Summary: CVE-2018-18484 binutils: Stack exhaustion in cp-demangle.c allows for denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
Version: unspecified
CC: abhgupta, dbaker, dvlasenk, erik-fedora, fweimer, jakub, jokerman, kanderso, klember, ktietz, law, mcermak, mnewsome, mpolacek, nickc, ohudlick, rjones, sfowler, sthangav, trankin, virt-maint, yselkowi
Bug Depends On: 1645962, 1645964, 1645967, 1645968, 1650647, 1654030, 1654031
Description Sam Fowler 2018-11-05 05:14:45 UTC
An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.

Upstream Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
Comment 1 Sam Fowler 2018-11-05 05:20:32 UTC
Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 1645962]

Created mingw-binutils tracking bugs for this issue:
Affects: epel-all [bug 1645964]
Comment 9 Scott Gayou 2018-11-16 17:35:39 UTC
Reproduces consistently on RHEL.
Comment 10 Scott Gayou 2018-11-16 18:42:58 UTC
So, this "flaw" seems to be duplicated many times upstream. See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636. Lots of people are running afl and reporting variations on what looks like the exact same root issue, but sometimes with slightly different call flows. Hard to say that the issues are all the same root cause without attempting a recursion limit and re-testing all of the AFL test cases, but I suspect they are. See Michael Matz's reply here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675. This does at least seem like a very low importance Denial of Service flaw, so I think letting the maintainers decide is at least warranted.
Comment 11 Scott Gayou 2018-11-16 21:37:18 UTC
After doing a bit more analysis, the cause of this seems to be that they don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit different, so I will continue treating these issues as different unless other information comes to light. I was debating whether or not to mark these all as a duplicate generic issue.
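Added example, not code from this bug or from libiberty: a constructed C sketch of the pattern Comment 11 describes, a pair of mutually recursive type parsers whose nesting depth is bounded, so pathological input gets a clean error instead of exhausting the stack. The toy grammar, MAX_DEPTH and demangle_check() are assumptions, not the real demangler's.

```c
#include <string.h>

/* Constructed toy grammar, loosely shaped like the nested types a C++
 * demangler walks (not libiberty's real grammar):
 *   type := 'i' | 'P' type | 'F' type 'E'
 * parse_type() and parse_function_type() recurse into each other the way
 * the cplus_demangle_type -> d_function_type -> d_bare_function_type
 * cycle in the bug does, so every nested 'P' or 'F' costs a stack frame. */

#define MAX_DEPTH 64            /* constructed cap; upstream's may differ */

struct parser {
    const char *p;              /* cursor into the mangled string */
    int depth, exhausted;       /* nesting depth; set when the cap is hit */
};

static int parse_type(struct parser *ps);

/* 'F' <type> 'E': uncapped, this nests as deep as untrusted input is long. */
static int parse_function_type(struct parser *ps)
{
    ps->p++;                                    /* consume 'F' */
    if (!parse_type(ps) || *ps->p != 'E')
        return 0;
    ps->p++;                                    /* consume 'E' */
    return 1;
}

static int parse_type(struct parser *ps)
{
    int ok;
    if (++ps->depth > MAX_DEPTH) {              /* the mitigation */
        ps->exhausted = 1;
        return 0;
    }
    switch (*ps->p) {
    case 'i': ps->p++; ok = 1; break;
    case 'P': ps->p++; ok = parse_type(ps); break;
    case 'F': ok = parse_function_type(ps); break;
    default:  ok = 0; break;
    }
    ps->depth--;
    return ok;
}

/* 1 = parsed, 0 = malformed, -1 = nesting cap hit (instead of crashing). */
int demangle_check(const char *mangled)
{
    struct parser ps = { mangled, 0, 0 };
    int ok = parse_type(&ps);
    return ps.exhausted ? -1 : (ok && *ps.p == '\0');
}
```

A real fix also has to reset the counter per top-level call and apply it on every recursive path, not just the one a given fuzzer test case happened to hit.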
Comment 12 Sam Fowler 2018-11-18 23:47:53 UTC
(In reply to Scott Gayou from comment #11)
> After doing a bit more analysis, the cause of this seems to be that they
> don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit
> different, so I will continue treating these issues as different unless
> other information comes to light. I was debating whether or not to mark
> these all as a duplicate generic issue.

Maybe it's worth considering sharing this with upstream. If upstream agree, we can then reject the duplicate assignments.
Comment 13 Scott Gayou 2018-11-27 19:43:30 UTC
Good call. I posted a message upstream.