https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104186

            Bug ID: 104186
           Summary: Stack overflow in demangle_type() -> print_str() in
                    libiberty/rust-demangle.c:869, cxxfilt
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: demangler
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sanjayr at ymail dot com
  Target Milestone: ---

Created attachment 52268
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52268&action=edit
Commandline input for the crash (cxxfilt < PoV)

Hello,
While evaluating our new fuzzer on cxxfilt, we found several stack overflows in
libiberty/rust-demangle.c. This issue is specific to a stack overflow in
demangle_type(), which internally calls a macro PRINT() that unfolds into a
call to print_str(). Looks like the copy operation in this function does
not check the buf length properly.

We compiled the utility (binutils cxxfilt) with ASAN. 

Command line: cxxfilt < input_file (PoV that is attached)

ASan output:

===================================
status:      1
sanitizer:   ASAN
error class: stack-overflow
location:    __interceptor_strlen.part.0 in
/home/xyzz/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:370:31
backtrace:
  #0           46ec57 __interceptor_strlen.part.0 in
/home/xyzz/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:370:31
  #1           857cb1 demangle_type in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:869:7
  #3           853d83 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:747:7
  #4           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #5           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #6           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #7           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #8           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #9           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #10           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #11           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #12           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #13           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #14           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #15           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #16           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #17           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #18           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #19           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #20           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #21           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #22           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #23           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #24           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #25           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #26           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #27           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #28           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
  #29           8542e4 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:774:11
  #30           853e11 demangle_path in
/home/xyzz/MyProject/remote_fuzz_suite/target_src/binutils-gdb/build/libiberty/../../libiberty/rust-demangle.c:751:11
.....
.......

==================================
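As an added illustration (not libiberty code and not the fix applied to rust-demangle.c), here is the defensive pattern for the two issues the report points at: a recursion budget on a self-recursive path parser, so that deeply nested input fails cleanly instead of exhausting the stack, and an output append that checks the remaining buffer before copying. The toy grammar, the MAX_DEPTH value and the function names are all hypothetical.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_DEPTH 64   /* hypothetical recursion budget, not libiberty's value */
struct parser {
  const char *sym; size_t pos;          /* mangled input and read cursor */
  char *out; size_t out_len, out_pos;   /* output buffer, its capacity, bytes used */
  unsigned depth; bool errored;         /* recursion depth; sticky error flag */
};

/* Bounded append: flags an error instead of writing past out_len (a byte is kept for NUL). */
static void print_str(struct parser *p, const char *s, size_t len) {
  if (p->errored || len >= p->out_len - p->out_pos) { p->errored = true; return; }
  memcpy(p->out + p->out_pos, s, len);
  p->out_pos += len;
  p->out[p->out_pos] = '\0';
}

/* ident := non-zero decimal length, then that many bytes: "3foo" -> "foo". */
static void parse_ident(struct parser *p) {
  size_t len = 0;
  if (p->errored || p->sym[p->pos] < '1' || p->sym[p->pos] > '9') { p->errored = true; return; }
  while (p->sym[p->pos] >= '0' && p->sym[p->pos] <= '9' && len < 100000)  /* no wraparound */
    len = len * 10 + (size_t)(p->sym[p->pos++] - '0');
  if (strlen(p->sym + p->pos) < len) { p->errored = true; return; }      /* length runs past end */
  print_str(p, p->sym + p->pos, len);
  p->pos += len;
}

/* path := ident | 'N' path ident. Each 'N' recurses once; only the depth check stops a long run of 'N's. */
static void parse_path(struct parser *p) {
  if (p->errored || ++p->depth > MAX_DEPTH) { p->errored = true; return; }
  if (p->sym[p->pos] == 'N') {
    p->pos++;
    parse_path(p);            /* nested prefix */
    print_str(p, "::", 2);
  }
  parse_ident(p);             /* final component */
  p->depth--;
}

/* True with out filled on success; false, without crashing, on malformed or too-deep input. */
bool demangle(const char *sym, char *out, size_t out_len) {
  struct parser p = { sym, 0, out, out_len, 0, 0, false };
  if (out_len == 0) return false;
  out[0] = '\0';
  parse_path(&p);
  return !p.errored && p.sym[p.pos] == '\0';   /* also reject trailing bytes */
}
```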
