From: "mengda2020 at iscas dot ac.cn"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/30323] New: gdb heap buffer overflow
Date: Fri, 07 Apr 2023 07:57:49 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30323

Bug ID: 30323
Summary: gdb heap buffer overflow
Product: gdb
Version: 13.1
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: mengda2020 at iscas dot ac.cn
Target Milestone: ---

Created attachment 14806
--> https://sourceware.org/bugzilla/attachment.cgi?id=14806&action=edit
PoC file

I found a heap buffer overflow bug in gdb. Please confirm.
Thanks!

### Test Environment

Ubuntu 20.04, 64 bit (version: v13.1; master)

### How to trigger

Compile the program with AddressSanitizer.

Run command:

```
$ ./gdb --readnow --tty=TTY $PoC
```

### Details

ASAN report:

```
$ ./gdb --readnow --tty=TTY $PoC
warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception) preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
warning: Found custom handler for signal 15 (Terminated) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (GDB) 13.0.50.20220805-git
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from out/default/crashes/id:000154,sig:11,src:001619,time:65783077,execs:1503403,op:havoc,rep:4...
=================================================================
==2013205==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f84a1f31700 at pc 0x000000b135ee bp 0x7ffff3567600 sp 0x7ffff35675f8
READ of size 1 at 0x7f84a1f31700 thread T0
    #0 0xb135ed in pe_as32(void*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:292:10
    #1 0xb11ab6 in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:510:32
    #2 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:548:7
    #3 0xb1abd0 in coff_symfile_read(objfile*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:702:3
    #4 0x1bf6a0e in read_symbols(objfile*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:772:3
    #5 0x1c19531 in syms_from_objfile_1(objfile*, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:968:3
    #6 0x1c180fd in syms_from_objfile(objfile*, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:985:3
    #7 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1088:3
    #8 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1168:10
    #9 0x1be7459 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1181:10
    #10 0x1be873e in symbol_file_add_main_1(char const*, enum_flags, enum_flags, unsigned long) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1205:29
    #11 0x1be82ea in symbol_file_add_main(char const*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1196:3
    #12 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:540:3
    #13 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:513:7
    #14 0x15c433a in captured_main_1(captured_main_args*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1212:8
    #15 0x15be28d in captured_main(void*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1319:3
    #16 0x15be058 in gdb_main(captured_main_args*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1344:7
    #17 0x4e4f12 in main /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/gdb.c:32:10
    #18 0x7f84d47d1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x433ebd in _start (/home/cmd/randomFuzz/binutils/gdb/gdb_r_t_q/gdb+0x433ebd)

0x7f84a1f31700 is located 0 bytes to the right of 200448-byte region [0x7f84a1f00800,0x7f84a1f31700)
allocated by thread T0 here:
    #0 0x4e242d in operator new(unsigned long) (/home/cmd/randomFuzz/binutils/gdb/gdb_r_t_q/gdb+0x4e242d)
    #1 0x627d92 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0x627ca1 in std::allocator_traits > >::allocate(gdb::default_init_allocator >&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:314:20
    #3 0x627661 in std::_Vector_base > >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0x6b7121 in std::_Vector_base > >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:361:33
    #5 0x6b6dd9 in std::_Vector_base > >::_Vector_base(unsigned long, gdb::default_init_allocator > const&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:305:9
    #6 0xa9ea40 in std::vector > >::vector(unsigned long, gdb::default_init_allocator > const&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:511:9
    #7 0xb1106b in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:469:34
    #8 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:548:7
    #9 0xb1abd0 in coff_symfile_read(objfile*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coffread.c:702:3
    #10 0x1bf6a0e in read_symbols(objfile*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:772:3
    #11 0x1c19531 in syms_from_objfile_1(objfile*, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:968:3
    #12 0x1c180fd in syms_from_objfile(objfile*, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:985:3
    #13 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1088:3
    #14 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1168:10
    #15 0x1be7459 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1181:10
    #16 0x1be873e in symbol_file_add_main_1(char const*, enum_flags, enum_flags, unsigned long) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1205:29
    #17 0x1be82ea in symbol_file_add_main(char const*, enum_flags) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/symfile.c:1196:3
    #18 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:540:3
    #19 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:513:7
    #20 0x15c433a in captured_main_1(captured_main_args*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1212:8
    #21 0x15be28d in captured_main(void*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1319:3
    #22 0x15be058 in gdb_main(captured_main_args*) /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/main.c:1344:7
    #23 0x4e4f12 in main /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/gdb.c:32:10
    #24 0x7f84d47d1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cmd/FuzzDateset/binutils/binutils-gdb-binutils-2_39/gdb/coff-pe-read.c:292:10 in pe_as32(void*)
Shadow bytes around the buggy address:
  0x0ff1143de290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1143de2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff1143de2e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff1143de330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2013205==ABORTING
```
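The report shows a 1-byte READ exactly 0 bytes past the end of a 200448-byte heap buffer in pe_as32, reached while read_pe_exported_syms walks the PE export table with offsets taken from the file. The following is an added illustration, not gdb's own code: the `pe_region` type, the function names and the sample bytes are assumptions. It places an unchecked little-endian 32-bit read beside a bounds-checked one that refuses a read at the region's end without wrapping on huge offsets, and a table walk that stops at the region boundary instead of at an entry count read from the untrusted header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added, hypothetical type (not gdb's): a byte region such as the export
   table buffer that read_pe_exported_syms allocates and pe_as32 reads.  */
struct pe_region { const uint8_t *data; size_t size; };
/* Unchecked little-endian 32-bit read; with p at the region's end this is
   the 1-byte out-of-bounds READ that ASan reports above.  */
static uint32_t pe_as32_unchecked(const void *p)
{
    const uint8_t *b = (const uint8_t *) p;
    return (uint32_t) b[0] | ((uint32_t) b[1] << 8)
         | ((uint32_t) b[2] << 16) | ((uint32_t) b[3] << 24);
}

/* Checked read: all 4 bytes must lie inside the region.  "off > size ||
   size - off < 4" cannot wrap, unlike "off + 4 > size" with a huge off.  */
static bool pe_read32(const struct pe_region *r, size_t off, uint32_t *out)
{
    if (r == NULL || r->data == NULL || out == NULL)
        return false;
    if (off > r->size || r->size - off < 4)
        return false;
    *out = pe_as32_unchecked(r->data + off);
    return true;
}

/* Entries of a 32-bit table (count taken from the untrusted header) that
   can be read without leaving the region; loop to this, not to count.  */
static size_t pe_table32_readable(const struct pe_region *r, size_t off,
                                  size_t count)
{
    size_t n = 0;
    uint32_t v;
    while (n < count && n <= (SIZE_MAX - off) / 4 /* off + n*4 cannot wrap */
           && pe_read32(r, off + n * 4, &v))
        n++;
    return n;
}
/* Constructed sample input: an 8-byte region holding two entries.  */
static const uint8_t sample_bytes[8] = {0x78, 0x56, 0x34, 0x12, 0xaa, 0xbb, 0xcc, 0xdd};
static const struct pe_region sample = { sample_bytes, sizeof sample_bytes };

int main(void)
{
    printf("readable entries: %zu, read at end ok: %d\n",
           pe_table32_readable(&sample, 0, 100),
           (int) pe_read32(&sample, 8, &(uint32_t){0}));
    return 0;
}
```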