public inbox for gdb-prs@sourceware.org
* [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path
@ 2021-05-03 21:24 vries at gcc dot gnu.org
2021-05-03 21:53 ` [Bug gdb/27816] " vries at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: vries at gcc dot gnu.org @ 2021-05-03 21:24 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27816
Bug ID: 27816
Summary: AddressSanitizer: heap-buffer-overflow in add_path
Product: gdb
Version: HEAD
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: vries at gcc dot gnu.org
Target Milestone: ---
Built gdb with address sanitizer and ran into trouble in
gdb.base/source-dir.exp.
Reproduce:
...
$ gdb -q -batch -ex "set directories :/foo:/bar"
=================================================================
==31969==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000241cf at pc 0x00000185cf37 bp 0x7ffff5a52fc0 sp 0x7ffff5a52fb8
READ of size 1 at 0x6020000241cf thread T0
#0 0x185cf36 in add_path(char const*, char**, int)
/home/vries/gdb_versions/devel/src/gdb/source.c:540
#1 0x185c987 in mod_path(char const*, char**)
/home/vries/gdb_versions/devel/src/gdb/source.c:492
#2 0x185be6f in set_directories_command
/home/vries/gdb_versions/devel/src/gdb/source.c:376
#3 0xdedc39 in do_sfunc
/home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
#4 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*)
/home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
#5 0x19d2d47 in execute_command(char const*, int)
/home/vries/gdb_versions/devel/src/gdb/top.c:662
#6 0x1400b31 in catch_command_errors
/home/vries/gdb_versions/devel/src/gdb/main.c:523
#7 0x1401129 in execute_cmdargs
/home/vries/gdb_versions/devel/src/gdb/main.c:618
#8 0x1404222 in captured_main_1
/home/vries/gdb_versions/devel/src/gdb/main.c:1322
#9 0x14047aa in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1343
#10 0x140483f in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1368
#11 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
#12 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)
#13 0xa9d7b9 in _start
(/home/vries/gdb_versions/devel/build/gdb/gdb+0xa9d7b9)
0x6020000241cf is located 1 bytes to the left of 1-byte region
[0x6020000241d0,0x6020000241d1)
allocated by thread T0 here:
#0 0x7f5fac6da500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
#1 0xb9d0a5 in xmalloc /home/vries/gdb_versions/devel/src/gdb/alloc.c:60
#2 0x22520f4 in delim_string_to_char_ptr_vec_append
/home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:47
#3 0x22522a2 in
dirnames_to_char_ptr_vec_append(std::vector<std::unique_ptr<char,
gdb::xfree_deleter<char> >, std::allocator<std::unique_ptr<char,
gdb::xfree_deleter<char> > > >*, char const*)
/home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:75
#4 0x185cc1d in add_path(char const*, char**, int)
/home/vries/gdb_versions/devel/src/gdb/source.c:518
#5 0x185c987 in mod_path(char const*, char**)
/home/vries/gdb_versions/devel/src/gdb/source.c:492
#6 0x185be6f in set_directories_command
/home/vries/gdb_versions/devel/src/gdb/source.c:376
#7 0xdedc39 in do_sfunc
/home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
#8 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*)
/home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
#9 0x19d2d47 in execute_command(char const*, int)
/home/vries/gdb_versions/devel/src/gdb/top.c:662
#10 0x1400b31 in catch_command_errors
/home/vries/gdb_versions/devel/src/gdb/main.c:523
#11 0x1401129 in execute_cmdargs
/home/vries/gdb_versions/devel/src/gdb/main.c:618
#12 0x1404222 in captured_main_1
/home/vries/gdb_versions/devel/src/gdb/main.c:1322
#13 0x14047aa in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1343
#14 0x140483f in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1368
#15 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
#16 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/vries/gdb_versions/devel/src/gdb/source.c:540 in add_path(char const*,
char**, int)
Shadow bytes around the buggy address:
0x0c047fffc7e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fffc7f0: fa fa fd fa fa fa fd fd fa fa 00 07 fa fa fd fa
0x0c047fffc800: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffc810: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fffc820: fa fa 00 03 fa fa fd fa fa fa fd fa fa fa 00 03
=>0x0c047fffc830: fa fa fd fd fa fa fd fd fa[fa]01 fa fa fa fd fa
0x0c047fffc840: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa fa fa
0x0c047fffc850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31969==ABORTING
...
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
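The fault in the report above, as an added example that is not gdb's own code: a stand-alone C model of the trailing-separator strip that add_path applies to each element of a ':'-separated directory list, run once as the report's stack trace describes it and once with a `p > name` guard in front of the `p[-1]` read, on the elements that `:/foo:/bar` splits into. The function names, the one-character IS_DIR_SEPARATOR and the sentinel-byte harness are assumptions made for this demo; the sentinel stands in for whatever byte precedes a real heap chunk, so the out-of-bounds access stays inside our own array and can be observed without a sanitizer.

```c
/* Added example (not gdb's code): the trailing-separator strip that
   gdb's add_path performs on each element of a ':'-separated directory
   list, reproduced on a stack buffer so the out-of-bounds access in the
   ASan report can be observed without a sanitizer.  The function names,
   the simplified IS_DIR_SEPARATOR and the sentinel-byte harness are
   assumptions made for this demo. */
#include <stdio.h>
#include <string.h>

#define IS_DIR_SEPARATOR(c) ((c) == '/')

/* Original logic.  For NAME == "" we get p == name, the first clause does
   not short-circuit (*name is not a separator), and p[-1] is read one byte
   BEFORE the buffer.  If that byte happens to be '/', --p moves before the
   buffer too and *p = '\0' turns the read into a one-byte write. */
static void
strip_trailing_sep_unguarded (char *name)
{
  char *p = name + strlen (name);
  if (!(IS_DIR_SEPARATOR (*name) && p <= name + 1)   /* "/" stays "/" */
      && IS_DIR_SEPARATOR (p[-1]))
    --p;                                              /* "foo/" => "foo" */
  *p = '\0';
}

/* Same logic with the guard: p > name is evaluated before p[-1], so the
   empty element never touches memory outside NAME. */
static void
strip_trailing_sep_guarded (char *name)
{
  char *p = name + strlen (name);
  if (!(IS_DIR_SEPARATOR (*name) && p <= name + 1)
      && p > name && IS_DIR_SEPARATOR (p[-1]))
    --p;
  *p = '\0';
}

/* Copies ELEM right behind a SENTINEL byte that stands in for whatever
   sits before a real heap chunk (here it is inside our own array, so the
   access stays defined and observable).  Returns the sentinel afterwards:
   anything other than SENTINEL means FN wrote before its buffer. */
static char
run_with_sentinel (void (*fn) (char *), const char *elem, char sentinel)
{
  char buf[64];
  if (strlen (elem) >= sizeof buf - 1)
    return sentinel;   /* demo inputs are short; refuse anything else */
  buf[0] = sentinel;
  strcpy (buf + 1, elem);
  fn (buf + 1);
  return buf[0];
}

/* Applies FN to a copy of ELEM and returns 1 if the result equals EXPECT. */
static int
strips_to (void (*fn) (char *), const char *elem, const char *expect)
{
  char buf[64];
  if (strlen (elem) >= sizeof buf)
    return 0;
  strcpy (buf, elem);
  fn (buf);
  return strcmp (buf, expect) == 0;
}

/* Length of the N-th ':'-separated element of LIST, or -1 if there is no
   such element.  Shows where the empty element in ":/foo:/bar" comes
   from: a leading (or doubled) ':' yields "" as a directory name. */
static int
nth_dir_len (const char *list, int n)
{
  const char *start = list;
  for (;;)
    {
      const char *end = strchr (start, ':');
      int len = end ? (int) (end - start) : (int) strlen (start);
      if (n == 0)
        return len;
      if (!end)
        return -1;
      start = end + 1;
      n--;
    }
}

int
main (void)
{
  const char *list = ":/foo:/bar";   /* constructed input, from the report's reproducer */
  printf ("first element of \"%s\" has length %d\n", list, nth_dir_len (list, 0));
  printf ("unguarded, \"\" with '/' before it: sentinel is now 0x%02x\n",
          (unsigned char) run_with_sentinel (strip_trailing_sep_unguarded, "", '/'));
  printf ("guarded,   \"\" with '/' before it: sentinel is now 0x%02x\n",
          (unsigned char) run_with_sentinel (strip_trailing_sep_guarded, "", '/'));
  return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The point worth taking away is that the unguarded path is not only a read: when the byte before the allocation happens to be '/', the `--p; *p = '\0'` that follows writes a NUL one byte before the chunk, which on a real heap is the neighbouring allocation or allocator metadata. The guarded version leaves the sentinel untouched and still strips "/foo/" to "/foo" while keeping "/" intact.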
* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
2021-05-03 21:24 [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path vries at gcc dot gnu.org
@ 2021-05-03 21:53 ` vries at gcc dot gnu.org
2021-05-04 14:09 ` tromey at sourceware dot org
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: vries at gcc dot gnu.org @ 2021-05-03 21:53 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27816
--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
Tentative patch:
...
diff --git a/gdb/source.c b/gdb/source.c
index 6fc27ae72f7..d13469e27d5 100644
--- a/gdb/source.c
+++ b/gdb/source.c
@@ -537,7 +537,7 @@ add_path (const char *dirname, char **which_path, int
parse_separa
tors)
/* On MS-DOS and MS-Windows, h:\ is different from h: */
&& !(p == name + 3 && name[1] == ':') /* "d:/" */
#endif
- && IS_DIR_SEPARATOR (p[-1]))
+ && p > name && IS_DIR_SEPARATOR (p[-1]))
/* Sigh. "foo/" => "foo" */
--p;
*p = '\0';
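Review bot: the new `p > name` must stay to the left of `IS_DIR_SEPARATOR (p[-1])` in the `&&` chain, because only the short-circuit keeps `p[-1]` from being read when `name` is the empty element that a leading or doubled ':' produces (the 1-byte region in the ASan report, with the read landing 1 byte to its left); since the following `--p; *p = '\0';` would also write before the buffer whenever that out-of-bounds byte happens to be a separator, the guard deserves a one-line comment saying it protects the empty-name case, and a regression test in gdb.base/source-dir.exp using the reporter's `set directories :/foo:/bar` would keep it from being reordered away. The `#ifdef`'d DOS clause is already safe in the same manner, as `name[1]` is only read once `p == name + 3` holds.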
...
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
2021-05-03 21:24 [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path vries at gcc dot gnu.org
2021-05-03 21:53 ` [Bug gdb/27816] " vries at gcc dot gnu.org
@ 2021-05-04 14:09 ` tromey at sourceware dot org
2021-05-04 14:15 ` vries at gcc dot gnu.org
2021-05-21 1:07 ` vries at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: tromey at sourceware dot org @ 2021-05-04 14:09 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27816
Tom Tromey <tromey at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |tromey at sourceware dot org
CC| |tromey at sourceware dot org
--- Comment #2 from Tom Tromey <tromey at sourceware dot org> ---
https://sourceware.org/pipermail/gdb-patches/2021-May/178447.html
Weird coincidence that we both looked at this on the same day.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
2021-05-03 21:24 [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path vries at gcc dot gnu.org
2021-05-03 21:53 ` [Bug gdb/27816] " vries at gcc dot gnu.org
2021-05-04 14:09 ` tromey at sourceware dot org
@ 2021-05-04 14:15 ` vries at gcc dot gnu.org
2021-05-21 1:07 ` vries at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: vries at gcc dot gnu.org @ 2021-05-04 14:15 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27816
--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom Tromey from comment #2)
> https://sourceware.org/pipermail/gdb-patches/2021-May/178447.html
>
> Weird coincidence that we both looked at this on the same day.
Yeah. Anyway, you got the same fix, so that's good :)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
2021-05-03 21:24 [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path vries at gcc dot gnu.org
` (2 preceding siblings ...)
2021-05-04 14:15 ` vries at gcc dot gnu.org
@ 2021-05-21 1:07 ` vries at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: vries at gcc dot gnu.org @ 2021-05-21 1:07 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=27816
Tom de Vries <vries at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
Target Milestone|--- |11.1
--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=baea2f9d52d606f6b58a736420017c98351f5b5c
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-05-21 1:07 UTC | newest]
2021-05-03 21:24 [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path vries at gcc dot gnu.org
2021-05-03 21:53 ` [Bug gdb/27816] " vries at gcc dot gnu.org
2021-05-04 14:09 ` tromey at sourceware dot org
2021-05-04 14:15 ` vries at gcc dot gnu.org
2021-05-21 1:07 ` vries at gcc dot gnu.org