Quuxplusone / LLVMBugzillaTest

Stack-overflow in demangler (2) #31851

Open Quuxplusone opened 7 years ago

Quuxplusone commented 7 years ago
Bugzilla Link: PR32879
Status: NEW
Importance: P normal
Reported by: Manh-Dung Nguyen (dungnguy@comp.nus.edu.sg)
Reported on: 2017-05-02 03:12:47 -0700
Last modified on: 2018-01-19 16:25:48 -0800
Version: unspecified
Hardware: All / Linux
CC: emaste@freebsd.org, kcc@google.com, llvm-bugs@lists.llvm.org, marcel.boehme@nus.edu.sg, mclow.lists@gmail.com
Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.

First, you need to build the project (https://github.com/llvm-mirror/libcxxabi/blob/master/fuzz/cxa_demangle_fuzzer.cpp) to obtain the binary file.

To reproduce:
$ for G in $(seq 1 15000); do printf "G"; done > test; echo "" >> test; cat test | ./cxa_demangle_fuzzer

ASAN says:
==27344==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf42bbd60 (pc 0x00000084f33b bp 0x7ffdf42bc730 sp 0x7ffdf42bbd60 T0)
    #0 0x84f33a in char const* __cxxabiv1::(anonymous namespace)::parse_builtin_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:379
    #1 0x5328ee in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:1967:33
    #2 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
    #3 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
    #4 0x534009 in char const* __cxxabiv1::(anonymous namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char const*, __cxxabiv1::(anonymous namespace)::Db&) /src/llvm_libcxxabi/src/cxa_demangle.cpp:2008:29
    ...

Regards,
Manh-Dung Nguyen
Quuxplusone commented 7 years ago
Yes, the demangler is full of stack overflows.
I suggest not filing many different bugs, but keeping just one bug open instead.
Maybe just add stuff below https://bugs.llvm.org//show_bug.cgi?id=31031#c6

oss-fuzz has seen stack overflows too, but did not report upstream because,
sadly, such bugs are not getting fixed anyway.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=985
Quuxplusone commented 7 years ago
I was looking into the reported stack-overflows. As a quick fix, one could track
and bound the recursion depth. However, using an arbitrary constant is tricky
and might violate the coding practices here at LLVM (it does for GNU). A proper
patch would turn the recursion into iteration. However, this requires *major*
refactoring.

Thoughts?
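The depth-bounding quick fix discussed above, as an added example that is not libc++abi's code: a toy recursive-descent parser for a small subset of the Itanium <type> grammar (`G`, `P`, `R` wrapping a builtin), where a run of 15000 `G` qualifiers like the reproducer's input is rejected at a fixed depth instead of exhausting the stack. `Db`, `kMaxDepth`, `parse_type` and `demangle_type` are assumed names for this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for the demangler's parse state: a stack of demangled names.
struct Db {
    std::vector<std::string> names;
};

// Assumed recursion bound; the actual value is a tuning choice, the point is
// that it is finite and far below the depth at which the stack runs out.
constexpr unsigned kMaxDepth = 1024;

// Parses a tiny subset of the Itanium <type> grammar:
//   <type> ::= G <type> | P <type> | R <type> | i | c | d
// Returns the position after the parsed type, or `first` if nothing matched,
// mirroring the demangler's "no progress means no match" convention.
const char* parse_type(const char* first, const char* last, Db& db, unsigned depth = 0) {
    if (first == last)
        return first;
    if (depth > kMaxDepth)            // the guard: fail the parse before the stack fails
        return first;
    switch (*first) {
    case 'G': case 'P': case 'R': {
        const char* t = parse_type(first + 1, last, db, depth + 1);
        if (t == first + 1)           // inner <type> did not parse
            return first;
        const char* suffix = *first == 'G' ? " imaginary" : *first == 'P' ? "*" : "&";
        db.names.back() += suffix;
        return t;
    }
    case 'i': db.names.push_back("int");    return first + 1;
    case 'c': db.names.push_back("char");   return first + 1;
    case 'd': db.names.push_back("double"); return first + 1;
    default:  return first;
    }
}

// Demangles a complete type string, or returns "" when the input is rejected
// (including the depth-bound case, which now fails cleanly instead of crashing).
std::string demangle_type(const std::string& s) {
    Db db;
    const char* first = s.data();
    const char* last = first + s.size();
    const char* t = parse_type(first, last, db);
    if (t != last || db.names.empty())
        return "";
    return db.names.back();
}
```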