
Infinite recursion in demangler_gnu #1454

Closed
MarcSchoenefeld opened this issue Jan 19, 2020 · 1 comment
@MarcSchoenefeld

Describe the bug
Applying the reproducer from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78252 (2016) leads to a stack recursion.

To Reproduce

```
lldb ./GPL/DemanglerGnu/os/osx64/demangler_gnu "_ZSt7forwardIRZN8abcdefgh6abcdef15abcde_abcdefghi12_GLOBAL__N_116abcdefAbcdefghijERSt6vectorIPNS1_16abcde_abcdefghij24AbdefAbcdefghijAbcdefghiESaIS7_EEmdEUlRT_E3_EOSB_RNSt16abcdef_abcdefghiISB_E4typeE"
[..]
thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x7ffeef3fff18)
frame #0: 0x00000001000052ce demangler_gnu`d_print_comp + 94
demangler_gnu`d_print_comp:
-> 0x1000052ce <+94>: call 0x100007d10 ; d_print_saw_error
0x1000052d3 <+99>: cmp eax, 0x0
0x1000052d6 <+102>: je 0x1000052e1 ; <+113>
0x1000052dc <+108>: jmp 0x100007b21 ; <+10417>
Target 0: (demangler_gnu) stopped.

[...]
frame #11125: 0x00000001000054c7 demangler_gnu`d_print_comp + 599
frame #11126: 0x0000000100006301 demangler_gnu`d_print_comp + 4241
frame #11127: 0x00000001000069d6 demangler_gnu`d_print_comp + 5990
frame #11128: 0x0000000100007a29 demangler_gnu`d_print_comp + 10169
frame #11129: 0x00000001000054c7 demangler_gnu`d_print_comp + 599
frame #11130: 0x0000000100006301 demangler_gnu`d_print_comp + 4241
frame #11131: 0x00000001000069d6 demangler_gnu`d_print_comp + 5990
frame #11132: 0x0000000100007a29 demangler_gnu`d_print_comp + 10169
frame #11133: 0x00000001000054c7 demangler_gnu`d_print_comp + 599
frame #11134: 0x0000000100006301 demangler_gnu`d_print_comp + 4241
frame #11135: 0x00000001000064fb demangler_gnu`d_print_comp + 4747
frame #11136: 0x00000001000058fd demangler_gnu`d_print_comp + 1677
frame #11137: 0x000000010000516a demangler_gnu`cplus_demangle_print_callback + 106
frame #11138: 0x000000010000832b demangler_gnu`d_demangle_callback + 747
frame #11139: 0x0000000100007f91 demangler_gnu`d_demangle + 65
frame #11140: 0x0000000100007f3f demangler_gnu`cplus_demangle_v3 + 31
frame #11141: 0x00000001000103cc demangler_gnu`cplus_demangle + 188
frame #11142: 0x0000000100011b42 demangler_gnu`demangle_it + 130
frame #11143: 0x000000010001164b demangler_gnu`main + 507
frame #11144: 0x00007fff6b67c3d5 libdyld.dylib`start + 1
```

Expected behavior
Process input with proper return value

Environment (please complete the following information):

  • OS: [e.g. macOS 10.14.6]
  • Java Version: [e.g. 13.0.2]
  • Ghidra Version: [e.g. 9.1.1]

Additional context
The default demangler version with Ghidra seems out of date; a rebase to newer libiberty may reduce the attack surface. The upstream version was fixed with https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=243568
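The trace above shows d_print_comp calling itself through the same few return addresses until the stack is exhausted. As an added illustration (my own example code, not Ghidra's or libiberty's), here is a miniature recursive printer with two defensive guards: a per-node "currently printing" flag that turns a self-referencing component into an error, and a hard depth cap so that even a legitimately deep tree cannot consume unbounded stack. The comp and printer types, the printing flag and MAX_DEPTH are assumed names, the sample trees are constructed, and the flag-based guard is my reading of how such a fix is typically shaped, not a claim about the exact upstream patch.

```c
#include <string.h>
/* Constructed stand-in for libiberty's demangle_component tree (example
 * code, not Ghidra's or libiberty's own). */
typedef struct comp {
    const char *name;   /* text printed for this node */
    struct comp *arg;   /* template argument / child, NULL if none */
    int printing;       /* nonzero while the node is on the print stack */
} comp;

#define MAX_DEPTH 64    /* hard cap on nesting, so stack use stays bounded */
typedef struct {
    char buf[128];
    size_t len;
    int depth, error;   /* error is recorded instead of overflowing the stack */
} printer;

static void emit(printer *p, const char *s) {
    size_t n = strlen(s);
    if (p->len + n >= sizeof p->buf) { p->error = 1; return; }
    memcpy(p->buf + p->len, s, n + 1); p->len += n;
}

/* Recursive printer in the shape of d_print_comp. Without the guard line,
 * a component that refers back to itself recurses until the stack is gone. */
static void print_comp(printer *p, comp *c) {
    if (p->error || c == NULL) return;
    if (c->printing || ++p->depth > MAX_DEPTH) { p->error = 1; return; }
    c->printing = 1;
    emit(p, c->name);
    if (c->arg) { emit(p, "("); print_comp(p, c->arg); emit(p, ")"); }
    c->printing = 0;
    p->depth--;
}

static const char *print_tree(comp *root) {   /* NULL if a guard tripped */
    static printer p;
    memset(&p, 0, sizeof p);
    print_comp(&p, root);
    return p.error ? NULL : p.buf;
}

const char *demo_acyclic(void) {   /* prints forward(vector(T)) */
    comp t = {"T", NULL, 0}, vec = {"vector", &t, 0}, fwd = {"forward", &vec, 0};
    return print_tree(&fwd);
}
const char *demo_cyclic(void) {    /* argument refers back to its parent */
    comp lambda = {"lambda", NULL, 0}, fwd = {"forward", &lambda, 0};
    lambda.arg = &fwd;             /* close the cycle */
    return print_tree(&fwd);
}
```

Without the guard, demo_cyclic would fault the same way the reported reproducer does; with it the caller gets NULL and can report a demangling failure instead of crashing.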

@MarcSchoenefeld

As the similar bug #1451 states, the demangler is 10 years old, so this also falls under CWE-937 [1].

[1] https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

@dragonmacher dragonmacher self-assigned this Jan 28, 2020
@GhidorahRex GhidorahRex added this to the 9.2 milestone Feb 18, 2020
@ryanmkurtz ryanmkurtz added Feature: Demangler Type: Bug Something isn't working labels Feb 1, 2021