public inbox for gdb-prs@sourceware.org
* [Bug gdb/15714] New: gdb 7.5 crash with a double-free when trying to attach to a daemon
From: devillers.nicolas at gmail dot com @ 2013-07-02 22:58 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

            Bug ID: 15714
           Summary: gdb 7.5 crash with a double-free when trying to attach
                    to a daemon
           Product: gdb
           Version: 7.5
            Status: NEW
          Severity: minor
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: devillers.nicolas at gmail dot com

I'm having a crash with a double-free detected by glibc when trying to attach to
the pid of a running daemon in gdb 7.5 as shipped with Ubuntu x86.

Ubuntu is at version 12.10, kernel 3.5.0-17-generic.

My gdb is using the .gdbinit from http://reverse.put.as revision 8.0.3 (21/03/2013);
furthermore it includes the latest version of peda as taken from
https://github.com/longld/peda, by just adding "source ~/peda/peda.py" at the end
of the .gdbinit.

Here is the stack trace:

nicolas@nicolas-VirtualBox:~$ sudo gdb --pid 13442  
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.

warning: not using untrusted file "/home/nicolas/.gdbinit"
*** glibc detected *** gdb: double free or corruption (!prev): 0x08653f40 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb7ab7ee2]
/lib/i386-linux-gnu/libc.so.6(fclose+0x154)[0xb7aa7424]
gdb[0x82b2475]
gdb[0x816f576]
gdb(do_cleanups+0x19)[0x816f5d1]
gdb[0x80f43e4]
gdb(source_script+0x20)[0x80f4437]
gdb(catch_command_errors+0x42)[0x81d4a7f]
gdb[0x81d6fcb]
gdb(catch_errors+0x4c)[0x81d49a9]
gdb(gdb_main+0x34)[0x81d752a]
gdb(main+0x4f)[0x80880eb]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb7a5b4d3]
gdb[0x8087fd1]
======= Memory map: ========


I'm able to reproduce this bug by trying to attach to any running process.
However, I'm not able to reproduce it with gdb-7.6 compiled from the source.

I didn't find a related fix in the changelog so I'm really sorry if this is
something already fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug gdb/15714] gdb 7.5 crash with a double-free when trying to attach to a daemon
From: keiths at redhat dot com @ 2013-07-08 22:54 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

Keith Seitz <keiths at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |keiths at redhat dot com

--- Comment #1 from Keith Seitz <keiths at redhat dot com> ---
I have a VM of Ubuntu i686 12.10 on my machine, and I'm trying to reproduce
this using the vendor-supplied gdb (7.5-ubuntu).

Unfortunately, from what I can gather from your description, I am unable to
reproduce it by attaching to a running xterm instance.

Note that in the log you posted, gdb has warned you 'not using untrusted file
"/home/nicolas/.gdbinit"', so I did not actually try any of that
peda/reverse.put.as init stuff.

Can you try to reproduce this passing -nx to gdb? Do you still encounter
problems? If not, that would indicate that there is still some .gdbinit-stuff
that gdb is picking up somewhere that is causing problems.

Can you install debuginfo for gdb and get a more descriptive backtrace?

I tried to reproduce this with the FSF 7.5 release and also could not reproduce
it on either Fedora 18 or my Ubuntu 12.10 VM (kernel 3.5.0-27).


* [Bug gdb/15714] gdb 7.5 crash with a double-free when run with sudo and a specific .gdbinit file
From: devillers.nicolas at gmail dot com @ 2013-07-10  0:37 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

Nicolas Devillers <devillers.nicolas at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|gdb 7.5 crash with a        |gdb 7.5 crash with a
                   |double-free when trying to  |double-free when run with
                   |attach to a daemon          |sudo and a specific
                   |                            |.gdbinit file

--- Comment #2 from Nicolas Devillers <devillers.nicolas at gmail dot com> ---
"Can you try to reproduce this passing -nx to gdb? Do you still encounter
problems?"

Yes, I tried, and it didn't reproduce the problem.

"Can you install debuginfo for gdb and get a more descriptive backtrace?"

I wanted to, but didn't manage to find an Ubuntu package providing gdb debugging
symbols.


* [Bug gdb/15714] gdb 7.5 crash with a double-free when run with sudo and a specific .gdbinit file
From: devillers.nicolas at gmail dot com @ 2013-07-10  0:40 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

--- Comment #3 from Nicolas Devillers <devillers.nicolas at gmail dot com> ---
"Can you try to reproduce this passing -nx to gdb? Do you still encounter
problems?"

Yes, I tried, and it didn't reproduce the problem.

"Can you install debuginfo for gdb and get a more descriptive backtrace?"

I wanted to, but didn't manage to find an Ubuntu package providing gdb debugging
symbols.

My guess was that it is related to the cleaning of the structure parsing the
.gdbinit file and the Python API.

I did a valgrind trace, but it's not really useful without debug symbols. I'll
try to dive into this bug.


* [Bug gdb/15714] gdb 7.5 crash with a double-free when run with sudo and a specific .gdbinit file
From: jan.kratochvil at redhat dot com @ 2013-07-10 12:52 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

Jan Kratochvil <jan.kratochvil at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jan.kratochvil at redhat dot com
         Resolution|---                         |FIXED

--- Comment #4 from Jan Kratochvil <jan.kratochvil at redhat dot com> ---
I do not see the message 'not using untrusted file' in FSF GDB sources; it was
never there, it was always only a Red Hat extension.

It has been superseded in FSF GDB before 7.5 was released by:
  http://sourceware.org/ml/gdb-patches/2012-01/msg00586.html

The Red Hat patch was removed thanks to it in Fedora 17 on 2012-04-18 by:
  http://pkgs.fedoraproject.org/cgit/gdb.git/commit/?id=08451779f969455df3b5f16e872f5e698ca794f9

I have found the inappropriate patch is still present in:
  http://packages.ubuntu.com/source/quantal/gdb
  http://archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_7.5-0ubuntu2.debian.tar.gz
  ./debian/patches/gdbinit-ownership.patch
And there is really at least a double fclose bug in that patch.

But that is an Ubuntu-specific problem; this Bugzilla is for FSF GDB.

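The failure mode Jan names (an ownership check on .gdbinit whose reject path and cleanup both fclose the stream, matching the fclose/do_cleanups/source_script frames in the reported backtrace) as an added illustration; this is constructed code, not the Ubuntu patch or GDB's own, and the function names, the exact trust rule (owner matches the expected uid and the file is not world-writable) and the assumption that under sudo the file owner differs from the effective user are mine:

```c
/* Constructed illustration of the hazard the thread describes (not the Ubuntu
 * patch or GDB's own code): a .gdbinit loader that refuses files not owned by
 * the invoking user, and a cleanup that closes the stream. Closing on the
 * reject path and again in the cleanup is the double fclose glibc aborts on. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Trust the init file only if it belongs to trusted_uid and is not
 * world-writable; under sudo, trusted_uid should be the real user, not 0. */
static int gdbinit_is_trusted(FILE *fp, uid_t trusted_uid) {
    struct stat st;
    if (fstat(fileno(fp), &st) != 0) return 0;
    return st.st_uid == trusted_uid && (st.st_mode & S_IWOTH) == 0;
}
/* Really close only on the first attempt and count every attempt, so the
 * second attempt is recorded instead of reaching glibc and aborting the demo. */
static void close_counted(FILE *fp, int *closes) {
    if ((*closes)++ == 0) fclose(fp);
}
/* Buggy shape: the ownership check closes on rejection, and the caller's
 * unconditional cleanup closes again. Returns the number of close attempts. */
static int source_gdbinit_buggy(const char *path, uid_t trusted_uid) {
    int closes = 0;
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    if (!gdbinit_is_trusted(fp, trusted_uid)) {
        fprintf(stderr, "warning: not using untrusted file \"%s\"\n", path);
        close_counted(fp, &closes);      /* first fclose */
    }
    close_counted(fp, &closes);          /* cleanup: second fclose if rejected */
    return closes;
}
/* Fixed shape: one owner of the stream. The check only reports, the cleanup
 * is the single place that closes, and the pointer is nulled afterwards. */
static int source_gdbinit_fixed(const char *path, uid_t trusted_uid) {
    int closes = 0;
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    if (!gdbinit_is_trusted(fp, trusted_uid))
        fprintf(stderr, "warning: not using untrusted file \"%s\"\n", path);
    /* else: read and execute the script lines here */
    close_counted(fp, &closes); fp = NULL; /* sole close; later closes see NULL */
    return closes;
}
/* Demo helper: creates a private 0600 file owned by the caller. */
static int make_test_script(char *tmpl) {
    const char *line = "set disassembly-flavor intel\n";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    return (write(fd, line, strlen(line)) < 0 || close(fd) != 0) ? -1 : 0;
}
```

For a trusted file both variants close once; for a rejected file the buggy variant reports two close attempts, which in the real build is the second fclose that glibc flags as a double free.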

* [Bug gdb/15714] gdb 7.5 crash with a double-free when run with sudo and a specific .gdbinit file
From: jan.kratochvil at redhat dot com @ 2013-07-10 12:54 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

Jan Kratochvil <jan.kratochvil at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID


* [Bug gdb/15714] gdb 7.5 crash with a double-free when run with sudo and a specific .gdbinit file
From: devillers.nicolas at gmail dot com @ 2013-07-10 14:05 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15714

--- Comment #5 from Nicolas Devillers <devillers.nicolas at gmail dot com> ---
Indeed. Sorry about the noise here.

