public inbox for gdb-prs@sourceware.org
* [Bug gdb/17947] New: S-Record handling read out of bounds
@ 2015-02-09 18:59 symeon.paraschoudis at htbridge dot com
From: symeon.paraschoudis at htbridge dot com @ 2015-02-09 18:59 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=17947

            Bug ID: 17947
           Summary: S-Record handling read out of bounds
           Product: gdb
           Version: 7.8
            Status: NEW
          Severity: critical
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: symeon.paraschoudis at htbridge dot com

Created attachment 8110
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8110&action=edit
testcase to reproduce it

Hello team!

When trying to open the attached test case, AddressSanitizer reports the
following:

=================================================================
==7193== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb536a0d2 at
pc 0x87eada2 bp 0xbfb63c38 sp 0xbfb63c2c
READ of size 1 at 0xb536a0d2 thread T0
    #0 0x87eada1 in srec_scan srec.c:522
    #1 0x87ec221 in srec_object_p srec.c:651 (discriminator 1)
    #2 0x87c8740 in bfd_check_format_matches format.c:305
    #3 0x84a5c7b in exec_file_attach exec.c:232
    #4 0x8412a04 in catch_command_errors main.c:355
    #5 0x84145f2 in captured_main main.c:1055
    #6 0x84080d3 in catch_errors exceptions.c:506
    #7 0x8414bee in gdb_main main.c:1172
    #8 0x809462a in main gdb.c:33
    #9 0xb5b37a82 in __libc_start_main libc-start.c:287
    #10 0x80943d0 in _start ??:?
0xb536a0d2 is located 0 bytes to the right of 2-byte region
[0xb536a0d0,0xb536a0d2)
allocated by thread T0 here:
    #0 0xb612b854 in malloc ??:?
    #1 0x87c9882 in bfd_malloc libbfd.c:181
    #2 0x87ea6e6 in srec_scan srec.c:483
    #3 0x87ec221 in srec_object_p srec.c:651 (discriminator 1)
    #4 0x87c8740 in bfd_check_format_matches format.c:305
    #5 0x84a5c7b in exec_file_attach exec.c:232
    #6 0x8412a04 in catch_command_errors main.c:355
    #7 0x84145f2 in captured_main main.c:1055
    #8 0x84080d3 in catch_errors exceptions.c:506
    #9 0x8414bee in gdb_main main.c:1172
    #10 0x809462a in main gdb.c:33
    #11 0xb5b37a82 in __libc_start_main libc-start.c:287

Debugging it with gdb:

gdb$ r ~/Desktop/gdb_heap_overflow 
Starting program: /home/user/Desktop/gdb-7.8.2/gdb/gdb ~/Desktop/gdb_heap_overflow
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
GNU gdb (GDB) 7.8.2
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x08767000  EBX: 0x0866DC38  ECX: 0x08745258  EDX: 0x00000630  o d I t S z a P c 
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFFEE58  ESP: 0xBFFFEDC0  EIP: 0x0837BB66
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------[code]
=> 0x837bb66 <srec_scan+2191>:    movzx  eax,BYTE PTR [eax]
   0x837bb69 <srec_scan+2194>:    movzx  eax,al
   0x837bb6c <srec_scan+2197>:    movzx  eax,BYTE PTR [eax+0x8546ce0]
   0x837bb73 <srec_scan+2204>:    shl    eax,0x4
   0x837bb76 <srec_scan+2207>:    mov    edx,eax
   0x837bb78 <srec_scan+2209>:    mov    eax,DWORD PTR [ebp-0x40]
   0x837bb7b <srec_scan+2212>:    add    eax,0x1
   0x837bb7e <srec_scan+2215>:    movzx  eax,BYTE PTR [eax]
--------------------------------------------------------------------------------
0x0837bb66 in srec_scan (abfd=0x8704858) at srec.c:557
557                check_sum += HEX (data);
gdb$ x/20x $eax
0x8767000:    Cannot access memory at address 0x8767000
gdb$ 

My system is Ubuntu 14.04 x86.
Thank you!

-- 
You are receiving this mail because:
You are on the CC list for the bug.
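The report above shows a one-byte read immediately past a 2-byte heap region that srec_scan allocated for the record, with the faulting line being the checksum accumulation. The following is an added example, not BFD's srec.c and not the reporter's code: a minimal, bounds-checked parser for one Motorola S-record line that shows the two checks such a parser needs before trusting the byte count field, namely that the count covers the address and checksum bytes, and that the line really carries 2*count hex digits after it. The function srec_data_len_unchecked shows how a count below the minimum wraps when the address and checksum sizes are subtracted in unsigned arithmetic, which is one way a loop can be driven past a buffer sized from that count; whether this is the exact defect in 7.8's srec.c is not established by the report, so treat it as an assumption about the bug class. The sample records, error codes and struct layout are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not BFD's srec.c. Error codes are this example's own. */
enum {
    SREC_OK         =  0,
    SREC_ERR_SYNTAX = -1,  /* not 'S'+digit, or a non-hex character */
    SREC_ERR_TYPE   = -2,  /* record type not handled here */
    SREC_ERR_COUNT  = -3,  /* byte count smaller than address + checksum */
    SREC_ERR_TRUNC  = -4,  /* line shorter than the byte count promises */
    SREC_ERR_CSUM   = -5   /* checksum mismatch */
};

#define SREC_MAX_DATA 255  /* count is one byte, so data never exceeds this */

struct srec {
    int      type;
    uint32_t address;
    size_t   addr_len;
    size_t   data_len;
    uint8_t  data[SREC_MAX_DATA];
};

/* Constructed sample lines (assumptions, not from the bug's attachment).
   The first is a well-formed S1 record: count 0x13, address 0x7AF0, 16 data bytes. */
#define SREC_SAMPLE_OK          "S1137AF0" "0A0A0D" "0000000000" "0000000000" "000000" "61"
#define SREC_SAMPLE_SHORT_COUNT "S1010000"      /* count 1: cannot hold address + checksum */
#define SREC_SAMPLE_TRUNC       "S1137AF00A"    /* count 0x13 but only a few bytes follow */
#define SREC_SAMPLE_BAD_CSUM    "S1137AF0" "0A0A0D" "0000000000" "0000000000" "000000" "60"

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static int hex_byte(const char *p) {
    int hi = hex_nibble(p[0]), lo = hex_nibble(p[1]);
    return (hi < 0 || lo < 0) ? -1 : ((hi << 4) | lo);
}

/* Address width in bytes per record type; 0 means not handled. */
static size_t srec_addr_len(int type) {
    switch (type) {
    case 0: case 1: case 5: case 9: return 2;
    case 2: case 6: case 8:         return 3;
    case 3: case 7:                 return 4;
    default:                        return 0;
    }
}

/* The unchecked arithmetic: count - address bytes - checksum byte in size_t.
   For a count below the minimum this wraps to a huge value, and a loop driven
   by it reads far beyond a buffer that was sized from 'count'. */
size_t srec_data_len_unchecked(int type, size_t count) {
    return count - srec_addr_len(type) - 1;
}

int srec_parse(const char *line, struct srec *out) {
    size_t len = strlen(line);
    while (len && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len < 4 || line[0] != 'S') return SREC_ERR_SYNTAX;
    int type = hex_nibble(line[1]);
    if (type < 0 || type > 9) return SREC_ERR_SYNTAX;
    size_t alen = srec_addr_len(type);
    if (alen == 0) return SREC_ERR_TYPE;
    int count = hex_byte(line + 2);
    if (count < 0) return SREC_ERR_SYNTAX;
    /* Check 1: the count must cover the address field and the checksum byte. */
    if ((size_t)count < alen + 1) return SREC_ERR_COUNT;
    /* Check 2: the line must actually carry 2*count hex digits after the count. */
    if (len < 4 + (size_t)count * 2) return SREC_ERR_TRUNC;

    const char *p = line + 4;
    uint8_t sum = (uint8_t)count;          /* checksum covers count, address, data */
    uint32_t addr = 0;
    for (size_t i = 0; i < alen; i++, p += 2) {
        int b = hex_byte(p);
        if (b < 0) return SREC_ERR_SYNTAX;
        addr = (addr << 8) | (uint32_t)b;
        sum += (uint8_t)b;
    }
    size_t dlen = (size_t)count - alen - 1;  /* cannot wrap: check 1 above */
    for (size_t i = 0; i < dlen; i++, p += 2) {
        int b = hex_byte(p);
        if (b < 0) return SREC_ERR_SYNTAX;
        out->data[i] = (uint8_t)b;
        sum += (uint8_t)b;
    }
    int csum = hex_byte(p);
    if (csum < 0) return SREC_ERR_SYNTAX;
    if ((uint8_t)~sum != (uint8_t)csum) return SREC_ERR_CSUM;  /* one's complement of LSB */
    out->type = type; out->address = addr; out->addr_len = alen; out->data_len = dlen;
    return SREC_OK;
}

int main(void) {
    struct srec r;
    const char *samples[] = { SREC_SAMPLE_OK, SREC_SAMPLE_SHORT_COUNT,
                              SREC_SAMPLE_TRUNC, SREC_SAMPLE_BAD_CSUM };
    for (size_t i = 0; i < 4; i++) {
        int rc = srec_parse(samples[i], &r);
        printf("%-44s rc=%d", samples[i], rc);
        if (rc == SREC_OK) printf(" addr=0x%04X data_len=%zu", r.address, r.data_len);
        printf("\n");
    }
    printf("unchecked data length for S1 with count 1: %zu\n", srec_data_len_unchecked(1, 1));
    return 0;
}
```

The order of the two checks matters: the minimum-count check must run before any subtraction that uses the count, and the length check must run before any read indexed by it. Both apply equally to a parser that reads the whole file into a buffer and to one that reads record by record from a stream, since in both cases the attacker controls the count byte.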

