Bug 1680657 (CVE-2019-9071)
Field | Value | Field | Value
---|---|---|---
Summary | CVE-2019-9071 binutils: stack consumption in function d_count_templates_scopes in cp-demangle.c | |
Product | [Other] Security Response | Reporter | Dhananjay Arunesh <darunesh>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED WONTFIX | QA Contact |
Severity | low | Docs Contact |
Priority | low | |
Version | unspecified | CC | abhgupta, aoliva, dbaker, dvlasenk, fweimer, jakub, jokerman, law, mprchlik, nickc, ohudlick, sthangav, trankin
Target Milestone | --- | Keywords | Security
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2019-06-10 10:48:48 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 1680658, 1691113 | |
Bug Blocks | 1680680 | |
Description
Dhananjay Arunesh
2019-02-25 13:24:32 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680658]

Text from CVE-2019-9071 was copied here by mistake. The correct summary and reference are as follows (as taken from NIST):

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.

Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394

Recurses inside d_count_templates_scopes for a very long time. I upped the stack size dramatically and never got it to finish without segfaulting.

```
4124     recurse_left_right:
>4125      d_count_templates_scopes (num_templates, num_scopes,
4126                                 d_left (dc));
4127       d_count_templates_scopes (num_templates, num_scopes,
4128                                 d_right (dc));
4129       break;
```

Here's dc contents:

```
(gdb) print dc
$1 = (const struct demangle_component *) 0x7fffffffdce0
(gdb) print *dc
$2 = {type = DEMANGLE_COMPONENT_TYPED_NAME, d_printing = 0, u = {
    s_name = {s = 0x7fffffffdad0 "", len = -9016},
    s_operator = {op = 0x7fffffffdad0},
    s_extended_operator = {args = -9520, name = 0x7fffffffdcc8},
    s_fixed = {length = 0x7fffffffdad0, accum = -9016, sat = -1},
    s_ctor = {kind = 4294957776, name = 0x7fffffffdcc8},
    s_dtor = {kind = 4294957776, name = 0x7fffffffdcc8},
    s_builtin = {type = 0x7fffffffdad0},
    s_string = {string = 0x7fffffffdad0 "", len = -9016},
    s_number = {number = 140737488345808},
    s_character = {character = -9520},
    s_binary = {left = 0x7fffffffdad0, right = 0x7fffffffdcc8},
    s_unary_num = {sub = 0x7fffffffdad0, num = -9016}}}
```

len = -9016. Wondering if we're getting an overflow/underflow somewhere here leading to the large recursion.

(In reply to Scott Gayou from comment #5)

Hi Scott,

> $2 = {type = DEMANGLE_COMPONENT_TYPED_NAME, d_printing = 0, u = {s_name = {s
> = 0x7fffffffdad0 "", len = -9016},
> len = -9016. Wondering if we're getting an overflow/underflow somewhere here
> leading to the large recursion.

Actually that is a red herring. The len field is only used in some of the entries in the demangle_component union, and in particular it is not used for entries that need left/right recursion.

I think that the actual problem is that the testcase is just pathological. It is encoded as if it had a ridiculously large number of nested templates. I have proposed a patch on the gcc mailing list, which I hope will be accepted:

https://gcc.gnu.org/ml/gcc-patches/2019-03/msg01048.html

If this goes in (to the FSF gcc sources) then I will copy it to Fedora rawhide.

Oh - just to be clear - I mean that I will copy it into the rawhide binutils, not the rawhide gcc. I will leave updating gcc to the gcc maintainers.
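The reply above pins the crash on a tree walker that recurses once per nested template with nothing bounding the depth, so an attacker-chosen mangled name decides how much thread stack gets consumed. The C program below is an added example written for this page; it is not libiberty's code and does not reproduce the patch linked above. It models the left/right recursion of d_count_templates_scopes on a tiny component tree and shows the two mitigations a practitioner would reach for: a depth cap that fails the walk cleanly instead of overflowing the stack, and an iterative walk over an explicit heap-allocated stack whose depth is bounded by memory rather than by the thread stack. Every name here (struct node, count_bounded, count_iterative, MAX_DEPTH, make_template_chain and the helpers) is hypothetical, and the input is a constructed chain of template nodes standing in for the pathological nested-template encoding, not a real mangled name.

```c
/* Added example, not libiberty's code.  A minimal component tree shaped
   like the demangler's left/right recursion, plus two walkers that cannot
   be driven into stack exhaustion by an arbitrarily deep input. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

enum node_type { NODE_NAME, NODE_TEMPLATE, NODE_SCOPE };

struct node {                 /* hypothetical stand-in for demangle_component */
    enum node_type type;
    struct node *left;
    struct node *right;
};

struct counts {
    long templates;
    long scopes;
    int truncated;            /* set when the bounded walker gave up */
};

#define MAX_DEPTH 1024        /* hypothetical cap, chosen for illustration */

static void tally(const struct node *n, struct counts *c)
{
    if (n->type == NODE_TEMPLATE) c->templates++;
    else if (n->type == NODE_SCOPE) c->scopes++;
}

/* Mitigation 1: recursive walk with a hard depth limit.  Returns 0 on
   success, -1 (and sets c->truncated) when the input is deeper than we are
   willing to recurse; the caller treats that as a demangling failure. */
int count_bounded(const struct node *n, struct counts *c, int depth)
{
    if (n == NULL) return 0;
    if (depth >= MAX_DEPTH) { c->truncated = 1; return -1; }
    tally(n, c);
    if (count_bounded(n->left, c, depth + 1) != 0) return -1;
    return count_bounded(n->right, c, depth + 1);
}

/* Mitigation 2: same traversal with an explicit stack on the heap, so a deep
   input costs heap memory (which fails gracefully) rather than thread stack. */
int count_iterative(const struct node *root, struct counts *c)
{
    size_t cap = 64, top = 0;
    const struct node **stack = malloc(cap * sizeof *stack);
    if (stack == NULL) return -1;
    if (root != NULL) stack[top++] = root;
    while (top > 0) {
        const struct node *n = stack[--top];
        tally(n, c);
        if (top + 2 > cap) {                    /* room for both children */
            const struct node **grown = realloc(stack, 2 * cap * sizeof *stack);
            if (grown == NULL) { free(stack); return -1; }
            stack = grown;
            cap *= 2;
        }
        if (n->right != NULL) stack[top++] = n->right;
        if (n->left != NULL) stack[top++] = n->left;   /* visit left first */
    }
    free(stack);
    return 0;
}

/* The chain only links through `left`, so it can be freed with a loop. */
void free_chain(struct node *n)
{
    while (n != NULL) { struct node *next = n->left; free(n); n = next; }
}

/* Constructed input: `depth` template nodes nested through `left`, the
   shape a name encoded with a huge number of nested templates produces. */
struct node *make_template_chain(size_t depth)
{
    struct node *head = NULL;
    for (size_t i = 0; i < depth; i++) {
        struct node *n = calloc(1, sizeof *n);
        if (n == NULL) { free_chain(head); return NULL; }
        n->type = NODE_TEMPLATE;
        n->left = head;
        head = n;
    }
    return head;
}

/* Template count for a chain of the given depth, or -1 if the walk refused. */
long bounded_count_for_depth(size_t depth)
{
    struct node *root = make_template_chain(depth);
    struct counts c = {0, 0, 0};
    int rc = count_bounded(root, &c, 0);
    free_chain(root);
    return rc == 0 ? c.templates : -1;
}

long iterative_count_for_depth(size_t depth)
{
    struct node *root = make_template_chain(depth);
    struct counts c = {0, 0, 0};
    int rc = count_iterative(root, &c);
    free_chain(root);
    return rc == 0 ? c.templates : -1;
}

int main(void)
{
    printf("bounded,   depth 100:    %ld\n", bounded_count_for_depth(100));
    printf("bounded,   depth %d:   %ld\n", MAX_DEPTH + 1, bounded_count_for_depth(MAX_DEPTH + 1));
    printf("iterative, depth 200000: %ld\n", iterative_count_for_depth(200000));
    return 0;
}
```

The depth cap is the cheaper change and is what one would expect in a parser that must keep its recursive structure, but it turns a legitimate, merely deep input into a failure; the explicit-stack form keeps accepting such inputs and only fails when allocation does. Either way the property that matters is that the input string no longer controls how much of the thread stack is consumed.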