Version: binutils-2.38 release
Machine: ubuntu 18, 64bit server
Compiler: clang-6.0
Command argument: binutils/nm-new -C ./poc
Bug Type: CWE-674 Uncontrolled Recursion
Crash location: demangle_path_maybe_open_generics(), libiberty/rust-demangle.c:1087
Found by: bjchan...@foxmail.com

Details:
There is an uncontrolled stack recursion vulnerability in binutils-2.38, which allows stack consumption in demangle_path_maybe_open_generics(). To trigger this bug, use the poc file in the attachment and run the following commands:

```
cd binutils-2.38
CC=clang ./configure --disable-shared
./binutils/nm-new -C ./poc
```

The gdb trace is as follows:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
1087	      backref = parse_integer_62 (rdm);
(gdb) bt
#0  0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
#1  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#2  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#3  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#4  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#5  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#6  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#7  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#8  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#9  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#10 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#11 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#12 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
```
Attachment: poc
Description: Binary data
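The defensive pattern that addresses a CWE-674 bug of this shape is a recursion budget carried in the parser state, checked on every nested parse call. The following is an added illustrative example, not libiberty's rust-demangle.c: the toy grammar (letters, or 'B' plus a decimal offset), the struct, the function names and the TOY_MAX_RECURSION limit are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Illustrative state, not libiberty's struct rust_demangler: cursor plus depth counter.  */
struct toy_demangler { const char *sym; size_t pos; unsigned recursion; bool errored; };
#define TOY_MAX_RECURSION 64   /* constructed budget for this example */

/* A toy path is a run of lowercase letters, or a back-reference 'B' plus a
   decimal offset to another path.  Following the reference re-enters the
   parser; without a depth check, a reference that points at itself recurses
   until the stack is exhausted, the CWE-674 pattern in the report above.  */
static void toy_parse_path (struct toy_demangler *d)
{
  /* The mitigation: count nested calls and fail once the budget is spent.  */
  if (++d->recursion > TOY_MAX_RECURSION)
    {
      d->errored = true;
      return;
    }
  if (d->sym[d->pos] == 'B')
    {
      size_t target = 0, saved;
      d->pos++;
      while (d->sym[d->pos] >= '0' && d->sym[d->pos] <= '9')
        target = target * 10 + (d->sym[d->pos++] - '0');
      if (target >= strlen (d->sym))
        d->errored = true;        /* offset outside the symbol */
      else
        {
          saved = d->pos;
          d->pos = target;
          toy_parse_path (d);     /* may point back at this very 'B' */
          d->pos = saved;
        }
    }
  else if (d->sym[d->pos] >= 'a' && d->sym[d->pos] <= 'z')
    while (d->sym[d->pos] >= 'a' && d->sym[d->pos] <= 'z')
      d->pos++;
  else
    d->errored = true;
  d->recursion--;
}
/* Returns true if SYM parses completely within the recursion budget.  */
bool toy_demangle_ok (const char *sym)
{
  struct toy_demangler d = { sym, 0, 0, false };
  while (!d.errored && d.sym[d.pos] != '\0')
    toy_parse_path (&d);
  return !d.errored;
}
```

A self-referencing input such as "aB1" (constructed) fails cleanly after TOY_MAX_RECURSION nested calls instead of faulting; a backward reference like "abcB0" still resolves.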