[Bug binutils/28718] New: debug.c: Stack-overflow in debug_write_type

[pmayorov at cloudlinux dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28718

            Bug ID: 28718
           Summary: debug.c: Stack-overflow in debug_write_type
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: pmayorov at cloudlinux dot com
  Target Milestone: ---

Created attachment 13870
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13870&action=edit
PoC and ASAN report

I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The problem
is caused by a self-reference in a type definition string in the "stabs"
representation of debugging information
(http://www.sourceware.org/gdb/onlinedocs/stabs.html). 
This leads to an infinite recursion during the printing debug information about
this type.

There is the following type definition:
    .stabs "some_type:t&1=2=3=2",128,0,0,0
Here 'some_type' is defined as a reference to the indirect type 1, which is the
indirect type 2, which is the indirect type 3, which finally is the indirect
type 2. And after parsing we get a "looped" type 2:
    *type->u.kindirect->slot == type

Steps to reproduce:

Build current verison of binutils with ASAN:
./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb
-Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb
-Wno-error -fsanitize=address -fsanitize-recover=address"
make all

Run inputs under ASAN:
binutils/objdump -g ~/stack_overflow

The proof-of-concept and ASAN report are attached.

And I'm preparing a patch to solve this issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.