An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls. Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1680658]
Text from CVE-2019-9071 was copied here by mistake. The correct summary and reference are as follows: (as taken from NIST) An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls. Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394
Recurses inside d_count_templates_scopes for a very long time. I upped the stack size dramatically and never got it to finish without segfaulting.

```
     4124 recurse_left_right:
  >  4125   d_count_templates_scopes (num_templates, num_scopes,
     4126                             d_left (dc));
     4127   d_count_templates_scopes (num_templates, num_scopes,
     4128                             d_right (dc));
     4129   break;
```
Here's dc contents:

```
(gdb) print dc
$1 = (const struct demangle_component *) 0x7fffffffdce0
(gdb) print *dc
$2 = {type = DEMANGLE_COMPONENT_TYPED_NAME, d_printing = 0, u = {
    s_name = {s = 0x7fffffffdad0 "", len = -9016},
    s_operator = {op = 0x7fffffffdad0},
    s_extended_operator = {args = -9520, name = 0x7fffffffdcc8},
    s_fixed = {length = 0x7fffffffdad0, accum = -9016, sat = -1},
    s_ctor = {kind = 4294957776, name = 0x7fffffffdcc8},
    s_dtor = {kind = 4294957776, name = 0x7fffffffdcc8},
    s_builtin = {type = 0x7fffffffdad0},
    s_string = {string = 0x7fffffffdad0 "", len = -9016},
    s_number = {number = 140737488345808},
    s_character = {character = -9520},
    s_binary = {left = 0x7fffffffdad0, right = 0x7fffffffdcc8},
    s_unary_num = {sub = 0x7fffffffdad0, num = -9016}}}
```

len = -9016. Wondering if we're getting an overflow/underflow somewhere here leading to the large recursion.
(In reply to Scott Gayou from comment #5)

Hi Scott,

> $2 = {type = DEMANGLE_COMPONENT_TYPED_NAME, d_printing = 0, u = {s_name = {s
> = 0x7fffffffdad0 "", len = -9016},

> len = -9016. Wondering if we're getting an overflow/underflow somewhere here
> leading to the large recursion.

Actually that is a red herring. The len field is only used in some of the entries in the demangle_component union, and in particular it is not used for entries that need left/right recursion.

I think that the actual problem is that the testcase is just pathological. It is encoded as if it had a ridiculously large number of nested templates.

I have proposed a patch on the gcc mailing list, which I hope will be accepted: https://gcc.gnu.org/ml/gcc-patches/2019-03/msg01048.html

If this goes in (to the FSF gcc sources) then I will copy it to Fedora rawhide.
Oh - just to be clear - I mean that I will copy it into the rawhide binutils, not the rawhide gcc. I will leave updating gcc to the gcc maintainers.
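The failure mode discussed in comments #5 and #6 (a left/right recursive walk whose stack depth is dictated by how deeply the input nests templates) is easier to see on a small model. The following is an added illustration, not libiberty, binutils or gcc code and not the patch proposed above: a toy component tree with the same left/right shape as demangle_component's s_binary, the naive walk that mirrors the recurse_left_right case in the gdb listing, and a depth-bounded variant that rejects the input instead of exhausting the stack. All toy_* names and the TOY_MAX_DEPTH value are hypothetical; the depth limit is one generic mitigation for this class of bug and is not a claim about what the proposed patch does.

```c
/* Added example (not libiberty/binutils code): toy tree walk that mimics the
   left/right recursion of d_count_templates_scopes, plus a depth-bounded
   version that fails cleanly. All toy_* names and the limit are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum toy_type { TOY_TEMPLATE, TOY_SCOPE, TOY_OTHER };

struct toy_component {
    enum toy_type type;
    struct toy_component *left;
    struct toy_component *right;
};

/* Hypothetical nesting limit; a real demangler would size this to what the
   stacks of its callers (linkers, debuggers, nm, objdump, ...) tolerate. */
#define TOY_MAX_DEPTH 1024

/* Naive walk, shaped like the recurse_left_right case: every nested node adds
   a stack frame, so an input encoded with a huge number of nested templates
   drives the recursion exactly as deep as the attacker-controlled input. */
static void toy_count_naive(const struct toy_component *dc,
                            int *num_templates, int *num_scopes)
{
    if (dc == NULL)
        return;
    if (dc->type == TOY_TEMPLATE)
        (*num_templates)++;
    else if (dc->type == TOY_SCOPE)
        (*num_scopes)++;
    toy_count_naive(dc->left, num_templates, num_scopes);
    toy_count_naive(dc->right, num_templates, num_scopes);
}

/* Bounded walk: same counting, but refuses to descend past TOY_MAX_DEPTH.
   Returns 0 on success, -1 when the limit is hit, so the caller can reject the
   symbol instead of crashing the whole process. */
static int toy_count_bounded(const struct toy_component *dc,
                             int *num_templates, int *num_scopes, int depth)
{
    if (dc == NULL)
        return 0;
    if (depth > TOY_MAX_DEPTH)
        return -1;
    if (dc->type == TOY_TEMPLATE)
        (*num_templates)++;
    else if (dc->type == TOY_SCOPE)
        (*num_scopes)++;
    if (toy_count_bounded(dc->left, num_templates, num_scopes, depth + 1) != 0)
        return -1;
    return toy_count_bounded(dc->right, num_templates, num_scopes, depth + 1);
}

/* Constructed input: a chain of n template nodes, each nested as the previous
   node's left child, standing in for a pathologically nested template. */
static struct toy_component *toy_build_chain(size_t n)
{
    struct toy_component *root = NULL;
    for (size_t i = 0; i < n; i++) {
        struct toy_component *node = calloc(1, sizeof *node);
        if (node == NULL)
            abort();
        node->type = TOY_TEMPLATE;
        node->left = root;   /* the chain built so far becomes the child */
        root = node;
    }
    return root;
}

static void toy_free_chain(struct toy_component *dc)
{
    while (dc != NULL) {
        struct toy_component *next = dc->left;
        free(dc);
        dc = next;
    }
}

/* Bounded count of templates in a chain of n nodes: the count on success,
   or -1 if the nesting exceeded TOY_MAX_DEPTH. */
long toy_count_chain(size_t n)
{
    struct toy_component *root = toy_build_chain(n);
    int templates = 0, scopes = 0;
    int rc = toy_count_bounded(root, &templates, &scopes, 0);
    toy_free_chain(root);
    return rc == 0 ? templates : -1;
}

/* Same count with the naive walk; only safe for small n. */
long toy_count_chain_naive(size_t n)
{
    struct toy_component *root = toy_build_chain(n);
    int templates = 0, scopes = 0;
    toy_count_naive(root, &templates, &scopes);
    toy_free_chain(root);
    return templates;
}

int main(void)
{
    printf("naive,   16 nested templates: %ld\n", toy_count_chain_naive(16));
    printf("bounded, 16 nested templates: %ld\n", toy_count_chain(16));
    /* The naive walk on this input would need a million stack frames; the
       bounded walk reports -1 and the process keeps running. */
    printf("bounded, 1000000 nested:      %ld\n", toy_count_chain(1000000));
    return 0;
}
```

The naive walk has no way to fail gracefully: raising the stack limit, as comment #5 tried, only moves the crash point, because the input decides the depth. The bounded walk turns the same input into an error return, which is the behaviour a tool that demangles untrusted object files should have regardless of how the real fix is implemented.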