Bug 1645958 (CVE-2018-18484)

Summary: CVE-2018-18484 binutils: Stack exhaustion in cp-demangle.c allows for denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, dbaker, dvlasenk, erik-fedora, fweimer, jakub, jokerman, kanderso, klember, mcermak, mnewsome, mpolacek, nickc, ohudlick, rjones, sfowler, sthangav, trankin, virt-maint, yselkowi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-25 22:21:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1645962, 1645964, 1645967, 1645968, 1650647, 1654030, 1654031
Bug Blocks: 1647427

Description Sam Fowler 2018-11-05 05:14:45 UTC
An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.


Upstream Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

Comment 1 Sam Fowler 2018-11-05 05:20:32 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1645962]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1645964]

Comment 9 Scott Gayou 2018-11-16 17:35:39 UTC
Reproduces consistently on RHEL.

Comment 10 Scott Gayou 2018-11-16 18:42:58 UTC
So, this "flaw" seems to be duplicated many times upstream. See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636. Lots of people are running afl and reporting variations on what looks like the exact same root issue, but sometimes with slightly different call flows. Hard to say that the issues are all the same root cause without attempting a recursion limit and re-testing all of the AFL test cases, but I suspect they are.

See Michael Matz's reply here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675. This does at least seem like a very low importance Denial of Service flaw, so I think letting the maintainers decide is at least warranted.

Comment 11 Scott Gayou 2018-11-16 21:37:18 UTC
After doing a bit more analysis, the cause of this seems to be that they don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit different, so I will continue treating these issues as different unless other information comes to light. I was debating whether or not to mark these all as a duplicate generic issue.
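The recursion cap that comment 11 and the description point to, shown as an added example (hypothetical toy code, not libiberty's): the three mutually recursive functions named in the report are modelled on a tiny grammar subset, with a depth counter so that pathologically nested input fails cleanly instead of exhausting the stack. The grammar subset and the limit value are assumptions for this example.

```c
#include <stdbool.h>
/* Toy demangler (hypothetical, not libiberty code) modelling the mutual
 * recursion named in the report, type -> function-type ->
 * bare-function-type -> type, plus the missing piece: a recursion cap.
 * Grammar subset: type ::= 'i' | 'c' | 'v' | 'P' type | 'F' type+ 'E' */
#define DEMANGLE_DEPTH_LIMIT 32   /* assumed; a real cap would be far larger */

struct d_info { const char *s; int depth; };  /* cursor and current depth */
static bool d_type(struct d_info *di);

static bool d_bare_function_type(struct d_info *di)
{
    if (!d_type(di))                          /* return type */
        return false;
    while (*di->s && *di->s != 'E')           /* parameter types until 'E' */
        if (!d_type(di))
            return false;
    return true;
}

/* 'F' bare-function-type 'E'; on a mismatch the parse fails, so advancing
 * the cursor past the offending character is harmless. */
static bool d_function_type(struct d_info *di)
{
    return *di->s++ == 'F' && d_bare_function_type(di) && *di->s++ == 'E';
}

static bool d_type(struct d_info *di)
{
    bool ok;
    /* The cap: every nesting level costs a stack frame in the real demangler,
     * so deeply nested input must fail cleanly rather than exhaust the stack. */
    if (++di->depth > DEMANGLE_DEPTH_LIMIT)
        return false;
    switch (*di->s) {
    case 'i': case 'c': case 'v': di->s++; ok = true;       break;
    case 'P':                     di->s++; ok = d_type(di); break;
    case 'F':                     ok = d_function_type(di); break;
    default:                      ok = false;               break;
    }
    di->depth--;
    return ok;
}

/* True if the whole string parses within the depth limit. */
bool demangle_ok(const char *mangled)
{
    struct d_info di = { mangled, 0 };
    return d_type(&di) && *di.s == '\0';
}
```

Because every recursive path passes through d_type, a single counter there bounds the whole mutually recursive cluster.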

Comment 12 Sam Fowler 2018-11-18 23:47:53 UTC
(In reply to Scott Gayou from comment #11)
> After doing a bit more analysis, the cause of this seems to be that they
> don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit
> different, so I will continue treating these issues as different unless
> other information comes to light. I was debating whether or not to mark
> these all as a duplicate generic issue.

Maybe it's worth considering sharing this with upstream. If upstream agree, we can then reject the duplicate assignments.

Comment 13 Scott Gayou 2018-11-27 19:43:30 UTC
Good call. I posted a message upstream.