public inbox for gcc-patches@gcc.gnu.org
* RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
@ 2018-12-12 11:29 Nick Clifton
  2018-12-12 20:31 ` Jason Merrill
  0 siblings, 1 reply; 3+ messages in thread
From: Nick Clifton @ 2018-12-12 11:29 UTC (permalink / raw)
  To: ian; +Cc: gcc-patches, redi

Hi Ian,

  Sorry to bother you, but I have another libiberty demangler resource
  exhaustion prevention patch to present.  This one is for:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241

  Jonathan Wakely reported that __cxa_demangle() was returning a -2
  result, but I did not see this.  Instead I found that
  consume_count_with_underscores() is returning a very large number
  (because a very large value is encoded in the mangled string) and this
  is resulting in many calls to remember_Ktype() which eventually
  exhaust the amount of memory available.

  The attached patch is a simplistic approach to solving this problem by
  adding a hard upper limit on the number of qualifiers that will be
  allowed by the demangler.  I am not sure if this is the best approach
  to solving the problem, but it is a simple one, and I would think one
  that would not prevent the demangling of any real mangled names.  The
  limit does not have to be DEMANGLE_RECURSE_LIMIT of course.  I just
  chose that value because it was convenient and of a size that I
  thought was appropriate.

  I also did run the libiberty testsuite this time, with no failures
  reported. :-)

  OK to apply ?

Cheers
  Nick

libiberty/ChangeLog
2018-12-12  Nick Clifton  <nickc@redhat.com>

	* cplus-dem.c (demangle_qualified): Add an upper limit on the
	number of qualifiers supported, based upon the value of
	DEMANGLE_RECURSE_LIMIT.

Index: libiberty/cplus-dem.c
===================================================================
--- libiberty/cplus-dem.c	(revision 267043)
+++ libiberty/cplus-dem.c	(working copy)
@@ -3443,6 +3443,17 @@
       success = 0;
     }
 
+  /* PR 87241: Catch malicious input that will try to trick this code into
+     allocating a ridiculous amount of memory via the remember_Ktype()
+     function.
+     The choice of DEMANGLE_RECURSION_LIMIT is somewhat arbitrary.  Possibly
+     a better solution would be to track how much memory remember_Ktype
+     allocates and abort when some upper limit is reached.  */
+  if (qualifiers > DEMANGLE_RECURSION_LIMIT)
+    /* FIXME: We ought to have some way to tell the user that
+       this limit has been reached.  */
+    success = 0;
+
   if (!success)
     return success;
 
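Review bot: The new test "if (qualifiers > DEMANGLE_RECURSION_LIMIT)" borrows a recursion-depth constant to bound a qualifier count, and the ChangeLog entry names it DEMANGLE_RECURSE_LIMIT, so the log and the code disagree. Please make the ChangeLog match the identifier used in the hunk, and consider a separately named constant for this limit, since the comment itself calls the choice somewhat arbitrary. The body of the if is a FIXME comment followed by "success = 0;" with no braces; bracing it would keep a later edit from detaching the assignment from the condition. As the FIXME admits, hitting the limit is reported through the same "success = 0" path as any other failure, so the comment should say what a caller sees in that case.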


* Re: RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
  2018-12-12 11:29 RFA: libiberty: Add a limit on demangling qualifiers (PR 87241) Nick Clifton
@ 2018-12-12 20:31 ` Jason Merrill
  2018-12-13  9:48   ` Nick Clifton
  0 siblings, 1 reply; 3+ messages in thread
From: Jason Merrill @ 2018-12-12 20:31 UTC (permalink / raw)
  To: Nick Clifton; +Cc: Ian Lance Taylor, gcc-patches List, redi

On Wed, Dec 12, 2018 at 6:29 AM Nick Clifton <nickc@redhat.com> wrote:
>
>   Sorry to bother you, but I have another libiberty demangler resource
>   exhaustion prevention patch to present.  This one is for:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87241
>
>   Jonathan Wakely reported that __cxa_demangle() was returning a -2
>   result, but I did not see this.  Instead I found that
>   consume_count_with_underscores() is returning a very large number
>   (because a very large value is encoded in the mangled string) and this
>   is resulting in many calls to remember_Ktype() which eventually
>   exhaust the amount of memory available.
>
>   The attached patch is a simplistic approach to solving this problem by
>   adding a hard upper limit on the number of qualifiers that will be
>   allowed by the demangler.  I am not sure if this is the best approach
>   to solving the problem, but it is a simple one, and I would think one
>   that would not prevent the demangling of any real mangled names.  The
>   limit does not have to be DEMANGLE_RECURSE_LIMIT of course.  I just
>   chose that value because it was convenient and of a size that I
>   thought was appropriate.
>
>   I also did run the libiberty testsuite this time, with no failures
>   reported. :-)
>
>   OK to apply ?
>
> Cheers
>   Nick
>
> libiberty/ChangeLog
> 2018-12-12  Nick Clifton  <nickc@redhat.com>
>
>         * cplus-dem.c (demangle_qualified): Add an upper limit on the
>         number of qualifiers supported, based upon the value of
>         DEMANGLE_RECURSE_LIMIT.

This issue also will be resolved by disabling or removing the old
demangling code, which I haven't seen anyone argue against.

Jason


* Re: RFA: libiberty: Add a limit on demangling qualifiers (PR 87241)
  2018-12-12 20:31 ` Jason Merrill
@ 2018-12-13  9:48   ` Nick Clifton
  0 siblings, 0 replies; 3+ messages in thread
From: Nick Clifton @ 2018-12-13  9:48 UTC (permalink / raw)
  To: Jason Merrill; +Cc: Ian Lance Taylor, gcc-patches List, redi

Hi Jason,

> This issue also will be resolved by disabling or removing the old
> demangling code, which I haven't seen anyone argue against.

Doh - of course.  I withdraw my patch and I hope that yours will go in soon.

Cheers
  Nick
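
The failure mode described in the first message of this thread, as an added example that is not part of the thread or of libiberty: a count decoded from untrusted input is range-checked before it drives any per-item work. The `Q` prefix with `_<digits>_` or single-digit counts, `QUALIFIER_LIMIT`, and both function names are assumptions of this sketch.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap for this sketch; the patch uses DEMANGLE_RECURSION_LIMIT. */
#define QUALIFIER_LIMIT 1024

/* Count forms assumed here: "_<digits>_" or one digit 1-9.
   Returns -1 on malformed input or on integer overflow.  */
static long parse_count(const char **p)
{
  const char *s = *p;
  long n = 0;
  if (*s >= '1' && *s <= '9')
    { *p = s + 1; return *s - '0'; }
  if (*s++ != '_' || !isdigit((unsigned char) *s))
    return -1;
  for (; isdigit((unsigned char) *s); s++)
    {
      if (n > (LONG_MAX - (*s - '0')) / 10)
        return -1;              /* n * 10 + digit would overflow */
      n = n * 10 + (*s - '0');
    }
  if (*s != '_')
    return -1;
  *p = s + 1;
  return n;
}

/* Validate the count before any per-qualifier work is done.
   Returns the accepted count, or -1 if the input is rejected.  */
long accepted_qualifiers(const char *mangled)
{
  long n;
  if (*mangled++ != 'Q')
    return -1;
  n = parse_count(&mangled);
  if (n <= 0 || n > QUALIFIER_LIMIT)
    return -1;                  /* hard upper limit, the approach the patch takes */
  if ((size_t) n > strlen(mangled))
    return -1;                  /* assumed: every qualifier needs at least one byte */
  return n;
}

int main(void)
{
  /* Constructed input: a huge count followed by almost no data.  */
  printf("%ld\n", accepted_qualifiers("Q_999999999_1a"));
  return 0;
}
```

The second check, comparing the count with the bytes left in the input, is an addition of this sketch and rejects inflated counts that still fall under the fixed cap.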

