Submit #752768: universal-ctags ctags master-branch Uncontrolled Recursion

Title: universal-ctags ctags master-branch Uncontrolled Recursion
Description:

### Description

We discovered a Stack Overflow vulnerability in the V language parser of Universal Ctags. The crash occurs due to uncontrolled recursion when parsing deeply nested expressions. The ASAN report shows an infinite recursion loop between parseExpression and parseExprList, eventually leading to a stack exhaustion and a crash in getInputFilePosition.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: Universal Ctags (ctags)
- Vulnerability Type: CWE-674: Uncontrolled Recursion (Stack Overflow)
- Function: parseExpression / parseExprList
- Location: parsers/v.c:2744 (and parsers/v.c:2721)
- Root Cause Analysis: The V parser uses recursive calls to handle expressions and expression lists. The cycle is: parseExpression calls parseExprList, which in turn calls parseExpression again.

```
// parsers/v.c
static void parseExpression (...)
{
    // ...
    parseExprList(...);
    // ...
}

static void parseExprList (...)
{
    // ...
    parseExpression(...);
    // ...
}
```

There appears to be no limit on the nesting depth of expressions. A specially crafted V source file with deeply nested structures (e.g., deeply nested parentheses or arrays) triggers this infinite recursion.

### Reproduce

1. Build ctags with Release optimization and ASAN enabled.
3. Run with the crashing file [repro](https://github.com/oneafter/0116/blob/main/poc.v):

```
./ctags -f /dev/null --sort=no poc.v
```

<details>
<summary>ASAN report</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12961==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec5913ec8 (pc 0x5626acc1b09a bp 0x7ffec5914710 sp 0x7ffec5913ed0 T0)
    #0 0x5626acc1b09a in __asan_memcpy (/src/ctags/ctags+0x19909a) (BuildId: 4e8981c500ee9870205e9d50b4bf13ab5c564fbe)
    #1 0x5626accae7c2 in getInputFilePosition /src/ctags/main/read.c:353:27
    #2 0x5626acfe46f3 in readTokenFull /src/ctags/parsers/v.c:608:24
    #3 0x5626acff3ee2 in readToken /src/ctags/parsers/v.c:891:2
    #4 0x5626acff3ee2 in parseExpression /src/ctags/parsers/v.c:2721:3
    #5 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #6 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #7 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #8 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #9 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #10 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #11 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #12 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #13 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #14 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #15 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #16 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #17 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #18 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #19 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #20 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #21 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #22 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #23 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #24 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #25 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #26 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #27 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #28 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #29 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #30 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #31 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #32 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #33 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #34 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #35 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #36 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #37 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #38 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #39 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #40 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #41 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #42 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #43 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #44 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #45 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #46 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #47 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #48 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #49 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #50 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #51 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #52 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #53 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #54 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #55 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #56 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #57 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #58 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #59 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #60 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #61 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #62 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #63 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #64 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #65 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #66 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #67 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #68 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #69 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #70 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #71 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #72 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #73 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #74 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #75 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #76 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #77 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #78 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #79 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #80 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #81 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #82 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #83 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #84 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #85 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #86 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #87 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #88 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #89 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #90 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #91 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #92 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #93 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #94 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #95 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #96 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #97 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #98 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #99 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #100 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #101 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #102 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #103 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #104 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #105 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #106 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #107 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #108 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #109 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #110 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #111 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #112 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #113 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #114 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #115 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #116 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #117 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #118 0x5626acff4
```

</details>
Source: https://github.com/universal-ctags/ctags/issues/4369
User: Oneafter (UID 92781)
Submission: 05.02.2026 10:42 (4 months ago)
Moderation: 17.02.2026 21:23 (12 days later)
Status: Accepted
VulDB entry: 346397 [universal-ctags up to 6.2.1 V Language Parser parsers/v.c parseExpression/parseExprList Denial of Service]
Points: 20
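The missing nesting bound named in the root cause analysis, as an added example that is not ctags code and not part of the submission: a toy parser with the same expression/expression-list cycle, where a depth counter turns unbounded nesting into an error return. The grammar, `MAX_DEPTH`, the return codes and every function name are assumptions made for illustration.

```c
/* Added example, not ctags code; every name here is hypothetical. */
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 256   /* assumed limit; size it to the stack budget */
enum { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };
typedef struct { const char *p; int depth; } parser;
static int parse_expr_list(parser *ps, char closer);

/* expr := atom | '(' expr_list | '[' expr_list */
static int parse_expr(parser *ps) {
    char c = *ps->p;
    if (c == '(' || c == '[') {
        /* The bound the report says is absent: refuse instead of recursing. */
        if (ps->depth >= MAX_DEPTH) return PARSE_TOO_DEEP;
        ps->depth++;
        ps->p++;
        int rc = parse_expr_list(ps, c == '(' ? ')' : ']');
        ps->depth--;
        return rc;
    }
    if (c >= 'a' && c <= 'z') { ps->p++; return PARSE_OK; }
    return PARSE_SYNTAX;
}

/* expr_list := expr (',' expr)* closer */
static int parse_expr_list(parser *ps, char closer) {
    for (;;) {
        int rc = parse_expr(ps);      /* other half of the cycle */
        if (rc != PARSE_OK) return rc;
        if (*ps->p == closer) { ps->p++; return PARSE_OK; }
        if (*ps->p != ',') return PARSE_SYNTAX;
        ps->p++;
    }
}

/* Parse one expression; trailing input is a syntax error. */
int parse_source(const char *src) {
    parser ps = { src, 0 };
    int rc = parse_expr(&ps);
    return (rc == PARSE_OK && *ps.p != '\0') ? PARSE_SYNTAX : rc;
}

/* Constructed input: `levels` '(' characters, one atom, `levels` ')'. */
int parse_nested(size_t levels) {
    char *buf = calloc(2 * levels + 2, 1);
    if (!buf) return PARSE_SYNTAX;
    memset(buf, '(', levels);
    buf[levels] = 'a';
    memset(buf + levels + 1, ')', levels);
    int rc = parse_source(buf);
    free(buf);
    return rc;
}
```

Because the counter is checked before each descent, stack use is capped at `MAX_DEPTH` pairs of frames no matter how long the input is, and the caller sees `PARSE_TOO_DEEP` rather than a crash.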
