Submit #752768: universal-ctags ctags master-branch Uncontrolled Recursion

Info

Title: universal-ctags ctags master-branch Uncontrolled Recursion
Description:

### Description
We discovered a Stack Overflow vulnerability in the V language parser of Universal Ctags. The crash occurs due to uncontrolled recursion when parsing deeply nested expressions. The ASAN report shows an infinite recursion loop between parseExpression and parseExprList, eventually leading to stack exhaustion and a crash in getInputFilePosition.

### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details
- Target: Universal Ctags (ctags)
- Vulnerability Type: CWE-674: Uncontrolled Recursion (Stack Overflow)
- Function: parseExpression / parseExprList
- Location: parsers/v.c:2744 (and parsers/v.c:2721)
- Root Cause Analysis: The V parser uses recursive calls to handle expressions and expression lists. The cycle is: parseExpression calls parseExprList, which in turn calls parseExpression again.

```
// parsers/v.c
static void parseExpression (...) {
    // ...
    parseExprList(...);
    // ...
}

static void parseExprList (...) {
    // ...
    parseExpression(...);
    // ...
}
```

There appears to be no limit on the nesting depth of expressions. A specially crafted V source file with deeply nested structures (e.g., deeply nested parentheses or arrays) triggers this infinite recursion.

### Reproduce
1. Build ctags with Release optimization and ASAN enabled.
3. Run with the crashing file [repro](https://github.com/oneafter/0116/blob/main/poc.v):

```
./ctags -f /dev/null --sort=no poc.v
```

<details>
<summary>ASAN report</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12961==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec5913ec8 (pc 0x5626acc1b09a bp 0x7ffec5914710 sp 0x7ffec5913ed0 T0)
    #0 0x5626acc1b09a in __asan_memcpy (/src/ctags/ctags+0x19909a) (BuildId: 4e8981c500ee9870205e9d50b4bf13ab5c564fbe)
    #1 0x5626accae7c2 in getInputFilePosition /src/ctags/main/read.c:353:27
    #2 0x5626acfe46f3 in readTokenFull /src/ctags/parsers/v.c:608:24
    #3 0x5626acff3ee2 in readToken /src/ctags/parsers/v.c:891:2
    #4 0x5626acff3ee2 in parseExpression /src/ctags/parsers/v.c:2721:3
    #5 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #6 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #7 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #8 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #9 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #10 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #11 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #12 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #13 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #14 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #15 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #16 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #17 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #18 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #19 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #20 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #21 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
    #22 0x5626acff40c5 in parseExpression /src/ctags/parsers/v.c:2744:5
    #23 0x5626acff795d in parseExprList /src/ctags/parsers/v.c
```

</details>
Source: https://github.com/universal-ctags/ctags/issues/4369
User: Oneafter (UID 92781)
Submission: 05.02.2026 10:42 (4 months ago)
Moderation: 17.02.2026 21:23 (12 days later)
Status: Accepted
VulDB entry: 346397 [universal-ctags up to 6.2.1 V Language Parser parsers/v.c parseExpression/parseExprList denial of service]
Points: 20
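
A minimal model of the parseExpression / parseExprList cycle described in the submission, with a nesting cap as the mitigation for CWE-674. This is an added example, not code from ctags or from the report: the toy grammar, the names `parse_expression`, `parse_expr_list`, `parse_source` and `parse_nested`, and the `MAX_NESTING` value are assumptions, and it does not represent the project's actual fix.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_NESTING 256  /* assumed cap for this sketch, not a ctags value */
enum { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };
typedef struct { const char *p; int depth; } Parser;
static int parse_expr_list(Parser *ps);

/* expression := IDENT | '[' expr_list ']' | '(' expr_list ')' */
static int parse_expression(Parser *ps) {
    char c = *ps->p;
    if (c == '[' || c == '(') {
        char close = (c == '[') ? ']' : ')';
        if (ps->depth >= MAX_NESTING)
            return PARSE_TOO_DEEP;     /* refuse before the call stack runs out */
        ps->depth++; ps->p++;
        int rc = parse_expr_list(ps);  /* first half of the cycle */
        ps->depth--;
        if (rc == PARSE_OK && *ps->p++ != close) rc = PARSE_SYNTAX;
        return rc;
    }
    if (c < 'a' || c > 'z') return PARSE_SYNTAX;
    while (*ps->p >= 'a' && *ps->p <= 'z') ps->p++;
    return PARSE_OK;
}

/* expr_list := [ expression { ',' expression } ] */
static int parse_expr_list(Parser *ps) {
    if (*ps->p == ']' || *ps->p == ')') return PARSE_OK;  /* empty list */
    for (;;) {
        int rc = parse_expression(ps);  /* second half of the cycle */
        if (rc != PARSE_OK) return rc;
        if (*ps->p != ',') return PARSE_OK;
        ps->p++;
    }
}

/* Parse one complete expression; trailing characters are a syntax error. */
int parse_source(const char *src) {
    Parser ps = { src, 0 };
    int rc = parse_expression(&ps);
    return (rc == PARSE_OK && *ps.p != '\0') ? PARSE_SYNTAX : rc;
}

/* Constructed input: n '[' characters, the identifier "x", then n ']'. */
int parse_nested(size_t n) {
    char *buf = malloc(2 * n + 2);
    if (!buf) return PARSE_SYNTAX;
    memset(buf, '[', n);
    memset(buf + n + 1, ']', n);
    buf[n] = 'x'; buf[2 * n + 1] = '\0';
    int rc = parse_source(buf);
    free(buf);
    return rc;
}
```

Input nested deeper than the cap is rejected with `PARSE_TOO_DEEP`, so stack use stays bounded by the cap rather than by the size of the file being parsed.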
