bug-binutils

[Bug binutils/23177] New: Stack Overflow in nm-new


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/23177] New: Stack Overflow in nm-new
Date: Sun, 13 May 2018 08:12:17 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23177

            Bug ID: 23177
           Summary: Stack Overflow in nm-new
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 11015
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11015&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit, and binutils was checked out from the main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
68e91e42492551e165b103d819c021c4953da10b (April 14 2018).


To reproduce:

Compile binutils with ASAN enabled

CC=gcc-6 CXX=g++-6 CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all \
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" \
CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb \
--disable-libdecnumber --disable-readline --disable-sim

Download the attached file - crash_4
nm-new -C crash_4

Valgrind says:

==49727== Memcheck, a memory error detector
==49727== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==49727== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==49727== Command: ../binutils-gdb/binutils/nm-new -C crash_4
==49727== 
==49727== Stack overflow in thread #1: can't grow stack to 0xffe801000
==49727== 
==49727== Process terminating with default action of signal 11 (SIGSEGV)
==49727==  Access not within mapped region at address 0xFFE801FD8
==49727== Stack overflow in thread #1: can't grow stack to 0xffe801000
==49727==    at 0x7B5638: string_need (cplus-dem.c:4900)
==49727==    by 0x7B5638: string_append (cplus-dem.c:4961)
==49727==    by 0x7B5638: demangle_args (cplus-dem.c:4578)
==49727==  If you believe this happened as a result of a stack
==49727==  overflow in your program's main thread (unlikely but
==49727==  possible), you can try to increase the size of the
==49727==  main thread stack using the --main-stacksize= flag.
==49727==  The main thread stack size used in this run was 8388608.
==49727== Stack overflow in thread #1: can't grow stack to 0xffe801000
==49727== 
==49727== Process terminating with default action of signal 11 (SIGSEGV)
==49727==  Access not within mapped region at address 0xFFE801FD0
==49727== Stack overflow in thread #1: can't grow stack to 0xffe801000
==49727==    at 0x4A28680: _vgnU_freeres (in
/usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==49727==  If you believe this happened as a result of a stack
==49727==  overflow in your program's main thread (unlikely but
==49727==  possible), you can try to increase the size of the
==49727==  main thread stack using the --main-stacksize= flag.
==49727==  The main thread stack size used in this run was 8388608.


ASAN says:

ASAN:DEADLYSIGNAL
=================================================================
==49728==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5da2ee68 (pc
0x7fdfe8646eb6 bp 0x7ffc5da2f6f0 sp 0x7ffc5da2ee70 T0)
    #0 0x7fdfe8646eb5  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3ceb5)
    #1 0x82c4e2 in string_append cplus-dem.c:4960
    #2 0x827ec5 in demangle_args cplus-dem.c:4578
    #3 0x82907a in demangle_nested_args cplus-dem.c:4713
    #4 0x81f894 in do_type cplus-dem.c:3719
    #5 0x8257c5 in do_arg cplus-dem.c:4332
    #6 0x8288d4 in demangle_args cplus-dem.c:4659
    #7 0x82907a in demangle_nested_args cplus-dem.c:4713
    #8 0x81f894 in do_type cplus-dem.c:3719
    #9 0x8257c5 in do_arg cplus-dem.c:4332
    #10 0x8288d4 in demangle_args cplus-dem.c:4659
    #11 0x82907a in demangle_nested_args cplus-dem.c:4713
    #12 0x81f894 in do_type cplus-dem.c:3719
    #13 0x8257c5 in do_arg cplus-dem.c:4332
    #14 0x8288d4 in demangle_args cplus-dem.c:4659
    #15 0x82907a in demangle_nested_args cplus-dem.c:4713
    #16 0x81f894 in do_type cplus-dem.c:3719
    #17 0x8257c5 in do_arg cplus-dem.c:4332
    #18 0x8288d4 in demangle_args cplus-dem.c:4659
    #19 0x82907a in demangle_nested_args cplus-dem.c:4713
    #20 0x81f894 in do_type cplus-dem.c:3719
    #21 0x8257c5 in do_arg cplus-dem.c:4332
    #22 0x8288d4 in demangle_args cplus-dem.c:4659
    #23 0x82907a in demangle_nested_args cplus-dem.c:4713
    #24 0x81f894 in do_type cplus-dem.c:3719

...

Regards,

Thuan

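The ASAN backtrace above is the signature of unbounded recursion rather than a single oversized frame: the same four demangler functions (demangle_args, demangle_nested_args, do_type, do_arg) repeat until the 8 MiB main-thread stack is exhausted. When triaging a batch of fuzzer crashes it helps to detect that pattern automatically. The following Python is an added triage helper, not part of this report or of binutils: it parses the sanitizer frames quoted in the report, finds the shortest repeating run of function names, and reports the recursive cycle together with the frame where the overflow was actually triggered. The trace text is copied from the report; the function names, the regular expression and the `min_repeats` threshold are my own choices.

```python
import re

# Input: the AddressSanitizer frames quoted in the bug report above.
# Frame #0 is inside libasan and carries no symbol or source location.
ASAN_TRACE = """\
==49728==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5da2ee68 (pc
0x7fdfe8646eb6 bp 0x7ffc5da2f6f0 sp 0x7ffc5da2ee70 T0)
    #0 0x7fdfe8646eb5  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3ceb5)
    #1 0x82c4e2 in string_append cplus-dem.c:4960
    #2 0x827ec5 in demangle_args cplus-dem.c:4578
    #3 0x82907a in demangle_nested_args cplus-dem.c:4713
    #4 0x81f894 in do_type cplus-dem.c:3719
    #5 0x8257c5 in do_arg cplus-dem.c:4332
    #6 0x8288d4 in demangle_args cplus-dem.c:4659
    #7 0x82907a in demangle_nested_args cplus-dem.c:4713
    #8 0x81f894 in do_type cplus-dem.c:3719
    #9 0x8257c5 in do_arg cplus-dem.c:4332
    #10 0x8288d4 in demangle_args cplus-dem.c:4659
    #11 0x82907a in demangle_nested_args cplus-dem.c:4713
    #12 0x81f894 in do_type cplus-dem.c:3719
    #13 0x8257c5 in do_arg cplus-dem.c:4332
    #14 0x8288d4 in demangle_args cplus-dem.c:4659
    #15 0x82907a in demangle_nested_args cplus-dem.c:4713
    #16 0x81f894 in do_type cplus-dem.c:3719
    #17 0x8257c5 in do_arg cplus-dem.c:4332
    #18 0x8288d4 in demangle_args cplus-dem.c:4659
    #19 0x82907a in demangle_nested_args cplus-dem.c:4713
    #20 0x81f894 in do_type cplus-dem.c:3719
    #21 0x8257c5 in do_arg cplus-dem.c:4332
    #22 0x8288d4 in demangle_args cplus-dem.c:4659
    #23 0x82907a in demangle_nested_args cplus-dem.c:4713
    #24 0x81f894 in do_type cplus-dem.c:3719
"""

# Matches symbolised ASAN frames of the form "#N 0xADDR in func file:line".
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+):(\d+)\s*$", re.M
)


def parse_frames(trace):
    """Return [(function, file, line)] for every frame that has a source location."""
    return [(m.group(2), m.group(3), int(m.group(4))) for m in FRAME_RE.finditer(trace)]


def find_cycle(funcs, min_repeats=3):
    """Find the shortest run of function names that repeats at least min_repeats
    times back to back, searching from the innermost frame outwards.

    Returns (start_index, period, repeats) or None when no such run exists.
    """
    n = len(funcs)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            tail = n - start
            # Every element of the tail must equal the element one period later.
            if all(funcs[start + i] == funcs[start + i + period] for i in range(tail - period)):
                return start, period, tail // period
    return None


def summarize(trace, min_repeats=3):
    """Classify a sanitizer trace: is it unbounded recursion, and through which functions?"""
    frames = parse_frames(trace)
    hit = find_cycle([f for f, _, _ in frames], min_repeats)
    if hit is None:
        return {"recursive": False, "frames": len(frames)}
    start, period, repeats = hit
    cycle = frames[start:start + period]
    return {
        "recursive": True,
        "frames": len(frames),
        # The mutually recursive functions, innermost first, with file:line.
        "cycle": [f"{fn} ({path}:{line})" for fn, path, line in cycle],
        # Repeats visible in the quoted frames only; the real depth is far larger.
        "repeats": repeats,
        # The leaf frame that finally touched the guard page.
        "trigger": f"{frames[0][0]} ({frames[0][1]}:{frames[0][2]})",
    }


if __name__ == "__main__":
    for key, value in summarize(ASAN_TRACE).items():
        print(f"{key}: {value}")
```

Run against the quoted frames it reports a four-function cycle starting at demangle_args, repeated five times within the 24 symbolised frames, with string_append as the leaf that faulted. The repeat count is a lower bound: the report truncates the trace with "...", and an 8 MiB stack holds far more than five rounds of these frames. A cycle with three or more repeats is a reliable hint that the right fix is a recursion or nesting depth limit in the parser rather than a change to the leaf function that happens to fault.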

