty/cplus-dem.c
===================================================================
--- libiberty/cplus-dem.c (revision 267043)
+++ libiberty/cplus-dem.c (working copy)
@@ -3443,6 +3443,17 @@
success = 0;
}
+ /* PR 87241: Catch malicious input that will try to trick this code into
+ allocating a ridiculous amount of memory via the remember_Ktype()
+ function.
+ The choice of DEMANGLE_RECURSION_LIMIT is somewhat arbitrary. Possibly
+ a better solution would be to track how much memory remember_Ktype
+ allocates and abort when some upper limit is reached. */
+ if (qualifiers > DEMANGLE_RECURSION_LIMIT)
+ /* FIXME: We ought to have some way to tell the user that
+ this limit has been reached. */
+ success = 0;
+
if (!success)
return success;
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
2018-12-12 11:29 RFA: libiberty: Add a limit on demangling qualifiers (PR 87241) Nick Clifton
@ 2018-12-12 20:31 ` Jason Merrill
2018-12-13 9:48 ` Nick Clifton
0 siblings, 1 reply; 3+ messages in thread
From: Jason Merrill @ 2018-12-12 20:31 UTC (permalink / raw)
To: Nick Clifton; +Cc: Ian Lance Taylor, gcc-patches List, redi
On Wed, Dec 12, 2018 at 6:29 AM Nick Clifton <nickc@redhat.com> wrote:
>
> Sorry to bother you, but I have another libiberty demangler resource
> exhaustion prevention patch to present. This one is for:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241
>
> Jonathan Wakely reported that __cxa_demanlge() was returning a -2
> result, but I did not see this. Instead I found that
> consume_count_with_underscores() is returning a very large number
> (because a very large value is encoded in the mangled string) and this
> is resulting in many calls to remember_Ktype() which eventually
> exhaust the amount of memory available.
>
> The attached patch is a simplistic approach to solving this problem by
> adding a hard upper limit on the number of qualifiers that will be
> allowed by the demangler. I am not sure if this is the best approach
> to solving the problem, but it is a simple one, and I would think one
> that would not prevent the demangling of any real mangled names. The
> limit does not have to be DEMANGLE_RECURSE_LIMIT of course. I just
> chose that value because it was convenient and of a size that I
> thought was appropriate.
>
> I also did run the libiberty testsuite this time, with no failures
> reported. :-)
>
> OK to apply ?
>
> Cheers
> Nick
>
> libiberty/ChangeLog
> 2018-12-12 Nick Clifton <nickc@redhat.com>
>
> * cplus-dem.c (demangle_qualified): Add an upper limit on the
> number of qualifiers supported, based upon the value of
> DEMANGLE_RECURSE_LIMIT.
This issue also will be resolved by disabling or removing the old
demangling code, which I haven't seen anyone argue against.
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
2018-12-12 20:31 ` Jason Merrill
@ 2018-12-13 9:48 ` Nick Clifton
0 siblings, 0 replies; 3+ messages in thread
From: Nick Clifton @ 2018-12-13 9:48 UTC (permalink / raw)
To: Jason Merrill; +Cc: Ian Lance Taylor, gcc-patches List, redi
Hi Jason,
> This issue also will be resolved by disabling or removing the old
> demangling code, which I haven't seen anyone argue against.
Doh - of course. I withdraw my patch and I hope that yours will go in soon.
Cheers
Nick
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-12-13 9:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-12 11:29 RFA: libiberty: Add a limit on demangling qualifiers (PR 87241) Nick Clifton
2018-12-12 20:31 ` Jason Merrill
2018-12-13 9:48 ` Nick Clifton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).