public inbox for gdb-prs@sourceware.org
* [Bug gdb/30323] New: gdb heap buffer overflow
@ 2023-04-07  7:57 mengda2020 at iscas dot ac.cn
  2023-04-07  8:02 ` [Bug gdb/30323] " mengda2020 at iscas dot ac.cn
  0 siblings, 1 reply; 2+ messages in thread
From: mengda2020 at iscas dot ac.cn @ 2023-04-07  7:57 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30323

            Bug ID: 30323
           Summary: gdb heap buffer overflow
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: mengda2020 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 14806
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14806&action=edit
PoC file

I found a heap buffer overflow bug in gdb.
Please confirm.
Thanks!



### Test Environment
Ubuntu 20.04, 64 bit  (version: v13.1 ;master)

### How to trigger
Compile the program with AddressSanitizer
Run command
```
$ ./gdb --readnow --tty=TTY $PoC
```

### Details
ASAN report
```
$ ./gdb --readnow --tty=TTY $PoC
warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception)
preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
warning: Found custom handler for signal 15 (Terminated) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (GDB) 13.0.50.20220805-git
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from
out/default/crashes/id:000154,sig:11,src:001619,time:65783077,execs:1503403,op:havoc,rep:4...
=================================================================
==2013205==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f84a1f31700 at pc 0x000000b135ee bp 0x7ffff3567600 sp 0x7ffff35675f8
READ of size 1 at 0x7f84a1f31700 thread T0
    #0 0xb135ed in pe_as32(void*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:292:10
    #1 0xb11ab6 in read_pe_exported_syms(minimal_symbol_reader&, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:510:32
    #2 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:548:7
    #3 0xb1abd0 in coff_symfile_read(objfile*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:702:3
    #4 0x1bf6a0e in read_symbols(objfile*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:772:3
    #5 0x1c19531 in syms_from_objfile_1(objfile*, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:968:3
    #6 0x1c180fd in syms_from_objfile(objfile*, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:985:3
    #7 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1088:3
    #8 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1168:10
    #9 0x1be7459 in symbol_file_add(char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1181:10
    #10 0x1be873e in symbol_file_add_main_1(char const*,
enum_flags<symfile_add_flag>, enum_flags<objfile_flag>, unsigned long)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1205:29
    #11 0x1be82ea in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1196:3
    #12 0x15c8b73 in symbol_file_add_main_adapter(char const*, int)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:540:3
    #13 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char
const*, int, bool)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:513:7
    #14 0x15c433a in captured_main_1(captured_main_args*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1212:8
    #15 0x15be28d in captured_main(void*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1319:3
    #16 0x15be058 in gdb_main(captured_main_args*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1344:7
    #17 0x4e4f12 in main
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/gdb.c:32:10
    #18 0x7f84d47d1082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x433ebd in _start
(/home/cmd/randomFuzz/binutils/gdb/gdb_r_t_q/gdb+0x433ebd)

0x7f84a1f31700 is located 0 bytes to the right of 200448-byte region
[0x7f84a1f00800,0x7f84a1f31700)
allocated by thread T0 here:
    #0 0x4e242d in operator new(unsigned long)
(/home/cmd/randomFuzz/binutils/gdb/gdb_r_t_q/gdb+0x4e242d)
    #1 0x627d92 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned
long, void const*)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0x627ca1 in std::allocator_traits<gdb::default_init_allocator<unsigned
char, std::allocator<unsigned char> >
>::allocate(gdb::default_init_allocator<unsigned char, std::allocator<unsigned
char> >&, unsigned long)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:314:20
    #3 0x627661 in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_M_allocate(unsigned long)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0x6b7121 in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_M_create_storage(unsigned long)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:361:33
    #5 0x6b6dd9 in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_Vector_base(unsigned long, gdb::default_init_allocator<unsigned char,
std::allocator<unsigned char> > const&)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:305:9
    #6 0xa9ea40 in std::vector<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::vector(unsigned long, gdb::default_init_allocator<unsigned char,
std::allocator<unsigned char> > const&)
/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:511:9
    #7 0xb1106b in read_pe_exported_syms(minimal_symbol_reader&, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:469:34
    #8 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:548:7
    #9 0xb1abd0 in coff_symfile_read(objfile*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:702:3
    #10 0x1bf6a0e in read_symbols(objfile*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:772:3
    #11 0x1c19531 in syms_from_objfile_1(objfile*, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:968:3
    #12 0x1c180fd in syms_from_objfile(objfile*, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:985:3
    #13 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1088:3
    #14 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1168:10
    #15 0x1be7459 in symbol_file_add(char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1181:10
    #16 0x1be873e in symbol_file_add_main_1(char const*,
enum_flags<symfile_add_flag>, enum_flags<objfile_flag>, unsigned long)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1205:29
    #17 0x1be82ea in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1196:3
    #18 0x15c8b73 in symbol_file_add_main_adapter(char const*, int)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:540:3
    #19 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char
const*, int, bool)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:513:7
    #20 0x15c433a in captured_main_1(captured_main_args*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1212:8
    #21 0x15be28d in captured_main(void*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1319:3
    #22 0x15be058 in gdb_main(captured_main_args*)
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1344:7
    #23 0x4e4f12 in main
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/gdb.c:32:10
    #24 0x7f84d47d1082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:292:10
in pe_as32(void*)
Shadow bytes around the buggy address:
  0x0ff1143de290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff1143de2e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2013205==ABORTING
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

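The ASan report above places the bad read in frame #0, pe_as32, with a READ of size 1 landing 0 bytes to the right of a 200448-byte region that read_pe_exported_syms allocated (coff-pe-read.c:469): a byte-wise 32-bit accessor was handed a pointer within the last few bytes of the buffer, and the accessor itself had no way to know where the buffer ended. The following is an added example, not the reporter's code, gdb's code or gdb's fix: it shows that unchecked read shape beside a bounds-checked counterpart whose caller passes the buffer size, and a table walk that trusts a file-supplied entry count only as far as the data actually reaches. The sample section bytes and every function name (unchecked_as32, checked_as32, read_u32_table, the sample_* helpers) are constructed for illustration and are not taken from the attached PoC.

```c
/* Added example, not gdb's code or its fix: a bounds-checked little-endian
   32-bit read beside the unchecked form, and a table walk that trusts a
   file-supplied count only as far as the data it has.  The sample section
   bytes and every name here are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked accessor: assumes four readable bytes at ptr.  When ptr lands
   within the last three bytes of a heap region, the read runs off the end,
   which is the "READ of size 1 ... 0 bytes to the right of" a region that
   the ASan report above describes. */
static uint32_t unchecked_as32(const void *ptr)
{
    const unsigned char *b = ptr;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Checked accessor: the caller supplies the buffer bounds and an offset.
   The read happens only if the whole 4-byte window lies inside [0, size).
   Returns 1 on success, 0 if the read would leave the buffer. */
static int checked_as32(const unsigned char *buf, size_t size, size_t off,
                        uint32_t *out)
{
    if (buf == NULL || out == NULL)
        return 0;
    /* size - off rather than off + 4, so a huge offset cannot wrap around. */
    if (off > size || size - off < 4)
        return 0;
    *out = unchecked_as32(buf + off);
    return 1;
}

/* Read up to declared_count 32-bit entries starting at table_off.  A count
   larger than the data (the usual shape of a malformed export table) stops
   at the last complete entry instead of reading past the buffer.  Returns
   the number of entries actually stored in out. */
static size_t read_u32_table(const unsigned char *sect, size_t sect_size,
                             size_t table_off, size_t declared_count,
                             uint32_t *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < declared_count && n < out_cap; i++) {
        if (i > (SIZE_MAX - table_off) / 4)   /* table_off + 4*i would wrap */
            break;
        if (!checked_as32(sect, sect_size, table_off + 4 * i, &out[n]))
            break;
        n++;
    }
    return n;
}

/* Constructed 12-byte section holding three little-endian entries
   0x1000, 0x2000, 0x3000 (sample data, nothing from the attached PoC). */
static const unsigned char sample_section[12] = {
    0x00, 0x10, 0x00, 0x00,
    0x00, 0x20, 0x00, 0x00,
    0x00, 0x30, 0x00, 0x00,
};

/* 1 if a 4-byte read at off fits inside the sample section, else 0. */
static int sample_read_ok(size_t off)
{
    uint32_t v;
    return checked_as32(sample_section, sizeof sample_section, off, &v);
}

/* The value at off, or UINT32_MAX when the read is rejected. */
static uint32_t sample_value_at(size_t off)
{
    uint32_t v;
    if (!checked_as32(sample_section, sizeof sample_section, off, &v))
        return UINT32_MAX;
    return v;
}

/* Walk the sample table with a header that claims declared_count entries;
   returns how many entries were really available. */
static size_t sample_table_count(size_t declared_count)
{
    uint32_t entries[8];
    return read_u32_table(sample_section, sizeof sample_section, 0,
                          declared_count, entries, 8);
}

int main(void)
{
    printf("offset 8: ok=%d value=0x%x\n", sample_read_ok(8),
           (unsigned)sample_value_at(8));
    printf("offset 9: ok=%d (window crosses the end)\n", sample_read_ok(9));
    printf("declared 5 entries, read %zu\n", sample_table_count(5));
    return 0;
}
```

The point of the checked form is that the bound travels with the pointer: the accessor that runs under a sanitizer only because the caller happened to leave redzones behind the buffer becomes one that fails cleanly on an offset of size - 3, size, or a wrapped value, and the table walk turns a hostile count into a short table rather than an out-of-bounds read.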

* [Bug gdb/30323] gdb heap buffer overflow
  2023-04-07  7:57 [Bug gdb/30323] New: gdb heap buffer overflow mengda2020 at iscas dot ac.cn
@ 2023-04-07  8:02 ` mengda2020 at iscas dot ac.cn
  0 siblings, 0 replies; 2+ messages in thread
From: mengda2020 at iscas dot ac.cn @ 2023-04-07  8:02 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30323

--- Comment #1 from 陈孟达 <mengda2020 at iscas dot ac.cn> ---
heap buffer overflow bug

