Subject: [Bug gdb/27816] New: AddressSanitizer: heap-buffer-overflow in add_path
From: vries at gcc dot gnu.org
To: gdb-prs@sourceware.org
Date: Mon, 03 May 2021 21:24:13 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27816

            Bug ID: 27816
           Summary: AddressSanitizer: heap-buffer-overflow in add_path
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

Build gdb with address sanitizer, and ran into trouble in gdb.base/source-dir.exp.

Reproduce:
...
$ gdb -q -batch -ex "set directories :/foo:/bar"
=================================================================
==31969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000241cf at pc 0x00000185cf37 bp 0x7ffff5a52fc0 sp 0x7ffff5a52fb8
READ of size 1 at 0x6020000241cf thread T0
    #0 0x185cf36 in add_path(char const*, char**, int) /home/vries/gdb_versions/devel/src/gdb/source.c:540
    #1 0x185c987 in mod_path(char const*, char**) /home/vries/gdb_versions/devel/src/gdb/source.c:492
    #2 0x185be6f in set_directories_command /home/vries/gdb_versions/devel/src/gdb/source.c:376
    #3 0xdedc39 in do_sfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
    #4 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*) /home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
    #5 0x19d2d47 in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:662
    #6 0x1400b31 in catch_command_errors /home/vries/gdb_versions/devel/src/gdb/main.c:523
    #7 0x1401129 in execute_cmdargs /home/vries/gdb_versions/devel/src/gdb/main.c:618
    #8 0x1404222 in captured_main_1 /home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #9 0x14047aa in captured_main /home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #10 0x140483f in gdb_main(captured_main_args*) /home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #11 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #12 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #13 0xa9d7b9 in _start (/home/vries/gdb_versions/devel/build/gdb/gdb+0xa9d7b9)

0x6020000241cf is located 1 bytes to the left of 1-byte region [0x6020000241d0,0x6020000241d1)
allocated by thread T0 here:
    #0 0x7f5fac6da500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
    #1 0xb9d0a5 in xmalloc /home/vries/gdb_versions/devel/src/gdb/alloc.c:60
    #2 0x22520f4 in delim_string_to_char_ptr_vec_append /home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:47
    #3 0x22522a2 in dirnames_to_char_ptr_vec_append(std::vector >, std::allocator > > >*, char const*) /home/vries/gdb_versions/devel/src/gdbsupport/gdb_vecs.cc:75
    #4 0x185cc1d in add_path(char const*, char**, int) /home/vries/gdb_versions/devel/src/gdb/source.c:518
    #5 0x185c987 in mod_path(char const*, char**) /home/vries/gdb_versions/devel/src/gdb/source.c:492
    #6 0x185be6f in set_directories_command /home/vries/gdb_versions/devel/src/gdb/source.c:376
    #7 0xdedc39 in do_sfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:117
    #8 0xe2ad8b in do_set_command(char const*, int, cmd_list_element*) /home/vries/gdb_versions/devel/src/gdb/cli/cli-setshow.c:520
    #9 0x19d2d47 in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:662
    #10 0x1400b31 in catch_command_errors /home/vries/gdb_versions/devel/src/gdb/main.c:523
    #11 0x1401129 in execute_cmdargs /home/vries/gdb_versions/devel/src/gdb/main.c:618
    #12 0x1404222 in captured_main_1 /home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #13 0x14047aa in captured_main /home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #14 0x140483f in gdb_main(captured_main_args*) /home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #15 0xa9d9aa in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #16 0x7f5fa9639349 in __libc_start_main (/lib64/libc.so.6+0x24349)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vries/gdb_versions/devel/src/gdb/source.c:540 in add_path(char const*, char**, int)
==31969==ABORTING
...
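The trace above says the 1-byte read landed one byte before a 1-byte heap region that delim_string_to_char_ptr_vec_append allocated for the empty element produced by the leading ':' in ":/foo:/bar". The following is an added, constructed illustration of that bug class and of the length check that prevents it; it is not gdb's source.c, and the functions split_delim, strip_trailing_slash and count_empty_elements are hypothetical names chosen here.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the report above, not gdb's
 * source.c. ":/foo:/bar" splits into "", "/foo", "/bar"; the leading ':'
 * gives an empty element that is a 1-byte heap region holding only NUL. */

/* Split S on DELIM into malloc'ed copies in OUT; returns the element count. */
size_t split_delim(const char *s, char delim, char **out, size_t max)
{
    size_t n = 0;
    while (n < max) {
        const char *end = strchr(s, delim);
        size_t len = end ? (size_t)(end - s) : strlen(s);
        char *copy = malloc(len + 1);   /* len == 0 -> a 1-byte region */
        if (copy == NULL)
            break;
        memcpy(copy, s, len);
        copy[len] = '\0';
        out[n++] = copy;
        if (end == NULL)
            break;
        s = end + 1;
    }
    return n;
}

/* Trailing-slash strip. The unguarded form `if (p[len - 1] == '/')` is the
 * defect pattern consistent with the trace: on "" len - 1 wraps and the read
 * lands one byte before the allocation. Checking the length first fixes it. */
size_t strip_trailing_slash(const char *p)
{
    size_t len = strlen(p);
    return (len > 0 && p[len - 1] == '/') ? len - 1 : len;
}

/* Split LIST, strip each element, free it; return how many came out empty. */
size_t count_empty_elements(const char *list, char delim)
{
    char *parts[16];
    size_t n = split_delim(list, delim, parts, 16), empties = 0;
    for (size_t i = 0; i < n; i++) {
        empties += strip_trailing_slash(parts[i]) == 0;
        free(parts[i]);
    }
    return empties;
}
```

Compiling this with -fsanitize=address and running it is clean; swapping in the unguarded comparison reproduces the same "1 bytes to the left of 1-byte region" report on the empty element.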