`demangle_const` causes infinite recursion and stack overflow
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
binutils |
New
|
Medium
|
|||
binutils (Ubuntu) |
Confirmed
|
Medium
|
Unassigned |
Bug Description
Original Post: `https:/
The bug is similar to CVE-2021-3530, which was reported here: `https:/
Commit: `e84412c6a3c3ee
The simplified PoC:
$ echo _RYAbB2_ | ./binutils/cxxfilt
Segmentation fault
Root Cause Analysis:
1. In `rust_demangle_
2. Next char 'Y' causes `demangle_type` to be called[4] in a switch-case branch, with `rdm.next == 1`.
3. Next char 'A' causes `demangle_type` to be called first[5] to consume char 'b', then `demangle_const` is called[6] with `rdm.next == 3`.
4. Next char 'B' is consumed[7], and "2_" is parsed as `integer_62`[8] to be value 3, and this vlaue is assigned to `rdm.next`, then `demangle_const` is called recursively[9]. However, currently the situation is `rdm.next == 3` again, which is exactly same as last call to `demangle_const`, and this causes infinite recursion.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
[7] https:/
[8] https:/
[9] https:/
Possible Fix:
The infinite recursion check added in this [commit](https:/
Changed in binutils: | |
importance: | Unknown → Medium |
status: | Unknown → New |
Changed in binutils (Ubuntu): | |
status: | New → Confirmed |
Changed in binutils (Ubuntu): | |
importance: | Undecided → Medium |
Created attachment 52721
output.txt is output of ASAN, and inf-recursion is the poc
At commit `b8e92c571baed4 e794bd62b7bf417 fa8bbaf5c95` of `binutils-gdb`, the given poc can produces crash on `cxxfilt`:
build2/ binutils/ cxxfilt < inf-recursion