public inbox for gdb-prs@sourceware.org
* [Bug gdb/27003] New: AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
@ 2020-12-02 22:37 vries at gcc dot gnu.org
From: vries at gcc dot gnu.org @ 2020-12-02 22:37 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
Bug ID: 27003
Summary: AddressSanitizer: heap-buffer-overflow in
completion_tracker::build_completion_result
Product: gdb
Version: HEAD
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: vries at gcc dot gnu.org
Target Milestone: ---
With target board unix/-m32:
...
(gdb) p /d=================================================================
==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200025c02f
at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
READ of size 1 at 0x60200025c02f thread T0
#0 0xcd9d63 in completion_tracker::build_completion_result(char const*,
int, int) /home/vries/gdb_versions/devel/src/gdb/completer.c:2258
#1 0xcda54d in gdb_rl_attempted_completion_function_throw
/home/vries/gdb_versions/devel/src/gdb/completer.c:2418
#2 0xcda732 in gdb_rl_attempted_completion_function(char const*, int, int)
/home/vries/gdb_versions/devel/src/gdb/completer.c:2447
#3 0x1901ef6 in gen_completion_matches
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:1209
#4 0x1906039 in rl_complete_internal
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:2013
#5 0x18ff2fd in rl_complete
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:438
#6 0x18eb276 in _rl_dispatch_subseq
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:852
#7 0x18eae4a in _rl_dispatch
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:798
#8 0x18ea687 in readline_internal_char
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:632
#9 0x1936ed4 in rl_callback_read_char
/home/vries/gdb_versions/devel/src/readline/readline/callback.c:262
#10 0xf1ae79 in gdb_rl_callback_read_char_wrapper_noexcept
/home/vries/gdb_versions/devel/src/gdb/event-top.c:177
#11 0xf1b068 in gdb_rl_callback_read_char_wrapper
/home/vries/gdb_versions/devel/src/gdb/event-top.c:194
#12 0xf1c250 in stdin_event_handler(int, void*)
/home/vries/gdb_versions/devel/src/gdb/event-top.c:516
#13 0x1f85cec in handle_file_event
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:575
#14 0x1f864bd in gdb_wait_for_event
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:701
#15 0x1f8456e in gdb_do_one_event()
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:237
#16 0x11d4e94 in start_event_loop
/home/vries/gdb_versions/devel/src/gdb/main.c:347
#17 0x11d5188 in captured_command_loop
/home/vries/gdb_versions/devel/src/gdb/main.c:407
#18 0x11d8a84 in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1234
#19 0x11d8b14 in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1249
#20 0x997e64 in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
#21 0x7f76ff971349 in __libc_start_main ../csu/libc-start.c:308
#22 0x997c79 in _start
(/home/vries/gdb_versions/devel/build/gdb/gdb+0x997c79)
0x60200025c02f is located 1 bytes to the left of 1-byte region
[0x60200025c030,0x60200025c031)
allocated by thread T0 here:
#0 0x7f7702a39eaf in __interceptor_malloc (/usr/lib64/libasan.so.6+0xb0eaf)
#1 0xa411bd in xmalloc /home/vries/gdb_versions/devel/src/gdb/alloc.c:60
#2 0x1fd77e4 in reconcat
/home/vries/gdb_versions/devel/src/libiberty/concat.c:184
#3 0xcd9c6d in completion_tracker::build_completion_result(char const*,
int, int) /home/vries/gdb_versions/devel/src/gdb/completer.c:2249
#4 0xcda54d in gdb_rl_attempted_completion_function_throw
/home/vries/gdb_versions/devel/src/gdb/completer.c:2418
#5 0xcda732 in gdb_rl_attempted_completion_function(char const*, int, int)
/home/vries/gdb_versions/devel/src/gdb/completer.c:2447
#6 0x1901ef6 in gen_completion_matches
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:1209
#7 0x1906039 in rl_complete_internal
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:2013
#8 0x18ff2fd in rl_complete
/home/vries/gdb_versions/devel/src/readline/readline/complete.c:438
#9 0x18eb276 in _rl_dispatch_subseq
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:852
#10 0x18eae4a in _rl_dispatch
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:798
#11 0x18ea687 in readline_internal_char
/home/vries/gdb_versions/devel/src/readline/readline/readline.c:632
#12 0x1936ed4 in rl_callback_read_char
/home/vries/gdb_versions/devel/src/readline/readline/callback.c:262
#13 0xf1ae79 in gdb_rl_callback_read_char_wrapper_noexcept
/home/vries/gdb_versions/devel/src/gdb/event-top.c:177
#14 0xf1b068 in gdb_rl_callback_read_char_wrapper
/home/vries/gdb_versions/devel/src/gdb/event-top.c:194
#15 0xf1c250 in stdin_event_handler(int, void*)
/home/vries/gdb_versions/devel/src/gdb/event-top.c:516
#16 0x1f85cec in handle_file_event
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:575
#17 0x1f864bd in gdb_wait_for_event
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:701
#18 0x1f8456e in gdb_do_one_event()
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:237
#19 0x11d4e94 in start_event_loop
/home/vries/gdb_versions/devel/src/gdb/main.c:347
#20 0x11d5188 in captured_command_loop
/home/vries/gdb_versions/devel/src/gdb/main.c:407
#21 0x11d8a84 in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1234
#22 0x11d8b14 in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1249
#23 0x997e64 in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
#24 0x7f76ff971349 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/vries/gdb_versions/devel/src/gdb/completer.c:2258 in
completion_tracker::build_completion_result(char const*, int, int)
Shadow bytes around the buggy address:
0x0c04800437b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c04800437c0: fa fa 00 04 fa fa 00 05 fa fa 00 05 fa fa fd fa
0x0c04800437d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 07 fa
0x0c04800437e0: fa fa 07 fa fa fa 00 fa fa fa 05 fa fa fa 01 fa
0x0c04800437f0: fa fa 01 fa fa fa 00 00 fa fa 01 fa fa fa 01 fa
=>0x0c0480043800: fa fa fd fa fa[fa]01 fa fa fa fa fa fa fa fa fa
0x0c0480043810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480043820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480043830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480043840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480043850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==5743==ABORTING
...
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: vries at gcc dot gnu.org @ 2020-12-02 22:37 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 13023
--> https://sourceware.org/bugzilla/attachment.cgi?id=13023&action=edit
gdb.log
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: vries at gcc dot gnu.org @ 2020-12-02 22:40 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
Tom de Vries <vries at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |palves at redhat dot com
--- Comment #2 from Tom de Vries <vries at gcc dot gnu.org> ---
Looks like it's the -1 here:
...
bool completion_suppress_append
= (suppress_append_ws ()
|| match_list[0][strlen (match_list[0]) - 1] == ' ');
...
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: vries at gcc dot gnu.org @ 2020-12-04 14:10 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
Tentative patch:
...
diff --git a/gdb/completer.c b/gdb/completer.c
index 262c8556bf..83b46a0e4d 100644
--- a/gdb/completer.c
+++ b/gdb/completer.c
@@ -2253,9 +2253,11 @@
/* If the tracker wants to, or we already have a space at the
end of the match, tell readline to skip appending
another. */
+ char *match = match_list[0];
bool completion_suppress_append
= (suppress_append_ws ()
- || match_list[0][strlen (match_list[0]) - 1] == ' ');
+ || (match[0] != '\0'
+ && match[strlen (match) - 1] == ' '));
return completion_result (match_list, 1, completion_suppress_append);
}
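Review bot: the `match[0] != '\0'` guard closes the empty-match read, but the hunk touches only completer.c and adds no regression test for an empty first match (the reproducer from the report, `p /d` followed by TAB); without a sanitizer build the one-byte read before the allocation is silent, so a case in gdb.base/completion.exp is what would keep this from coming back. Minor style point on the same hunk: `match` is only read, so `const char *match = match_list[0];` states that intent.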
...
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: vries at gcc dot gnu.org @ 2020-12-04 17:40 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
patch submitted:
https://sourceware.org/pipermail/gdb-patches/2020-December/173780.html
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: cvs-commit at gcc dot gnu.org @ 2020-12-04 21:35 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom de Vries <vries@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac
commit aafdfb4eddc3c58be24fe50a1e6543a4b9c8cbac
Author: Tom de Vries <tdevries@suse.de>
Date: Fri Dec 4 22:35:07 2020 +0100
[gdb] Fix heap-buffer-overflow in
completion_tracker::build_completion_result
When building gdb with address sanitizer and running test-case
gdb.base/completion.exp, we run into:
...
==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \
0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
READ of size 1 at 0x60200025c02f thread T0
#0 0xcd9d63 in completion_tracker::build_completion_result(char const*,
\
int, int) gdb/completer.c:2258
...
0x60200025c02f is located 1 bytes to the left of 1-byte region \
[0x60200025c030,0x60200025c031)
...
This can be reproduced using just:
...
$ gdb
(gdb) p/d[TAB]
...
The problem is in this code in completion_tracker::build_completion_result:
...
bool completion_suppress_append
= (suppress_append_ws ()
|| match_list[0][strlen (match_list[0]) - 1] == ' ');
...
If strlen (match_list[0]) == 0, then we access match_list[0][-1].
Fix this by testing if the memory access is in bounds before doing the memory access.
Tested on x86_64-linux.
gdb/ChangeLog:
2020-12-04 Tom de Vries <tdevries@suse.de>
PR gdb/27003
* completer.c (completion_tracker::build_completion_result): Don't
access match_list[0][-1].
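The off-by-one that comment #2 points at and the commit message spells out (`match_list[0][strlen (match_list[0]) - 1]` evaluated on an empty first match) reduced to a stand-alone C program. This is an added example, not gdb's code: the function names (`ends_with_space_unchecked`, `ends_with_space`, `suppress_append_ws`, `unchecked_reads_preceding_byte`) are hypothetical, and the sentinel buffer stands in for the byte that sits one before the heap allocation in the ASan report, so the out-of-bounds read can be shown without touching memory outside an array.

```c
/* Added example, not gdb's code.  Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Mirrors the original expression.  For an empty string strlen() is 0,
   so the index is (size_t)0 - 1 == SIZE_MAX, which pointer arithmetic
   turns into "one byte before s": the heap-buffer-overflow READ of
   size 1 that ASan reported at completer.c:2258. */
int ends_with_space_unchecked(const char *s)
{
    return s[strlen(s) - 1] == ' ';
}

/* Hardened form (what the committed fix does): reject the empty string
   before indexing, so strlen(s) - 1 is only computed when strlen(s) >= 1. */
int ends_with_space(const char *s)
{
    return s[0] != '\0' && s[strlen(s) - 1] == ' ';
}

/* gdb's decision, reduced: skip the trailing space readline would append
   if the tracker asked for that, or if the match already ends in one. */
int suppress_append_ws(int tracker_suppresses, const char *match)
{
    return tracker_suppresses || ends_with_space(match);
}

/* Shows the consequence of the unchecked read without undefined
   behaviour: the empty string lives at buf[1] and buf[0] is a sentinel
   standing in for whatever byte precedes the allocation (ASan's redzone,
   malloc metadata, or another object).  The unchecked check reads that
   byte, so its answer depends on memory that is not part of the match. */
int unchecked_reads_preceding_byte(char sentinel)
{
    char buf[2];
    buf[0] = sentinel;
    buf[1] = '\0';
    return ends_with_space_unchecked(buf + 1);
}

int main(void)
{
    printf("unchecked, byte before empty match is ' ': %d\n",
           unchecked_reads_preceding_byte(' '));
    printf("unchecked, byte before empty match is 'X': %d\n",
           unchecked_reads_preceding_byte('X'));
    printf("checked, empty match: %d\n", ends_with_space(""));
    printf("checked, \"p/d \": %d\n", ends_with_space("p/d "));
    return 0;
}
```

The unchecked variant returns a different answer for the same (empty) input depending on the neighbouring byte, which is why the bug only surfaces under AddressSanitizer: without a redzone the read succeeds silently and at worst flips the suppress-append decision.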
* [Bug gdb/27003] AddressSanitizer: heap-buffer-overflow in completion_tracker::build_completion_result
From: vries at gcc dot gnu.org @ 2020-12-04 21:36 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27003
Tom de Vries <vries at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Target Milestone|--- |11.1
Resolution|--- |FIXED
--- Comment #6 from Tom de Vries <vries at gcc dot gnu.org> ---
Patch with fix committed, marking resolved-fixed.