bug-binutils

Report a bug of binutils-2.38


From: bjchan9an
Subject: Report a bug of binutils-2.38
Date: Fri, 30 Sep 2022 21:52:41 +0800

Version: binutils-2.38 release
Machine: ubuntu 18, 64bit server
Compiler: clang-6.0
Command argument: binutils/nm-new -C ./poc
Bug Type: CWE-674 Uncontrolled Recursion
Crash location: demangle_path_maybe_open_generics(), libiberty/rust-demangle.c:1087
Found by: bjchan9an@foxmail.com
Details: 

There is an uncontrolled stack recursion vulnerability in binutils-2.38, which allows stack consumption in demangle_path_maybe_open_generics(). 

To trigger this bug, use the poc file in the attachment and run the following commands:

```
cd binutils-2.38
CC=clang ./configure --disable-shared
# build the tree so that binutils/nm-new exists
make
./binutils/nm-new -C ./poc
```

The gdb trace is as follows:
```
Program received signal SIGSEGV, Segmentation fault.
0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
1087       backref = parse_integer_62 (rdm);
(gdb) bt
#0  0x00000000005f2a2d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1087
#1  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#2  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#3  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#4  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#5  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#6  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#7  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#8  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#9  0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#10 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#11 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
#12 0x00000000005f2a6d in demangle_path_maybe_open_generics (rdm=0x7fffffffe0b8) at ../../libiberty/rust-demangle.c:1092
```

Attachment: poc
Description: Binary data
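
As an illustration of the bug class named in the report (CWE-674), and not code from the report or from libiberty, the following added C sketch parses a constructed toy grammar with backreferences and bounds recursion with a depth counter kept in the parser state. The grammar, `parse_path`, `parse_symbol` and the `MAX_DEPTH` value are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>

#define MAX_DEPTH 1024  /* assumed cap, chosen for this sketch */
struct parser {
    const char *sym;    /* input bytes */
    size_t len, next;   /* input length and read cursor */
    unsigned depth;     /* live recursion depth */
};

/* Toy grammar, constructed here (not Rust v0 mangling):
 *   path := 'P' path path | 'B' digit | 'x'
 * where 'B' digit re-parses the path at that absolute offset. */
static int parse_path(struct parser *p)
{
    if (p->depth >= MAX_DEPTH || p->next >= p->len)
        return 0;       /* too deep or truncated: fail instead of recursing */
    p->depth++;
    size_t at = p->next;
    char c = p->sym[p->next++];
    int ok = (c == 'x');
    if (c == 'P') {
        ok = parse_path(p) && parse_path(p);
    } else if (c == 'B' && p->next < p->len
               && isdigit((unsigned char)p->sym[p->next])) {
        size_t target = (size_t)(p->sym[p->next++] - '0');
        size_t resume = p->next;
        if (target < at) {  /* earlier offsets only; does not rule out cycles */
            p->next = target;
            ok = parse_path(p);
            p->next = resume;
        }
    }
    p->depth--;
    return ok;
}

int parse_symbol(const char *sym, size_t len)  /* 1 = well formed, 0 = rejected */
{
    struct parser p = { sym, len, 0, 0 };
    return parse_path(&p) && p.next == len;
}

int main(void)
{
    /* Constructed inputs: a plain backref, then one inside the path it names. */
    printf("%d %d\n", parse_symbol("PxB1", 4), parse_symbol("PB0x", 4));
    return 0;
}
```

In this toy grammar the "earlier offset" check alone still admits a backreference that sits inside the path it points to, so the depth counter is what turns unbounded recursion into a clean parse failure.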

