public inbox for gdb-prs@sourceware.org
* [Bug gdb/28114] New: heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-21 7:06 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
Bug ID: 28114
Summary: heap-buffer-overflow with gdb dir command
Product: gdb
Version: 10.1
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: again.liu at gmail dot com
Target Milestone: ---
Hi, I am here to report a bug I found with AFL++, with afl-clang-fast++ 2.68c.
I chose 10.1 as the version, but this bug also exists in 10.2.
The OS information of the Ubuntu build I used:
--
root@ubuntu:~/Desktop$ cat /etc/os-*
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
--
The source was downloaded from the following URLs.
http://ftp.gnu.org/gnu/gdb/gdb-10.1.tar.gz
http://ftp.gnu.org/gnu/gdb/gdb-10.2.tar.gz
Configuration options were:
CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 ./configure
CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -j$(nproc)
To reproduce with 10.2:
root@ubuntu:/tmp/gdb-10.2$ echo "dir:" > /tmp/test && ./gdb/gdb -x /tmp/test
The following is the AddressSanitizer report from running 10.2.
--
==17806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000134cf at pc 0x000000e2901c bp 0x7fffffffced0 sp 0x7fffffffcec8
READ of size 1 at 0x6020000134cf thread T0
#0 0xe2901b in add_path(char const*, char**, int) /tmp/gdb-10.2/gdb/source.c:530:10
#1 0xe2ea3f in mod_path(char const*, char**) /tmp/gdb-10.2/gdb/source.c:482:3
#2 0xe2ea3f in directory_command(char const*, int) /tmp/gdb-10.2/gdb/source.c:461:7
#3 0x6dfacf in cmd_func(cmd_list_element*, char const*, int) /tmp/gdb-10.2/gdb/cli/cli-decode.c:2181:7
#4 0xf9b992 in execute_command(char const*, int) /tmp/gdb-10.2/gdb/top.c:668:2
#5 0x979e72 in command_handler(char const*) /tmp/gdb-10.2/gdb/event-top.c:588:7
#6 0xf98e9e in read_command_file(_IO_FILE*) /tmp/gdb-10.2/gdb/top.c:447:7
#7 0x6fde36 in script_from_file(_IO_FILE*, char const*) /tmp/gdb-10.2/gdb/cli/cli-script.c:1622:7
#8 0x6c6870 in source_script_from_stream(_IO_FILE*, char const*, char const*) /tmp/gdb-10.2/gdb/cli/cli-cmds.c:700:3
#9 0x6c6870 in source_script_with_search(char const*, int, int) /tmp/gdb-10.2/gdb/cli/cli-cmds.c:736:3
#10 0xbc185e in catch_command_errors(void (*)(char const*, int), char const*, int) /tmp/gdb-10.2/gdb/main.c:457:7
#11 0xbc185e in captured_main_1(captured_main_args*) /tmp/gdb-10.2/gdb/main.c:1214:10
#12 0xbbe0f8 in captured_main(void*) /tmp/gdb-10.2/gdb/main.c:1243:3
#13 0xbbe0f8 in gdb_main(captured_main_args*) /tmp/gdb-10.2/gdb/main.c:1268:7
#14 0x4e26e5 in main /tmp/gdb-10.2/gdb/gdb.c:32:10
#15 0x7ffff78cb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#16 0x435f8d in _start (/tmp/gdb-10.2/gdb/gdb+0x435f8d)
0x6020000134cf is located 1 bytes to the left of 1-byte region [0x6020000134d0,0x6020000134d1)
allocated by thread T0 here:
#0 0x4afffd in malloc (/tmp/gdb-10.2/gdb/gdb+0x4afffd)
#1 0x575436 in xmalloc /tmp/gdb-10.2/gdb/alloc.c:60:9
#2 0xe2828b in add_path(char const*, char**, int) /tmp/gdb-10.2/gdb/source.c:508:2
#3 0xe2ea3f in mod_path(char const*, char**) /tmp/gdb-10.2/gdb/source.c:482:3
#4 0xe2ea3f in directory_command(char const*, int) /tmp/gdb-10.2/gdb/source.c:461:7
#5 0x6dfacf in cmd_func(cmd_list_element*, char const*, int) /tmp/gdb-10.2/gdb/cli/cli-decode.c:2181:7
#6 0xf9b992 in execute_command(char const*, int) /tmp/gdb-10.2/gdb/top.c:668:2
#7 0x979e72 in command_handler(char const*) /tmp/gdb-10.2/gdb/event-top.c:588:7
#8 0xf98e9e in read_command_file(_IO_FILE*) /tmp/gdb-10.2/gdb/top.c:447:7
#9 0x6c6870 in source_script_from_stream(_IO_FILE*, char const*, char const*) /tmp/gdb-10.2/gdb/cli/cli-cmds.c:700:3
#10 0x6c6870 in source_script_with_search(char const*, int, int) /tmp/gdb-10.2/gdb/cli/cli-cmds.c:736:3
#11 0xbc185e in catch_command_errors(void (*)(char const*, int), char const*, int) /tmp/gdb-10.2/gdb/main.c:457:7
#12 0xbc185e in captured_main_1(captured_main_args*) /tmp/gdb-10.2/gdb/main.c:1214:10
#13 0xbbe0f8 in captured_main(void*) /tmp/gdb-10.2/gdb/main.c:1243:3
#14 0xbbe0f8 in gdb_main(captured_main_args*) /tmp/gdb-10.2/gdb/main.c:1268:7
#15 0x7ffff78cb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/gdb-10.2/gdb/source.c:530:10 in add_path(char const*, char**, int)
Shadow bytes around the buggy address:
0x0c047fffa640: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa650: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffa660: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffa670: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffa680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
=>0x0c047fffa690: fa fa fd fa fa fa fd fa fa[fa]01 fa fa fa fd fa
0x0c047fffa6a0: fa fa 01 fa fa fa 00 00 fa fa fa fa fa fa fa fa
0x0c047fffa6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==17806==ABORTING
--
--
You are receiving this mail because:
You are on the CC list for the bug.
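The report's own numbers already pin down the bug class: a READ of size 1 at one byte to the left of a 1-byte heap region allocated in add_path is consistent with an unguarded index -1 read on an empty string, and the trigger input `dir:` hands the directory command a colon-separated list whose elements are empty. The C program below is an added illustration of that class, not gdb's source.c: a constructed colon-list splitter with the unguarded trailing-slash check beside its guarded form. The function names, the list syntax and the sample inputs are assumptions made for this example.

```c
/* Added illustration, not gdb's source.c: a colon-separated directory-list
   splitter in the style of a "dir" command, showing the defect class the
   ASan report describes (a 1-byte read at index -1 of a 1-byte heap region,
   i.e. an unguarded buf[len - 1] on an empty element) next to its guarded
   form. Function names and inputs are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 16

struct path_list {
    char *elems[MAX_ELEMS];
    int count;
};

/* Copy [start, end) into a fresh heap buffer. An empty element becomes a
   1-byte region holding only the NUL: the same shape as the report's
   "1-byte region" allocated by xmalloc. */
static char *dup_range(const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        abort();
    memcpy(buf, start, len);
    buf[len] = '\0';
    return buf;
}

/* Defective check: reads buf[len - 1] without first requiring len > 0.
   For "" that is buf[-1], one byte left of the allocation, which ASan
   flags as heap-buffer-overflow. Kept for comparison only; never called. */
int ends_with_slash_unchecked(const char *buf)
{
    size_t len = strlen(buf);
    return buf[len - 1] == '/';   /* out-of-bounds read when len == 0 */
}

/* Guarded check: the bound is tested before the index is used. */
int ends_with_slash(const char *buf)
{
    size_t len = strlen(buf);
    return len > 0 && buf[len - 1] == '/';
}

/* Split "a/:b::"-style input into heap-allocated elements, dropping one
   trailing '/' (but keeping a lone "/") via the guarded check. Empty
   elements are preserved as "" so the caller decides their meaning; the
   input ":" therefore yields two empty elements. Returns the element
   count, or -1 (with everything freed) if MAX_ELEMS is exceeded. */
int split_dir_list(const char *list, struct path_list *out);

void free_path_list(struct path_list *pl)
{
    for (int i = 0; i < pl->count; i++)
        free(pl->elems[i]);
    pl->count = 0;
}

int split_dir_list(const char *list, struct path_list *out)
{
    const char *start = list;
    out->count = 0;
    for (;;) {
        const char *end = strchr(start, ':');
        if (end == NULL)
            end = start + strlen(start);
        if (out->count == MAX_ELEMS) {
            free_path_list(out);
            return -1;
        }
        char *elem = dup_range(start, end);
        if (ends_with_slash(elem) && strlen(elem) > 1)
            elem[strlen(elem) - 1] = '\0';
        out->elems[out->count++] = elem;
        if (*end == '\0')
            break;
        start = end + 1;
    }
    return out->count;
}

/* Query helpers: element count of a list, and whether element i equals
   expect. Both own and release their temporary list. */
int dir_list_count(const char *list)
{
    struct path_list pl;
    int n = split_dir_list(list, &pl);
    free_path_list(&pl);
    return n;
}

int dir_list_elem_is(const char *list, int i, const char *expect)
{
    struct path_list pl;
    int n = split_dir_list(list, &pl);
    int ok = (i >= 0 && i < n) && strcmp(pl.elems[i], expect) == 0;
    free_path_list(&pl);
    return ok;
}

int main(void)
{
    struct path_list pl;
    int n = split_dir_list(":", &pl);   /* the report's trigger input */
    printf("%d elements\n", n);
    for (int i = 0; i < n; i++)
        printf("[%d] \"%s\"\n", i, pl.elems[i]);
    free_path_list(&pl);
    return 0;
}
```

Built with `-fsanitize=address`, calling `ends_with_slash_unchecked("")` reproduces the report's shape (READ of size 1, one byte left of a 1-byte region); the guarded `ends_with_slash` is the one the splitter uses, and the empty elements from `:` survive as `""` rather than being read past their start.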
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-21 7:11 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
again.liu at gmail dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |again.liu at gmail dot com
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-21 8:33 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
--- Comment #1 from again.liu at gmail dot com ---
Also confirmed that the same crash happens in the HEAD of gdb-10-branch.
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: ssbssa at sourceware dot org @ 2021-07-24 13:01 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
Hannes Domani <ssbssa at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ssbssa at sourceware dot org
--- Comment #2 from Hannes Domani <ssbssa at sourceware dot org> ---
I think this was fixed on master with this commit:
https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baea2f9d52d606f6b58a736420017c98351f5b5c
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-25 2:52 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
--- Comment #3 from kurisu <again.liu at gmail dot com> ---
Confirmed that this crash won't happen after the following commit:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bb3a4efe13c0bd9a7b15ecd02ddb966870a03bd0
However, somehow the fix did not go into the 10.2 release.
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-25 4:31 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
--- Comment #4 from kurisu <again.liu at gmail dot com> ---
The bb3a4efe13c0bd9a7b15ecd02ddb966870a03bd0 commit exists in the gdb-11-branch
but not in the gdb-10-branch.
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: simark at simark dot ca @ 2021-07-25 13:29 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
Simon Marchi <simark at simark dot ca> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simark at simark dot ca
--- Comment #5 from Simon Marchi <simark at simark dot ca> ---
This is expected, as there won't be any more GDB 10 releases, so we don't
backport fixes there.
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: again.liu at gmail dot com @ 2021-07-25 20:56 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
--- Comment #6 from kurisu <again.liu at gmail dot com> ---
Understood. I will register a CVE for this just for the record.
Thanks for confirming.
* [Bug gdb/28114] heap-buffer-overflow with gdb dir command
From: tromey at sourceware dot org @ 2021-12-28 21:42 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=28114
Tom Tromey <tromey at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |tromey at sourceware dot org
Target Milestone|--- |11.1
Resolution|--- |FIXED
--- Comment #7 from Tom Tromey <tromey at sourceware dot org> ---
Fixed in 11.