https://sourceware.org/bugzilla/show_bug.cgi?id=28718
Bug ID: 28718
Summary: debug.c: Stack-overflow in debug_write_type
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: pmayorov at cloudlinux dot com
Target Milestone: ---

Created attachment 13870
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13870&action=edit
PoC and ASAN report

I found a stack-overflow in 'debug_write_type' (binutils/debug.c).

The problem is caused by a self-reference in a type definition string in the
"stabs" representation of debugging information
(http://www.sourceware.org/gdb/onlinedocs/stabs.html). This leads to infinite
recursion while printing debug information about this type.

There is the following type definition:

    .stabs "some_type:t&1=2=3=2",128,0,0,0

Here 'some_type' is defined as a reference to the indirect type 1, which is
the indirect type 2, which is the indirect type 3, which finally is the
indirect type 2. And after parsing we get a "looped" type 2:

    *type->u.kindirect->slot == type

Steps to reproduce:

Build the current version of binutils with ASAN:

    ./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
    make all

Run inputs under ASAN:

    binutils/objdump -g ~/stack_overflow

The proof-of-concept and ASAN report are attached. And I'm preparing a patch
to solve this issue.
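The following is an added example, not part of the bug report and not binutils code: a hypothetical miniature of a stabs indirect-type table (the names `type_table`, `define_indirect`, `parse_chain` and `resolve_kind`, the `MAX_TYPES` bound and the simplified "1=2=3=2" chain syntax are all assumptions made for this example). It builds the chain the report describes, shows that type 2 ends up pointing back at itself through type 3, and resolves the chain with a visited-set so the walk terminates and reports the cycle instead of recursing without bound.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a stabs indirect-type table (an assumption for
   this example; not the real binutils/debug.c structures).  type_table[n]
   is the slot holding type number n; an INDIRECT type records the slot of
   the type it refers to, so "2=3" makes type 2 point at slot 3. */
#define MAX_TYPES 16

enum kind { KIND_UNDEF = 0, KIND_INT, KIND_INDIRECT };

struct dtype {
    enum kind kind;
    struct dtype **slot;   /* KIND_INDIRECT only: slot holding the referenced type */
};

static struct dtype storage[MAX_TYPES];
static struct dtype *type_table[MAX_TYPES];

static void reset_types(void) {
    memset(storage, 0, sizeof storage);
    for (int i = 0; i < MAX_TYPES; i++)
        type_table[i] = &storage[i];
}

/* "n=m": type n becomes an indirect reference to whatever slot m holds. */
static void define_indirect(int n, int m) {
    storage[n].kind = KIND_INDIRECT;
    storage[n].slot = &type_table[m];
}

static void define_int(int n) {
    storage[n].kind = KIND_INT;
    storage[n].slot = NULL;
}

/* Parse a simplified chain such as "1=2=3=2": every number is defined as an
   indirect reference to the number after it.  Returns the count of
   definitions made, or -1 on malformed input (constructed syntax, not the
   full stabs grammar). */
static int parse_chain(const char *s) {
    int nums[MAX_TYPES];
    int count = 0;
    const char *p = s;

    while (*p != '\0') {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v >= MAX_TYPES || count == MAX_TYPES)
            return -1;
        nums[count++] = (int)v;
        p = end;
        if (*p == '=')
            p++;
        else if (*p != '\0')
            return -1;
    }
    for (int i = 0; i + 1 < count; i++)
        define_indirect(nums[i], nums[i + 1]);
    return count > 0 ? count - 1 : 0;
}

/* Follow indirect references to the concrete kind.  Every indirect node is
   marked as visited, so a chain that closes on itself (2 -> 3 -> 2) is
   reported as -1 instead of being followed forever. */
static int resolve_kind(int n) {
    bool seen[MAX_TYPES] = { false };
    struct dtype *t = type_table[n];

    while (t->kind == KIND_INDIRECT) {
        int idx = (int)(t - storage);      /* type number of this node */
        if (seen[idx])
            return -1;                      /* cycle detected */
        seen[idx] = true;
        t = *t->slot;
    }
    return (int)t->kind;
}

int main(void) {
    reset_types();
    define_int(3);
    parse_chain("1=2=3");
    printf("1=2=3   -> kind %d\n", resolve_kind(1));   /* 1: KIND_INT */

    reset_types();
    parse_chain("1=2=3=2");                             /* the report's chain */
    printf("1=2=3=2 -> kind %d\n", resolve_kind(1));   /* -1: cycle */
    return 0;
}
```

A check of the form `*type->u.kindirect->slot == type` only catches a type that refers directly to itself; the loop in the report is one hop longer (2 -> 3 -> 2), which is why the walk above records every indirect node it has passed through rather than comparing only against the starting type.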