public inbox for gdb-prs@sourceware.org
* [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path
From: vries at gcc dot gnu.org @ 2021-05-03 21:24 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

            Bug ID: 27816
           Summary: AddressSanitizer: heap-buffer-overflow in add_path
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

Built gdb with address sanitizer, and ran into trouble in
gdb.base/source-dir.exp.

Reproduce:
...
$ gdb -q -batch -ex "set directories :/foo:/bar"
=================================================================
==31969==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000241cf at pc 0x00000185cf37 bp 0x7ffff5a52fc0 sp 0x7ffff5a52fb8
READ of size 1 at 0x6020000241cf thread T0
    #0 0x185cf36 in add_path(char const*, char**, int)
/home/vries/gdb_versions/devel/src/gdb/source.c:540
    #1 0x185c987 in mod_path(char const*, char**)
/home/vries/gdb_versions/devel/src/gdb/source.c:492
    #2 0x185be6f in set_directories_command
/home/vries/gdb_versions/devel/src/gdb/source.c:376
    #3 0xdedc39 in do_sfunc
/home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
    #4 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*)
/home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
    #5 0x19d2d47 in execute_command(char const*, int)
/home/vries/gdb_versions/devel/src/gdb/top.c:662
    #6 0x1400b31 in catch_command_errors
/home/vries/gdb_versions/devel/src/gdb/main.c:523
    #7 0x1401129 in execute_cmdargs
/home/vries/gdb_versions/devel/src/gdb/main.c:618
    #8 0x1404222 in captured_main_1
/home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #9 0x14047aa in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #10 0x140483f in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #11 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #12 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #13 0xa9d7b9 in _start
(/home/vries/gdb_versions/devel/build/gdb/gdb+0xa9d7b9)

0x6020000241cf is located 1 bytes to the left of 1-byte region
[0x6020000241d0,0x6020000241d1)
allocated by thread T0 here:
    #0 0x7f5fac6da500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0xb9d0a5 in xmalloc /home/vries/gdb_versions/devel/src/gdb/alloc.c:60
    #2 0x22520f4 in delim_string_to_char_ptr_vec_append
/home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:47
    #3 0x22522a2 in
dirnames_to_char_ptr_vec_append(std::vector<std::unique_ptr<char,
gdb::xfree_deleter<char> >, std::allocator<std::unique_ptr<char,
gdb::xfree_deleter<char> > > >*, char const*)
/home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:75
    #4 0x185cc1d in add_path(char const*, char**, int)
/home/vries/gdb_versions/devel/src/gdb/source.c:518
    #5 0x185c987 in mod_path(char const*, char**)
/home/vries/gdb_versions/devel/src/gdb/source.c:492
    #6 0x185be6f in set_directories_command
/home/vries/gdb_versions/devel/src/gdb/source.c:376
    #7 0xdedc39 in do_sfunc
/home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
    #8 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*)
/home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
    #9 0x19d2d47 in execute_command(char const*, int)
/home/vries/gdb_versions/devel/src/gdb/top.c:662
    #10 0x1400b31 in catch_command_errors
/home/vries/gdb_versions/devel/src/gdb/main.c:523
    #11 0x1401129 in execute_cmdargs
/home/vries/gdb_versions/devel/src/gdb/main.c:618
    #12 0x1404222 in captured_main_1
/home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #13 0x14047aa in captured_main
/home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #14 0x140483f in gdb_main(captured_main_args*)
/home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #15 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #16 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/vries/gdb_versions/devel/src/gdb/source.c:540 in add_path(char const*,
char**, int)
Shadow bytes around the buggy address:
  0x0c047fffc7e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fffc7f0: fa fa fd fa fa fa fd fd fa fa 00 07 fa fa fd fa
  0x0c047fffc800: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffc810: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fffc820: fa fa 00 03 fa fa fd fa fa fa fd fa fa fa 00 03
=>0x0c047fffc830: fa fa fd fd fa fa fd fd fa[fa]01 fa fa fa fd fa
  0x0c047fffc840: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa fa fa
  0x0c047fffc850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31969==ABORTING
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
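The failure in the report above is the classic trailing-separator trim loop reading `p[-1]` when the element it is trimming is empty (the leading `:` in `:/foo:/bar` yields a zero-length element, so `p == name` and `p[-1]` is the byte before the allocation, exactly the "1 bytes to the left of 1-byte region" ASan prints). The following is an added example, not gdb's own code: a minimal `:`-splitter that keeps empty elements like gdb's vector helper does, the unguarded trim loop beside the guarded one, and a driver that runs the guarded form over the reproducer's input. All identifiers (`split_dirlist`, `trim_trailing_seps`, `normalize_dirlist`, the lone-root check) are illustrative assumptions, not gdb identifiers.

```c
/* Added example, not gdb source: the add_path trailing-separator trim
   pattern in unguarded and guarded form.  Names are illustrative.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IS_DIR_SEP(c) ((c) == '/')

/* Unguarded form.  For an empty NAME, p == name, so p[-1] reads the
   byte before the allocation (a heap-buffer-overflow read under ASan).
   Kept for comparison only; never call it on an empty string.  */
static void trim_trailing_seps_unguarded (char *name)
{
  char *p = name + strlen (name);
  while (!(IS_DIR_SEP (*name) && p <= name + 1)   /* keep a lone "/" (assumed) */
         && IS_DIR_SEP (p[-1]))
    --p;
  *p = '\0';
}

/* Guarded form: p > name is tested before p[-1] is dereferenced, so an
   empty element stays "" without touching memory outside the buffer.  */
static void trim_trailing_seps (char *name)
{
  char *p = name + strlen (name);
  while (!(IS_DIR_SEP (*name) && p <= name + 1)   /* keep a lone "/" (assumed) */
         && p > name && IS_DIR_SEP (p[-1]))
    --p;
  *p = '\0';
}

/* Split DIRLIST on ':' into a NULL-terminated array of malloc'd strings.
   Empty elements are kept, so ":/foo" yields "" and "/foo".  */
static char **split_dirlist (const char *dirlist, size_t *count)
{
  size_t n = 1;
  for (const char *s = dirlist; *s; s++)
    if (*s == ':')
      n++;
  char **vec = calloc (n + 1, sizeof *vec);
  if (vec == NULL)
    abort ();
  size_t i = 0;
  const char *start = dirlist;
  for (;;)
    {
      const char *end = strchr (start, ':');
      size_t len = end ? (size_t) (end - start) : strlen (start);
      char *elt = malloc (len + 1);
      if (elt == NULL)
        abort ();
      memcpy (elt, start, len);
      elt[len] = '\0';
      vec[i++] = elt;
      if (end == NULL)
        break;
      start = end + 1;
    }
  *count = i;
  return vec;
}

static void free_vec (char **vec)
{
  for (size_t i = 0; vec[i]; i++)
    free (vec[i]);
  free (vec);
}

/* Trim every element of a "set directories"-style list with the guarded
   loop and return the ':'-joined result as a malloc'd string.  */
static char *normalize_dirlist (const char *dirlist)
{
  size_t n;
  char **vec = split_dirlist (dirlist, &n);
  size_t total = 1;
  for (size_t i = 0; i < n; i++)
    {
      trim_trailing_seps (vec[i]);
      total += strlen (vec[i]) + 1;
    }
  char *out = malloc (total);
  if (out == NULL)
    abort ();
  out[0] = '\0';
  for (size_t i = 0; i < n; i++)
    {
      if (i)
        strcat (out, ":");
      strcat (out, vec[i]);
    }
  free_vec (vec);
  return out;
}

int main (void)
{
  /* Constructed input modelled on the reproducer; the empty first
     element is the case the unguarded loop mishandles.  */
  char *r = normalize_dirlist (":/foo/:/bar//");
  printf ("%s\n", r);
  free (r);
  char ok[] = "/tmp/";                 /* non-empty: both forms agree */
  trim_trailing_seps_unguarded (ok);
  printf ("%s\n", ok);
  return 0;
}
```

Building the block with `-fsanitize=address` and calling the unguarded function on `""` reproduces the report's read of one byte left of the allocation; the guarded form leaves the empty element untouched and still collapses `/foo/` to `/foo` and a run of slashes to the lone root.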


* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
From: vries at gcc dot gnu.org @ 2021-05-03 21:53 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
Tentative patch:
...
diff --git a/gdb/source.c b/gdb/source.c
index 6fc27ae72f7..d13469e27d5 100644
--- a/gdb/source.c
+++ b/gdb/source.c
@@ -537,7 +537,7 @@ add_path (const char *dirname, char **which_path, int
parse_separa
tors)
       /* On MS-DOS and MS-Windows, h:\ is different from h: */
             && !(p == name + 3 && name[1] == ':')              /* "d:/" */
 #endif
-            && IS_DIR_SEPARATOR (p[-1]))
+            && p > name && IS_DIR_SEPARATOR (p[-1]))
        /* Sigh.  "foo/" => "foo" */
        --p;
       *p = '\0';
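Review bot: the new `p > name &&` on the last `&&` line is the right guard for the empty element that `:/foo:/bar` produces (with `p == name`, `p[-1]` is the byte before the 1-byte allocation ASan reports), but it carries no comment and the patch carries no test. The existing `/* Sigh. "foo/" => "foo" */` comment does not explain why `p > name` is there; a one-line note on the empty-element case would save the next reader from removing it as redundant. Placing the guard after the `#ifdef` MS-DOS condition is safe for the visible lines, since `p == name + 3 && name[1] == ':'` short-circuits on `p == name + 3` before `name[1]` is read, so no reordering is needed. Suggest pairing the change with a regression test in gdb.base/source-dir.exp that runs `set directories :/foo:/bar` as in the report, so the overflow is caught by an ASan build of the testsuite rather than by chance.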
...


* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
From: tromey at sourceware dot org @ 2021-05-04 14:09 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

Tom Tromey <tromey at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |tromey at sourceware dot org
                 CC|                            |tromey at sourceware dot org

--- Comment #2 from Tom Tromey <tromey at sourceware dot org> ---
https://sourceware.org/pipermail/gdb-patches/2021-May/178447.html

Weird coincidence that we both looked at this on the same day.


* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
From: vries at gcc dot gnu.org @ 2021-05-04 14:15 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom Tromey from comment #2)
> https://sourceware.org/pipermail/gdb-patches/2021-May/178447.html
> 
> Weird coincidence that we both looked at this on the same day.

Yeah.  Anyway, you got the same fix, so that's good :)


* [Bug gdb/27816] AddressSanitizer: heap-buffer-overflow in add_path
From: vries at gcc dot gnu.org @ 2021-05-21  1:07 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |11.1

--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=baea2f9d52d606f6b58a736420017c98351f5b5c

