public inbox for gdb-prs@sourceware.org
* [Bug cli/15827] New: Segfault on reading symbols from a fuzzed (corrupted) binary
@ 2013-08-09 13:05 jutaky at gmail dot com
  2014-03-21 16:51 ` [Bug gdb/15827] " keiths at redhat dot com
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: jutaky at gmail dot com @ 2013-08-09 13:05 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15827

            Bug ID: 15827
           Summary: Segfault on reading symbols from a fuzzed (corrupted)
                    binary
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: cli
          Assignee: unassigned at sourceware dot org
          Reporter: jutaky at gmail dot com

I am performing fuzzing against gdb and checking how it behaves on different
kinds of input. Here is the first finding.

Segmentation fault on reading symbols from a fuzzed binary.

gdb version 7.6.50.20130809-cvs.

Test case: http://jutaky.com/fuzzing/gdb_case_6958_4981.bin

Reading symbols from /home/jutaky/fuzzing/gdb_case_6958_4981.bin...
Program received signal SIGSEGV, Segmentation fault.
0x00000000005e891c in read_unsigned_leb128 (abfd=0xd3d4a0, buf=0x76e73134
<Address 0x76e73134 out of bounds>, bytes_read_ptr=0x7fffffffde64) at
dwarf2read.c:15166
15166          byte = bfd_get_8 (abfd, buf);
(gdb) bt
#0  0x00000000005e891c in read_unsigned_leb128 (abfd=0xd3d4a0, buf=0x76e73134
<Address 0x76e73134 out of bounds>, bytes_read_ptr=0x7fffffffde64) at
dwarf2read.c:15166
#1  0x00000000005d4ff8 in peek_die_abbrev (info_ptr=0x76e73134 <Address
0x76e73134 out of bounds>, bytes_read=0x7fffffffde64, cu=0xd5b1c0) at
dwarf2read.c:6669
#2  0x00000000005e6020 in load_partial_dies (reader=0x7fffffffe0c0,
info_ptr=0x76e73134 <Address 0x76e73134 out of bounds>, building_psymtab=1) at
dwarf2read.c:13945
#3  0x00000000005d2d38 in process_psymtab_comp_unit_reader
(reader=0x7fffffffe0c0, info_ptr=0xd62f9d "\002\060\a", comp_unit_die=0xd689a0,
has_children=1, data=0x7fffffffe190) at dwarf2read.c:5710
#4  0x00000000005d1a6d in init_cutu_and_read_dies (this_cu=0xd593c0,
abbrev_table=0x0, use_existing_cu=0, keep=0, die_reader_func=0x5d2a1f
<process_psymtab_comp_unit_reader>, data=0x7fffffffe190)
    at dwarf2read.c:5143
#5  0x00000000005d320d in process_psymtab_comp_unit (this_cu=0xd593c0,
want_partial_unit=0, pretend_language=language_minimal) at dwarf2read.c:5797
#6  0x00000000005d3923 in dwarf2_build_psymtabs_hard (objfile=0xd47750) at
dwarf2read.c:5977
#7  0x00000000005ce7ac in dwarf2_build_psymtabs (objfile=0xd47750) at
dwarf2read.c:3839
#8  0x00000000004b1f05 in read_psyms (objfile=0xd47750) at elfread.c:1473
#9  0x000000000053aee2 in require_partial_symbols (objfile=0xd47750, verbose=0)
at psymtab.c:92
#10 0x0000000000540c3d in read_symbols (objfile=0xd47750, add_flags=6) at
symfile.c:847
#11 0x000000000054107e in syms_from_objfile_1 (objfile=0xd47750,
addrs=0xd519e0, add_flags=6) at symfile.c:998
#12 0x00000000005410c1 in syms_from_objfile (objfile=0xd47750, addrs=0x0,
add_flags=6) at symfile.c:1014
#13 0x00000000005412b3 in symbol_file_add_with_addrs (abfd=0xd3d4a0,
add_flags=6, addrs=0x0, flags=0, parent=0x0) at symfile.c:1109
#14 0x0000000000541493 in symbol_file_add_from_bfd (abfd=0xd3d4a0, add_flags=6,
addrs=0x0, flags=0, parent=0x0) at symfile.c:1196
#15 0x00000000005414e7 in symbol_file_add (name=0x7fffffffeb26
"gdb_case_6958_4981.bin", add_flags=6, addrs=0x0, flags=0) at symfile.c:1210
#16 0x0000000000541576 in symbol_file_add_main_1 (args=0x7fffffffeb26
"gdb_case_6958_4981.bin", from_tty=1, flags=0) at symfile.c:1235
#17 0x0000000000541522 in symbol_file_add_main (args=0x7fffffffeb26
"gdb_case_6958_4981.bin", from_tty=1) at symfile.c:1226
#18 0x0000000000571fa8 in catch_command_errors (command=0x5414fd
<symbol_file_add_main>, arg=0x7fffffffeb26 "gdb_case_6958_4981.bin",
from_tty=1, mask=6) at exceptions.c:551
#19 0x0000000000575b3a in captured_main (data=0x7fffffffe710) at main.c:946
#20 0x0000000000571ed6 in catch_errors (func=0x574d53 <captured_main>,
func_args=0x7fffffffe710, errstring=0x828fd4 "", mask=6) at exceptions.c:524
#21 0x0000000000575eca in gdb_main (args=0x7fffffffe710) at main.c:1062
#22 0x0000000000406c9e in main (argc=2, argv=0x7fffffffe818) at gdb.c:34

--
Juha Kylmänen
Research Assistant, OUSPG

-- 
You are receiving this mail because:
You are on the CC list for the bug.
From: "tromey at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug threads/15824] Can't get threads name from info threads with
 linux kernel version below 2.6.32
Date: Fri, 09 Aug 2013 15:43:00 -0000

http://sourceware.org/bugzilla/show_bug.cgi?id=15824

Tom Tromey <tromey at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at redhat dot com

--- Comment #1 from Tom Tromey <tromey at redhat dot com> ---
Thanks.

See the contribution checklist for submitting patches:
http://sourceware.org/gdb/wiki/ContributionChecklist

I glanced at the patch and noticed that it doesn't follow
the GNU coding standards.  You'll want to fix that up
before submitting.




* [Bug gdb/15827] Segfault on reading symbols from a fuzzed (corrupted) binary
  2013-08-09 13:05 [Bug cli/15827] New: Segfault on reading symbols from a fuzzed (corrupted) binary jutaky at gmail dot com
@ 2014-03-21 16:51 ` keiths at redhat dot com
  2014-04-16 21:43 ` cvs-commit at gcc dot gnu.org
  2014-04-16 21:45 ` keiths at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: keiths at redhat dot com @ 2014-03-21 16:51 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=15827

Keith Seitz <keiths at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |keiths at redhat dot com
          Component|cli                         |gdb

--- Comment #1 from Keith Seitz <keiths at redhat dot com> ---
Thank you for the bug report on this issue. I have a patch pending upstream to
address this. If you find any more, please pass them on! There are almost
certainly a bunch of related bugs lurking in the dwarf reader.

https://sourceware.org/ml/gdb-patches/2014-03/msg00526.html




* [Bug gdb/15827] Segfault on reading symbols from a fuzzed (corrupted) binary
  2013-08-09 13:05 [Bug cli/15827] New: Segfault on reading symbols from a fuzzed (corrupted) binary jutaky at gmail dot com
  2014-03-21 16:51 ` [Bug gdb/15827] " keiths at redhat dot com
@ 2014-04-16 21:43 ` cvs-commit at gcc dot gnu.org
  2014-04-16 21:45 ` keiths at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-04-16 21:43 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=15827

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  22869d73e127511e177a6bd855f9b5dbe22b9eca (commit)
      from  c4f87ca6dbe041e2a331e5054a76c9134f29d545 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=22869d73e127511e177a6bd855f9b5dbe22b9eca

commit 22869d73e127511e177a6bd855f9b5dbe22b9eca
Author: Keith Seitz <keiths@redhat.com>
Date:   Wed Apr 16 14:39:10 2014 -0700

    PR gdb/15827

    Install some sanity checks that sibling DIE offsets are not beyond the
    defined limits of the DWARF input buffer in read_partial_die and
    skip_one_die.

    2014-03-20  Keith Seitz  <keiths@redhat.com>

        PR gdb/15827
        * dwarf2read.c (skip_one_die): Check that all relative-offset
        sibling DIEs fall within range of the current reader's buffer.
        (read_partial_die): Likewise.

    2014-03-20  Keith Seitz  <keiths@redhat.com>

        PR gdb/15827
        * gdb.dwarf2/corrupt.c: New file.
        * gdb.dwarf2/corrupt.exp: New file.

-----------------------------------------------------------------------

Summary of changes:
 gdb/ChangeLog                        |    7 +++
 gdb/dwarf2read.c                     |    4 ++
 gdb/testsuite/ChangeLog              |    6 +++
 gdb/testsuite/gdb.dwarf2/corrupt.c   |   24 ++++++++++
 gdb/testsuite/gdb.dwarf2/corrupt.exp |   77 ++++++++++++++++++++++++++++++++++
 5 files changed, 118 insertions(+), 0 deletions(-)
 create mode 100644 gdb/testsuite/gdb.dwarf2/corrupt.c
 create mode 100644 gdb/testsuite/gdb.dwarf2/corrupt.exp

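The crash in the original report (read_unsigned_leb128 being handed an info_ptr far outside the CU buffer) and the range check the commit above describes (a sibling DIE offset must fall inside the current reader's buffer) can both be shown in a few dozen lines. The following is an added C example written for this thread; it is not gdb's code and does not reproduce dwarf2read.c. The names die_reader, read_uleb128_bounded, sibling_ptr_checked and parse_sample_record are assumptions, the record layout is a simplified stand-in rather than real DWARF, and the sample inputs are constructed (the corrupt offset reuses the out-of-bounds address from the backtrace purely as a recognisable bad value).

```c
/* Added example, not gdb's code: a bounds-checked fragment of a DIE reader.
   It shows the failure mode from the bug report (a ULEB128 decode that
   follows a continuation bit past the end of the input buffer) and the
   kind of check the fix describes (a sibling DIE offset is rejected unless
   it lands inside the current reader's buffer).  All names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reader state: the CU buffer being decoded and its end. */
struct die_reader {
    const uint8_t *buffer;
    const uint8_t *buffer_end;   /* one past the last valid byte */
};

/* Unsigned LEB128 decode that refuses to read past END.  Returns the number
   of bytes consumed, or 0 when the encoding is truncated or wider than 64
   bits, so the caller can treat the input as corrupt instead of crashing. */
static size_t read_uleb128_bounded(const uint8_t *buf, const uint8_t *end,
                                   uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;

    for (;;) {
        if (buf + n >= end)      /* next byte lies outside the buffer */
            return 0;
        if (shift >= 64)         /* more than 10 bytes: not a valid value */
            return 0;
        uint8_t byte = buf[n++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }
    *out = result;
    return n;
}

/* Turn a CU-relative sibling offset into a pointer, or NULL when the offset
   is not inside [buffer, buffer_end).  Without this check a corrupt offset
   becomes exactly the kind of out-of-bounds info_ptr seen in the backtrace. */
static const uint8_t *sibling_ptr_checked(const struct die_reader *r,
                                          uint64_t sibling_offset)
{
    size_t len = (size_t)(r->buffer_end - r->buffer);
    if (sibling_offset >= len)
        return NULL;
    return r->buffer + sibling_offset;
}

/* Constructed sample record (simplified, not real DWARF layout):
   [ULEB128 abbrev code][4-byte little-endian sibling offset][padding].
   Returns 1 if the sibling is usable, 0 if rejected, -1 if truncated. */
static int parse_sample_record(uint32_t sibling_field, uint64_t *abbrev_out)
{
    uint8_t buf[16] = { 0x81, 0x01 };          /* ULEB128 for 129 */
    buf[2] = (uint8_t)(sibling_field);
    buf[3] = (uint8_t)(sibling_field >> 8);
    buf[4] = (uint8_t)(sibling_field >> 16);
    buf[5] = (uint8_t)(sibling_field >> 24);
    struct die_reader r = { buf, buf + sizeof buf };

    size_t n = read_uleb128_bounded(r.buffer, r.buffer_end, abbrev_out);
    if (n == 0)
        return -1;                              /* corrupt abbrev code */
    const uint8_t *p = r.buffer + n;
    if (r.buffer_end - p < 4)
        return -1;                              /* truncated sibling field */
    uint64_t off = (uint64_t)p[0] | ((uint64_t)p[1] << 8)
                 | ((uint64_t)p[2] << 16) | ((uint64_t)p[3] << 24);
    return sibling_ptr_checked(&r, off) != NULL;
}

/* Constructed inputs: a well-formed value, and one where every byte has the
   continuation bit set so an unbounded decoder would run off the buffer. */
static uint64_t sample_uleb128_value(void)
{
    static const uint8_t enc[] = { 0xE5, 0x8E, 0x26 };   /* encodes 624485 */
    uint64_t v = 0;
    return read_uleb128_bounded(enc, enc + sizeof enc, &v) == 3 ? v : 0;
}

static size_t sample_uleb128_truncated(void)
{
    static const uint8_t enc[] = { 0x80, 0x80, 0x80, 0x80 };
    uint64_t v = 0;
    return read_uleb128_bounded(enc, enc + sizeof enc, &v);   /* 0: rejected */
}

static int sample_sibling_in_range(void) { uint64_t a; return parse_sample_record(8, &a); }
static int sample_sibling_corrupt(void)  { uint64_t a; return parse_sample_record(0x76e73134u, &a); }

int main(void)
{
    printf("uleb128 value      : %llu\n", (unsigned long long)sample_uleb128_value());
    printf("truncated consumed : %zu\n", sample_uleb128_truncated());
    printf("sibling 8          : %d\n", sample_sibling_in_range());
    printf("sibling 0x76e73134 : %d\n", sample_sibling_corrupt());
    return 0;
}
```

The two checks are independent: the bounded LEB128 decoder stops a truncated encoding from reading past the buffer, and the sibling range check stops a corrupt offset from ever becoming a pointer that the decoder is then asked to read from. A reader that only had the first check would still be handed the bad info_ptr shown in the backtrace; a reader that only had the second would still walk off the end on a truncated abbrev code.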



* [Bug gdb/15827] Segfault on reading symbols from a fuzzed (corrupted) binary
  2013-08-09 13:05 [Bug cli/15827] New: Segfault on reading symbols from a fuzzed (corrupted) binary jutaky at gmail dot com
  2014-03-21 16:51 ` [Bug gdb/15827] " keiths at redhat dot com
  2014-04-16 21:43 ` cvs-commit at gcc dot gnu.org
@ 2014-04-16 21:45 ` keiths at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: keiths at redhat dot com @ 2014-04-16 21:45 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=15827

Keith Seitz <keiths at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
           Assignee|unassigned at sourceware dot org   |keiths at redhat dot com
   Target Milestone|---                         |7.8

--- Comment #3 from Keith Seitz <keiths at redhat dot com> ---
I have pushed a patch for this. If you encounter any further problems, please
open a new bug.



