https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107108
Bug ID: 107108
Summary: Uncontrolled stack recursion in rust-demangler.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: demangler
Assignee: unassigned at gcc dot gnu.org
Reporter: bjchan9an at foxmail dot com
Target Milestone: ---
Created attachment 53647
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53647&action=edit
nm-new poc file
There is an uncontrolled stack recursion vulnerability in
libiberty/rust-demangle.c in binutils-2.38, which allows stack consumption in
demangle_path_maybe_open_generics().
To reproduce this bug, build the binutils-2.38 release, use the poc file in the
attachments, and run the following command:
```
nm-new -C ./poc
```
The gdb crash trace is as follows:
```
Program received signal SIGSEGV, Segmentation fault.
0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
1087 backref = parse_integer_62 (rdm);
(gdb) bt
#0 0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
#1 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#2 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#3 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#4 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#5 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#6 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#7 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#8 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#9 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#10 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#11 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#12 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
```
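
The trace shows the same function re-entering itself after reading a back-reference, with nothing bounding the nesting. The following is an added sketch, not code from libiberty or from the reporter, of how a recursive-descent demangler can bound that pattern; the toy grammar, `struct parser`, `toy_demangle` and `MAX_DEPTH` are all hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DEPTH 64            /* assumed nesting limit for this sketch */

struct parser {
    const char *sym;            /* symbol being parsed */
    size_t len, next;           /* input length and read cursor */
    unsigned depth;             /* current back-reference nesting */
    int errored;                /* sticky error flag */
    char out[128];              /* output buffer */
    size_t out_len;
};

/* Toy grammar (constructed): a lowercase letter is a path segment;
   'B' followed by one digit is a back-reference to that absolute offset. */
static void parse_path(struct parser *p)
{
    if (p->errored || p->next >= p->len) { p->errored = 1; return; }
    char c = p->sym[p->next++];
    if (c >= 'a' && c <= 'z') {
        if (p->out_len + 1 < sizeof p->out) p->out[p->out_len++] = c;
        else p->errored = 1;
        return;
    }
    if (c == 'B' && p->next < p->len
        && p->sym[p->next] >= '0' && p->sym[p->next] <= '9') {
        size_t target = (size_t)(p->sym[p->next++] - '0');
        /* Guard: reject out-of-range targets and bound the nesting depth,
           so a reference cycle becomes a parse error, not a stack overflow. */
        if (target >= p->len || p->depth >= MAX_DEPTH) { p->errored = 1; return; }
        size_t saved = p->next;
        p->next = target;
        p->depth++;
        parse_path(p);          /* recursion is now bounded by MAX_DEPTH */
        p->depth--;
        p->next = saved;
        return;
    }
    p->errored = 1;
}

/* Returns 0 and writes a NUL-terminated string on success, -1 on bad input. */
int toy_demangle(const char *sym, char *out, size_t out_size)
{
    struct parser p = { .sym = sym, .len = strlen(sym) };
    while (!p.errored && p.next < p.len) parse_path(&p);
    if (p.errored || p.out_len >= out_size) return -1;
    memcpy(out, p.out, p.out_len);
    out[p.out_len] = '\0';
    return 0;
}
```

Without the `p->depth >= MAX_DEPTH` check, a back-reference that resolves to itself would recurse until the stack is exhausted, which is the failure mode the backtrace above shows.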