From: "sihan2021 at iscas dot ac.cn"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/30638] New: AddressSanitizer: heap-use-after-free (/home/cmd/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x44aee0) in strrchr
Date: Sat, 15 Jul 2023 06:15:39 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30638

            Bug ID: 30638
           Summary: AddressSanitizer: heap-use-after-free
                    (/home/cmd/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x44aee0)
                    in strrchr
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: sihan2021 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 14965
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14965&action=edit
crash seed

Hello GDB developers,

We recently conducted a fuzzing test on GDB and discovered a Use-After-Free
(UAF) bug. We would like to provide a detailed description of the bug and seek
your assistance in addressing it.

version:
gdb: GNU gdb (GDB) 13.0.50.20220805-git
gcc: gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
ubuntu: 20.04

command to reproduce:
gdb -x command.gdb UAF_1

UAF_1 is attached to this report. It seems that only one attachment can be
added, so I paste the content of command.gdb below:

# Set breakpoint at beginning of main function
break main
# Run program
run
# Print values of variables when breakpoint is hit
echo "Breakpoint hit!"
info locals
info registers

ASAN report:
=================================================================
==2661285==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fd44bc09800 at pc 0x00000044aee1 bp 0x7fff3d1f5420 sp 0x7fff3d1f4be0
READ of size 1 at 0x7fd44bc09800 thread T0
    #0 0x44aee0 in strrchr (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x44aee0)
    #1 0xb13a0a in read_pe_truncate_name(char*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:252:22
    #2 0xb11912 in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:499:3
    #3 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:548:7
    #4 0xb1abd0 in coff_symfile_read(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:702:3
    #5 0x1bf6a0e in read_symbols(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:772:3
    #6 0x1c19531 in syms_from_objfile_1(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:968:3
    #7 0x1c180fd in syms_from_objfile(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:985:3
    #8 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1088:3
    #9 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1168:10
    #10 0x1be7459 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1181:10
    #11 0x1be873e in symbol_file_add_main_1(char const*, enum_flags, enum_flags, unsigned long) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1205:29
    #12 0x1be82ea in symbol_file_add_main(char const*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1196:3
    #13 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:540:3
    #14 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:513:7
    #15 0x15c433a in captured_main_1(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1212:8
    #16 0x15be28d in captured_main(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1319:3
    #17 0x15be058 in gdb_main(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1344:7
    #18 0x4e4f12 in main /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/gdb.c:32:10
    #19 0x7fd47e6c6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x433ebd in _start (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x433ebd)

0x7fd44bc09800 is located 98304 bytes inside of 196608-byte region [0x7fd44bbf1800,0x7fd44bc21800)
freed by thread T0 here:
    #0 0x4e2c8d in operator delete(void*) (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x4e2c8d)
    #1 0xb182c1 in __gnu_cxx::new_allocator::deallocate(read_pe_section_data*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:133:2
    #2 0xb18269 in std::allocator_traits >::deallocate(std::allocator&, read_pe_section_data*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:492:13
    #3 0xb18203 in std::_Vector_base >::_M_deallocate(read_pe_section_data*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:354:4
    #4 0xb1882d in std::vector >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:675:8
    #5 0xb13487 in std::vector >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:940:4
    #6 0xb10b1d in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:451:17
    #7 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:548:7
    #8 0xb1abd0 in coff_symfile_read(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:702:3
    #9 0x1bf6a0e in read_symbols(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:772:3
    #10 0x1c19531 in syms_from_objfile_1(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:968:3
    #11 0x1c180fd in syms_from_objfile(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:985:3
    #12 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1088:3
    #13 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1168:10
    #14 0x1be7459 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1181:10
    #15 0x1be873e in symbol_file_add_main_1(char const*, enum_flags, enum_flags, unsigned long) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1205:29
    #16 0x1be82ea in symbol_file_add_main(char const*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1196:3
    #17 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:540:3
    #18 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:513:7
    #19 0x15c433a in captured_main_1(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1212:8
    #20 0x15be28d in captured_main(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1319:3
    #21 0x15be058 in gdb_main(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1344:7
    #22 0x4e4f12 in main /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/gdb.c:32:10
    #23 0x7fd47e6c6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4e242d in operator new(unsigned long) (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x4e242d)
    #1 0xb17b62 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0xb17a71 in std::allocator_traits >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
    #3 0xb179d1 in std::_Vector_base >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0xb185b7 in std::vector >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:635:34
    #5 0xb13487 in std::vector >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:940:4
    #6 0xb10b1d in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:451:17
    #7 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:548:7
    #8 0xb1abd0 in coff_symfile_read(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:702:3
    #9 0x1bf6a0e in read_symbols(objfile*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:772:3
    #10 0x1c19531 in syms_from_objfile_1(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:968:3
    #11 0x1c180fd in syms_from_objfile(objfile*, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:985:3
    #12 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1088:3
    #13 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1168:10
    #14 0x1be7459 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1181:10
    #15 0x1be873e in symbol_file_add_main_1(char const*, enum_flags, enum_flags, unsigned long) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1205:29
    #16 0x1be82ea in symbol_file_add_main(char const*, enum_flags) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1196:3
    #17 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:540:3
    #18 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:513:7
    #19 0x15c433a in captured_main_1(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1212:8
    #20 0x15be28d in captured_main(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1319:3
    #21 0x15be058 in gdb_main(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1344:7
    #22 0x4e4f12 in main /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/gdb.c:32:10
    #23 0x7fd47e6c6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x44aee0) in strrchr
Shadow bytes around the buggy address:
==2661285==ABORTING

Thank you for your attention and support.

Best regards,
Michael Zhang.
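The trace above shows the freed region is the old backing store of a std::vector of read_pe_section_data, released by resize() at coff-pe-read.c:451, while the later read at coff-pe-read.c:252 goes through strrchr on memory from that store. The following is an added example, not the reporter's or GDB's code, using hypothetical names; it shows how a pointer into a vector goes stale across resize() and two ways to keep the access valid (reserve before taking element pointers, or re-derive the element by index after growing).

```cpp
// Added illustration (not gdb's code) of pointer invalidation across
// std::vector::resize(), the shape of the use-after-free in the report.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

struct section_entry {   // hypothetical stand-in, not gdb's read_pe_section_data
  std::string name;
  std::size_t rva;
};

// Constructed sample data: n entries named "sec0.text", "sec1.text", ...
static std::vector<section_entry> make_sections(std::size_t n) {
  std::vector<section_entry> v;
  for (std::size_t i = 0; i < n; ++i)
    v.push_back({"sec" + std::to_string(i) + ".text", 0x1000 * (i + 1)});
  return v;
}

// The unsafe shape: take a raw pointer to an element, then grow the vector.
// Returns true when resize() had to reallocate, i.e. when the old pointer
// now refers to freed memory. The stale pointer is compared, never read.
bool resize_invalidates_pointer(std::size_t initial, std::size_t new_size) {
  std::vector<section_entry> secs = make_sections(initial);
  const section_entry *elem = &secs[0];
  secs.resize(new_size);   // new_size > capacity() => new buffer, old one freed
  return elem != &secs[0];
}

// Mitigation 1: reserve() the final size before taking any element pointer;
// no reallocation happens until size() exceeds that capacity.
bool reserve_keeps_pointer_valid(std::size_t initial, std::size_t new_size) {
  std::vector<section_entry> secs = make_sections(initial);
  secs.reserve(new_size);
  const section_entry *elem = &secs[0];
  secs.resize(new_size);
  return elem == &secs[0];
}

// Mitigation 2: keep an index, re-derive the element after every resize, and
// only then hand its name to a C string routine such as strrchr.
// Returns the text after the last '.' in the entry's name, or "" if none.
std::string extension_after_resize(std::size_t initial, std::size_t new_size,
                                   std::size_t idx) {
  std::vector<section_entry> secs = make_sections(initial);
  secs.resize(new_size);   // entries beyond `initial` are value-initialized
  const char *dot = std::strrchr(secs[idx].name.c_str(), '.');
  return dot ? std::string(dot + 1) : std::string();
}
```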