https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95815
Bug ID: 95815
Summary: Infinite recursive error about "demangle_args" "demangle_nested_args" in libiberty when running cxxfilt
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: ossecurity at iscas dot ac.cn
Target Milestone: ---

Created attachment 48770
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48770&action=edit
crash input of cxxfilt (cxxfilt < ./payload002040)

Hi, developers,

We found an infinite recursion error in cxxfilt (binutils 2.31 and earlier) when demangling malformed inputs (generated by our modified version of AFL). This bug seems to be fixed in 2.32 and has not been reported yet; are there any patches for earlier versions?

Reproduce command:
cxxfilt < payload002040

Compile:
obj-2.31$ ../binutils-2.31/configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld AR=llvm-ar RANLIB=llvm-ranlib CC=clang

We would be grateful for any comments or suggestions.

Best regards,
Ke Yang

==================
Valgrind log (binutils-2.31):

obj-2.31/binutils$ valgrind -- ./cxxfilt < ./payload002040
==24114== Memcheck, a memory error detector
==24114== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24114== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24114== Command: ./cxxfilt
==24114==
__?__aTSY_____]fS __t4__fm4d6666666T66666666666666664]fS __t4__fm4d66676666666T66666666666666664_Z���_ _%�' ���������� 77� _( ( ( (void))))���������������FeFFFFFFF@FFK_(int255_t, ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (void)))))))))))))))))))))))))))@FFK_(int255_t, ( ( ( ( ( ( ( ( (double, ( ( ( ( ( ())))))))))))))))���_ _%�����������������������������
==24114== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24114==
==24114== Process terminating with default action of signal 11 (SIGSEGV)
==24114==  Access not within mapped region at address 0xFFE801FF0
==24114==  Stack overflow in thread #1: can't grow stack to 0xffe801000
==24114==    at 0x497BBA: string_init (cplus-dem.c:4935)
==24114==    by 0x497BBA: do_type (cplus-dem.c:3628)
==24114==  If you believe this happened as a result of a stack
==24114==  overflow in your program's main thread (unlikely but
==24114==  possible), you can try to increase the size of the
==24114==  main thread stack using the --main-stacksize= flag.
==24114==  The main thread stack size used in this run was 8388608.
==24114== Stack overflow in thread #1: can't grow stack to 0xffe801000
==24114==
==24114== Process terminating with default action of signal 11 (SIGSEGV)
==24114==  Access not within mapped region at address 0xFFE801FD8
==24114==  Stack overflow in thread #1: can't grow stack to 0xffe801000
==24114==    at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==24114==  If you believe this happened as a result of a stack
==24114==  overflow in your program's main thread (unlikely but
==24114==  possible), you can try to increase the size of the
==24114==  main thread stack using the --main-stacksize= flag.
==24114==  The main thread stack size used in this run was 8388608.
==24114==
==24114== HEAP SUMMARY:
==24114==     in use at exit: 1,091,324 bytes in 38,796 blocks
==24114==   total heap usage: 39,071 allocs, 275 frees, 1,103,917 bytes allocated
==24114==
==24114== LEAK SUMMARY:
==24114==    definitely lost: 0 bytes in 0 blocks
==24114==    indirectly lost: 0 bytes in 0 blocks
==24114==      possibly lost: 0 bytes in 0 blocks
==24114==    still reachable: 1,091,324 bytes in 38,796 blocks
==24114==         suppressed: 0 bytes in 0 blocks
==24114== Rerun with --leak-check=full to see details of leaked memory
==24114==
==24114== For counts of detected and suppressed errors, rerun with: -v
==24114== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault

GDB log:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff788ab9a in _int_malloc (av=av@entry=0x7ffff7bcdb20 <main_arena>, bytes=bytes@entry=32) at malloc.c:3319
3319	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff788ab9a in _int_malloc (av=av@entry=0x7ffff7bcdb20 <main_arena>, bytes=bytes@entry=32) at malloc.c:3319
#1  0x00007ffff788d184 in __GI___libc_malloc (bytes=32) at malloc.c:2913
#2  0x00000000004bda45 in xmalloc (size=32) at ../../binutils-2.31/libiberty/xmalloc.c:147
#3  0x00000000004a58eb in string_need (s=<optimized out>, n=32) at ../../binutils-2.31/libiberty/cplus-dem.c:4906
#4  string_append (p=<optimized out>, s=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4961
#5  demangle_args (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, declp=0x7fffff7ff100) at ../../binutils-2.31/libiberty/cplus-dem.c:4578
#6  0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#7  do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#8  0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ff230) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#9  0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ff2b0) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#10 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#11 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#12 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ff3e0) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#13 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ff460) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#14 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#15 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#16 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ff590) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#17 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ff610) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#18 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#19 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#20 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ff740) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#21 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ff7c0) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#22 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#23 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#24 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ff8f0) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#25 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ff970) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#26 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#27 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#28 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ffaa0) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#29 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ffb20) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#30 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#31 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#32 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ffc50) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#33 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ffcd0) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#34 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#35 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#36 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7ffe00) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#37 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff7ffe80) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#38 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#39 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#40 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff7fffb0) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
#41 0x00000000004a5a9d in demangle_args (work=0x7fffffffdc30, mangled=<optimized out>, declp=0x7fffff800030) at ../../binutils-2.31/libiberty/cplus-dem.c:4659
#42 0x0000000000498711 in demangle_nested_args (work=0x7fffffffdc30, declp=<optimized out>, mangled=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:4713
#43 do_type (work=<optimized out>, mangled=<optimized out>, result=<optimized out>) at ../../binutils-2.31/libiberty/cplus-dem.c:3719
#44 0x00000000004a646c in do_arg (work=0x7fffffffdc30, mangled=0x7fffffffdbd0, result=0x7fffff800160) at ../../binutils-2.31/libiberty/cplus-dem.c:4332
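The backtrace above repeats the same four-frame cycle, do_type -> demangle_nested_args -> demangle_args -> do_arg -> do_type, once per nesting level of the input, with nothing bounding how deep it goes; the valgrind log names the failure outright ("can't grow stack"), and gdb reports the fault inside _int_malloc only because that happens to be the frame that first touches the exhausted stack. The following is an added example, not code from libiberty, binutils or the reporter: a recursive-descent parser for a nested argument list in the same recursive shape, with the depth guard that chain lacks. The grammar, the MAX_NESTING value and the function names are assumptions chosen for illustration, and the deeply nested input it feeds itself is constructed in the block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed recursion budget for illustration.  Each parse_args frame is a few
   dozen bytes, so 1024 levels stay far below the 8 MiB main-thread stack the
   valgrind log reports; a real limit is tuned to the real frame size. */
#define MAX_NESTING 1024

typedef enum {
    PARSE_OK = 0,
    PARSE_SYNTAX = 1,   /* malformed input */
    PARSE_TOO_DEEP = 2  /* nesting budget exhausted: refuse rather than recurse */
} parse_status;

static int is_ident_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_';
}

static void skip_spaces(const char **p)
{
    while (**p == ' ')
        (*p)++;
}

/* Hypothetical grammar, loosely shaped like a C++ argument list:
 *   args := '(' ')' | '(' arg (',' arg)* ')'
 *   arg  := identifier | args
 * One call consumes one parenthesised group and recurses for each nested
 * group, the same shape as demangle_args -> do_arg -> do_type ->
 * demangle_nested_args in the backtrace.  'depth' is the guard that chain
 * did not have: it is checked before any further frame is pushed. */
static parse_status parse_args(const char **p, int depth, int *groups)
{
    if (depth > MAX_NESTING)
        return PARSE_TOO_DEEP;       /* fail closed instead of overflowing the stack */
    if (**p != '(')
        return PARSE_SYNTAX;
    (*p)++;
    (*groups)++;
    skip_spaces(p);
    if (**p == ')') {                /* empty list "()" */
        (*p)++;
        return PARSE_OK;
    }
    for (;;) {
        skip_spaces(p);
        if (**p == '(') {
            parse_status st = parse_args(p, depth + 1, groups);
            if (st != PARSE_OK)
                return st;           /* propagate TOO_DEEP / SYNTAX all the way up */
        } else if (is_ident_char(**p)) {
            while (is_ident_char(**p))
                (*p)++;
        } else {
            return PARSE_SYNTAX;
        }
        skip_spaces(p);
        if (**p == ',') {
            (*p)++;
            continue;
        }
        if (**p == ')') {
            (*p)++;
            return PARSE_OK;
        }
        return PARSE_SYNTAX;         /* unexpected byte or premature end of input */
    }
}

/* Parse a complete string; *groups receives the number of groups seen. */
parse_status parse_arg_list(const char *s, int *groups)
{
    int g = 0;
    parse_status st = parse_args(&s, 1, &g);
    if (groups)
        *groups = g;
    if (st == PARSE_OK && *s != '\0')
        return PARSE_SYNTAX;         /* trailing bytes after the outer ')' */
    return st;
}

/* Constructed input: "(((...(x)...)))" with n nesting levels.  Caller frees. */
char *make_nested(size_t n)
{
    char *buf = malloc(2 * n + 2);
    if (buf == NULL)
        return NULL;
    memset(buf, '(', n);
    buf[n] = 'x';
    memset(buf + n + 1, ')', n);
    buf[2 * n + 1] = '\0';
    return buf;
}

int main(void)
{
    int groups = 0;
    const char *sample = "(int255_t, (double, (void)))";
    printf("%-32s -> status %d, %d groups\n", sample,
           (int)parse_arg_list(sample, &groups), groups);

    /* An unguarded parser would push 100000 frames here; the guard stops
       at MAX_NESTING + 1 and reports PARSE_TOO_DEEP instead. */
    char *deep = make_nested(100000);
    if (deep != NULL) {
        printf("100000-level input               -> status %d\n",
               (int)parse_arg_list(deep, &groups));
        free(deep);
    }
    return 0;
}
```

The guard is deliberately placed at the top of the recursive function rather than at the call site, so every path into it, including any future caller, pays the check; an alternative with the same effect is to carry the depth in the parser's work state (the equivalent of the `work` pointer in the backtrace) so the signature does not change.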