From patchwork Wed Dec 12 11:40:19 2018
X-Patchwork-Submitter: Nick Clifton
X-Patchwork-Id: 1011854
From: Nick Clifton
To: ian@airs.com
Cc: gcc-patches@gcc.gnu.org, redi@gcc.gnu.org
Subject: RFA: libiberty: Add a limit on demangling qualifiers (PR 87241) (version 2)
Date: Wed, 12 Dec 2018 11:40:19 +0000
Message-ID: <87mupbj7mk.fsf@redhat.com>

Hi Ian,

*sigh* 5 minutes after sending the patch for this PR, I realised that I had made a mistake. I should have conditionalized the limit on the number of supported qualifiers, so that the check is only made if we have resource limits enabled. Like this:

Cheers
Nick

Index: libiberty/cplus-dem.c =================================================================== --- libiberty/cplus-dem.c (revision 267043) +++ libiberty/cplus-dem.c (working copy)
@@ -3443,6 +3443,20 @@ success = 0; } + if ((work->options & DMGL_NO_RECURSE_LIMIT) == 0) + { + /* PR 87241: Catch malicious input that will try to trick this code into + allocating a ridiculous amount of memory via the remember_Ktype() + function. + The choice of DEMANGLE_RECURSION_LIMIT is somewhat arbitrary. Possibly + a better solution would be to track how much memory remember_Ktype + allocates and abort when some upper limit is reached. */ + if (qualifiers > DEMANGLE_RECURSION_LIMIT) + /* FIXME: We ought to have some way to tell the user that + this limit has been reached. */ + success = 0; + } + if (!success) return success;
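
Review bot: the cap in `if (qualifiers > DEMANGLE_RECURSION_LIMIT)` borrows a recursion-depth constant to bound a qualifier count, and the enclosing `DMGL_NO_RECURSE_LIMIT` test means that option now also switches off a memory-allocation guard, which neither name suggests. Consider a dedicated constant for the qualifier cap (or the allocation tracking that the comment itself proposes for remember_Ktype), and add a line to the documentation of DMGL_NO_RECURSE_LIMIT saying that it disables this check as well, since a caller that sets it while demangling untrusted input gets the PR 87241 behaviour back. The FIXME is also worth resolving here: setting `success = 0` makes hitting the limit indistinguishable, for the caller, from any other demangling failure.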