From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 3ADBD3853D10; Fri, 21 Jul 2023 20:03:57 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 3ADBD3853D10 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1689969837; bh=KlGlqjE6w0Li4Ne0jwYC7PirJr5nUtVUpWs9rc0RQAg=; h=From:To:Subject:Date:From; b=EY1fqLtcycvoCHaJD/qFoOcu440gJN8Ko4HSx9C957my2X0qZj9Gy6AnXfj6eeP2E nC5kmoAVRMXo7qqaHIsLta756AaglNBJFl5k/Gka8sNiPIVIm8DgdyTP0u5eL9h+Tg 6uc5cWw2ZWuqDOAhZky5VV3vI/KN15mRB2jZnuC4= From: "mattlloydhouse at gmail dot com" To: gdb-prs@sourceware.org Subject: [Bug shlibs/30663] New: Segfault when reading malformed PT_INTERP header Date: Fri, 21 Jul 2023 20:03:56 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gdb X-Bugzilla-Component: shlibs X-Bugzilla-Version: HEAD X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: mattlloydhouse at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=3D30663 Bug ID: 30663 Summary: Segfault when reading malformed PT_INTERP header Product: gdb Version: HEAD Status: UNCONFIRMED Severity: normal Priority: P2 Component: shlibs Assignee: unassigned at sourceware dot org Reporter: mattlloydhouse at gmail dot com Target Milestone: --- Created attachment 14995 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D14995&action=3Ded= it The program used for reproduction. In find_program_interpreter() in gdb/solib-svr4.c, if there isn't a current exec_bfd, then the interpreter string is read using read_program_header(PT_INTERP), which reads phdr->p_memsz bytes starting at phdr->p_vaddr in inferior memory. This may return an empty byte vector, or a vector that is not null-terminated. (The Linux kernel's ELF loader only verifies that the phdr->p_filesz bytes starting at phdr->p_offset in the fi= le are null-terminated.) However, enable_break() in gdb/solib-svr4.c passes a pointer to the byte vector's buffer to solib_bfd_open(), which passes it to solib_find(), which calls xstrdup() to copy it. If the byte vector is empty (i.e., phdr->p_mems= z =3D=3D 0), then its buffer is set to a null pointer, and this raises a segfault. Presumably, other issues can occur if the vector otherwise isn't null-terminated. I can reproduce this on the latest snapshot by writing an ELF program with ehdr->e_ident[EI_VERSION] =3D=3D EV_NONE to prevent the file from being loa= ded by GDB, and phdr->p_memsz =3D=3D 0 on the PT_INTERP header to cause the segfau= lt. Then, I run it indirectly via env(1). $ xxd -r < program 00000000: 7f45 4c46 0201 0003 0000 0000 0000 0000 .ELF............ 00000010: 0300 3e00 0100 0000 0000 0000 0000 0000 ..>............. 00000020: 4000 0000 0000 0000 0000 0000 0000 0000 @............... 00000030: 0000 0000 4000 3800 0200 4000 0000 0000 ....@.8...@..... 00000040: 0300 0000 0400 0000 b000 0000 0000 0000 ................ 00000050: b000 0000 0000 0000 0000 0000 0000 0000 ................ 00000060: 1c00 0000 0000 0000 0000 0000 0000 0000 ................ 00000070: 0000 0000 0000 0000 0100 0000 0500 0000 ................ 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000090: 0000 0000 0000 0000 cc00 0000 0000 0000 ................ 000000a0: cc00 0000 0000 0000 0000 0000 0000 0000 ................ 000000b0: 2f6c 6962 3634 2f6c 642d 6c69 6e75 782d /lib64/ld-linux- 000000c0: 7838 362d 3634 2e73 6f2e 3200 x86-64.so.2. EOF $ chmod +x program $ gdb --args env ./program=20 GNU gdb (GDB) 14.0.50.20230721-git Copyright (C) 2023 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-pc-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: . Find the GDB manual and other documentation resources online at: . For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from env... (No debugging symbols found in env) (gdb) run Starting program: /usr/bin/env ./program [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". process 1096118 is executing new program: /home/lm978/program warning: "/home/lm978/program": not in executable format: file format not recognized warning: `/home/lm978/program': can't read symbols: file format not recogni= zed. Fatal signal: Segmentation fault ----- Backtrace ----- 0x56522c29ff90 gdb_internal_backtrace_1 /home/lm978/gdb-14.0.50.20230721/gdb/bt-utils.c:122 0x56522c29ff90 _Z22gdb_internal_backtracev /home/lm978/gdb-14.0.50.20230721/gdb/bt-utils.c:168 0x56522c3c695e handle_fatal_signal /home/lm978/gdb-14.0.50.20230721/gdb/event-top.c:889 0x56522c3c6b18 handle_sigsegv /home/lm978/gdb-14.0.50.20230721/gdb/event-top.c:962 0x7fd3cf2c451f ??? ./signal/../sysdeps/unix/sysv/linux/x86_64/libc_sigaction.c:0 0x7fd3cf41f97d ??? ../sysdeps/x86_64/multiarch/strlen-avx2.S:74 0x56522c7bc352 xstrdup ./xstrdup.c:33 0x56522c57ca8d solib_find_1 /home/lm978/gdb-14.0.50.20230721/gdb/solib.c:184 0x56522c57d71a _Z10solib_findPKcPi /home/lm978/gdb-14.0.50.20230721/gdb/solib.c:419 0x56522c57d842 _Z14solib_bfd_openPKc /home/lm978/gdb-14.0.50.20230721/gdb/solib.c:456 0x56522c57873e enable_break /home/lm978/gdb-14.0.50.20230721/gdb/solib-svr4.c:2444 0x56522c57873e svr4_solib_create_inferior_hook /home/lm978/gdb-14.0.50.20230721/gdb/solib-svr4.c:3163 0x56522c461c8e _ZNKSt8functionIFvP8inferiorS1_EEclES1_S1_ /usr/include/c++/11/bits/std_function.h:590 0x56522c461c8e _ZNK3gdb9observers10observableIJP8inferiorS3_EE6notifyES3_S3_ ./../gdbsupport/observable.h:166 0x56522c461c8e follow_exec /home/lm978/gdb-14.0.50.20230721/gdb/infrun.c:1371 0x56522c461c8e handle_inferior_event /home/lm978/gdb-14.0.50.20230721/gdb/infrun.c:6051 0x56522c462aca _Z20fetch_inferior_eventv /home/lm978/gdb-14.0.50.20230721/gdb/infrun.c:4462 0x56522c7ce755 gdb_wait_for_event /home/lm978/gdb-14.0.50.20230721/gdbsupport/event-loop.cc:694 0x56522c7cf1e9 gdb_wait_for_event /home/lm978/gdb-14.0.50.20230721/gdbsupport/event-loop.cc:593 0x56522c7cf1e9 _Z16gdb_do_one_eventi /home/lm978/gdb-14.0.50.20230721/gdbsupport/event-loop.cc:217 0x56522c4ade89 start_event_loop /home/lm978/gdb-14.0.50.20230721/gdb/main.c:412 0x56522c4ade89 captured_command_loop /home/lm978/gdb-14.0.50.20230721/gdb/main.c:476 0x56522c4b0394 captured_main /home/lm978/gdb-14.0.50.20230721/gdb/main.c:1320 0x56522c4b0394 _Z8gdb_mainP18captured_main_args /home/lm978/gdb-14.0.50.20230721/gdb/main.c:1339 0x56522c1e6ccf main /home/lm978/gdb-14.0.50.20230721/gdb/gdb.c:32 --------------------- A fatal error internal to GDB has been detected, further debugging is not possible. GDB will now terminate. This is a bug, please report it. For instructions, see: . Segmentation fault (core dumped) System info: $ uname -a Linux firmament 5.15.0-75-generic #82-Ubuntu SMP Tue Jun 6 23:10:23 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux $ gcc -v Using built-in specs. COLLECT_GCC=3Dgcc COLLECT_LTO_WRAPPER=3D/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper OFFLOAD_TARGET_NAMES=3Dnvptx-none:amdgcn-amdhsa OFFLOAD_TARGET_DEFAULT=3D1 Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion=3D'Ubuntu 11.3.0-1ubuntu1~22.04.1' --with-bugurl=3Dfile:///usr/share/doc/gcc-11/READM= E.Bugs --enable-languages=3Dc,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix= =3D/usr --with-gcc-major-version-only --program-suffix=3D-11 --program-prefix=3Dx86_64-linux-gnu- --enable-shared --enable-linker-build-= id --libexecdir=3D/usr/lib --without-included-gettext --enable-threads=3Dposix --libdir=3D/usr/lib --enable-nls --enable-bootstrap --enable-clocale=3Dgnu --enable-libstdcxx-debug --enable-libstdcxx-time=3Dyes --with-default-libstdcxx-abi=3Dnew --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-= zlib --enable-libphobos-checking=3Drelease --with-target-system-zlib=3Dauto --enable-objc-gc=3Dauto --enable-multiarch --disable-werror --enable-cet --with-arch-32=3Di686 --with-abi=3Dm64 --with-multilib-list=3Dm32,m64,mx32 --enable-multilib --with-tune=3Dgeneric --enable-offload-targets=3Dnvptx-none=3D/build/gcc-11-aYxV0E/gcc-11-11.3.0/= debian/tmp-nvptx/usr,amdgcn-amdhsa=3D/build/gcc-11-aYxV0E/gcc-11-11.3.0/deb= ian/tmp-gcn/usr --without-cuda-driver --enable-checking=3Drelease --build=3Dx86_64-linux-gnu --host=3Dx86_64-linux-gnu --target=3Dx86_64-linux-gnu --with-build-config=3Dbootstrap-lto-lean --enable-link-serialization=3D2 Thread model: posix Supported LTO compression algorithms: zlib zstd gcc version 11.3.0 (Ubuntu 11.3.0-1ubuntu1~22.04.1) --=20 You are receiving this mail because: You are on the CC list for the bug.=