Bug 1645958 (CVE-2018-18484) - CVE-2018-18484 binutils: Stack exhaustion in cp-demangle.c allows for denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-18484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1645962 1645964 1645967 1645968 1650647 1654030 1654031
Blocks: 1647427
Reported: 2018-11-05 05:14 UTC by Sam Fowler
Modified: 2021-10-25 22:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 22:21:28 UTC
Embargoed:



Description Sam Fowler 2018-11-05 05:14:45 UTC
An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.


Upstream Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636

Comment 1 Sam Fowler 2018-11-05 05:20:32 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1645962]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1645964]

Comment 9 Scott Gayou 2018-11-16 17:35:39 UTC
Reproduces consistently on RHEL.

Comment 10 Scott Gayou 2018-11-16 18:42:58 UTC
So, this "flaw" seems to be duplicated many times upstream. See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636. Lots of people are running afl and reporting variations on what looks like the exact same root issue, but sometimes with slightly different callflows. Hard to say that the issues are all the same root cause without attempting a recursion limit and re-testing all of the AFL test cases, but I suspect they are.

See Michael Matz's reply here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675. This does at least seem like a very low importance Denial of Service flaw, so I think letting the maintainers decide is at least warranted.

Comment 11 Scott Gayou 2018-11-16 21:37:18 UTC
After doing a bit more analysis, the cause of this seems to be that they don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit different, so I will continue treating these issues as different unless other information comes to light. I was debating whether or not to mark these all as a duplicate generic issue.
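
The missing recursion cap described in comment 11, shown as an added illustration rather than code from libiberty: a toy recursive-descent parser for the pointer/reference subset of the Itanium type grammar, where each prefix letter costs one stack frame unless the depth is bounded. MAX_DEPTH and all function names are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Maximum nesting accepted before the parser gives up (assumed value). */
#define MAX_DEPTH 64

/*
 * Toy grammar modelled on what cplus_demangle_type handles for 'P'/'R':
 *   <type> ::= 'P' <type>   (pointer to)
 *            | 'R' <type>   (reference to)
 *            | 'i' | 'c'    (int, char)
 * Without the depth check, an input like "PPPP...i" of arbitrary length
 * recurses once per prefix letter until the stack is exhausted.
 * Returns bytes consumed, or 0 on failure; 'out' receives the text.
 */
static size_t parse_type(const char *s, size_t len, int depth,
                         char *out, size_t outlen)
{
    if (depth > MAX_DEPTH || len == 0)
        return 0;                      /* hardened: refuse to recurse further */
    if (s[0] == 'P' || s[0] == 'R') {
        size_t n = parse_type(s + 1, len - 1, depth + 1, out, outlen);
        if (n == 0 || strlen(out) + 1 >= outlen)
            return 0;
        strcat(out, s[0] == 'P' ? "*" : "&");   /* append after inner type */
        return n + 1;
    }
    const char *name = s[0] == 'i' ? "int" : s[0] == 'c' ? "char" : NULL;
    if (!name || strlen(name) >= outlen)
        return 0;
    strcpy(out, name);                 /* innermost level: out is still empty */
    return 1;
}

/* Demangle a whole mangled type; 1 on success, 0 if rejected. */
int demangle_type(const char *mangled, char *out, size_t outlen)
{
    if (outlen == 0) return 0;
    out[0] = '\0';
    size_t len = strlen(mangled);
    return parse_type(mangled, len, 0, out, outlen) == len;
}

/* Helper: does 'mangled' demangle exactly to 'expected'? */
int demangles_to(const char *mangled, const char *expected)
{
    char out[64];
    return demangle_type(mangled, out, sizeof out) && strcmp(out, expected) == 0;
}

/* Helper: build "PPP...Pi" with n pointer prefixes (constructed input)
 * and report whether the bounded parser rejects it. */
int rejects_depth(size_t n)
{
    char in[512], out[64];
    if (n + 2 > sizeof in) return -1;
    memset(in, 'P', n); in[n] = 'i'; in[n + 1] = '\0';
    return demangle_type(in, out, sizeof out) == 0;
}
```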

Comment 12 Sam Fowler 2018-11-18 23:47:53 UTC
(In reply to Scott Gayou from comment #11)
> After doing a bit more analysis, the cause of this seems to be that they
> don't cap recursion in libiberty cp-demangle.c. The call flows are all a bit
> different, so I will continue treating these issues as different unless
> other information comes to light. I was debating whether or not to mark
> these all as a duplicate generic issue.

Maybe it's worth considering sharing this with upstream. If upstream agrees, we can then reject the duplicate assignments.

Comment 13 Scott Gayou 2018-11-27 19:43:30 UTC
Good call. I posted a message upstream.
