public inbox for gdb-prs@sourceware.org
* [Bug gdb/30763] New: SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
@ 2023-08-15  7:02 sihan2021 at iscas dot ac.cn
From: sihan2021 at iscas dot ac.cn @ 2023-08-15  7:02 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30763

            Bug ID: 30763
           Summary: SUMMARY: AddressSanitizer: heap-buffer-overflow
                    /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-
                    pe-read.c:284 in pe_as16
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: sihan2021 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 15057
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15057&action=edit
input file

Hello, developers of gdb, we recently ran some fuzzing on gdb 13.1 and found a
stack-buffer-overflow bug. Here is the description of this bug. I hope this
can assist you in solving this bug.

Version:
gdb 13.1 (compiled with ASAN)
ubuntu 20.04

Command to reproduce:
gdb hbo

warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception)
preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (GDB) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
BFD: /home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/hbo: warning:
claims to have 0xffff relocs, without overflow
/home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/hbo: warning: claims
to have 0xffff relocs, without overflow
Reading symbols from hbo...
=================================================================
==1208501==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f1523eb0800 at pc 0x55faed3193ee bp 0x7ffea75fbeb0 sp 0x7ffea75fbea0
READ of size 1 at 0x7f1523eb0800 thread T0
    #0 0x55faed3193ed in pe_as16
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284
    #1 0x55faed31aa4b in read_pe_exported_syms(minimal_symbol_reader&,
objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:515
    #2 0x55faed31fd82 in coff_read_minsyms
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #3 0x55faed320c07 in coff_symfile_read
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #4 0x55faeddac421 in read_symbols
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #5 0x55faeddad38a in syms_from_objfile_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #6 0x55faeddad5f9 in syms_from_objfile
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #7 0x55faeddae4f6 in symbol_file_add_with_addrs
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #8 0x55faeddaf1fd in symbol_file_add_from_bfd(gdb::ref_ptr<bfd,
gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>, objfile*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #9 0x55faeddaf3a2 in symbol_file_add(char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #10 0x55faeddaf70c in symbol_file_add_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #11 0x55faeddaf558 in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #12 0x55faed9398cf in symbol_file_add_main_adapter
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #13 0x55faed9396bf in catch_command_errors
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #14 0x55faed93c58a in captured_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #15 0x55faed93d48f in captured_main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #16 0x55faed93d530 in gdb_main(captured_main_args*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #17 0x55faecf66eb1 in main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #18 0x7f155865a082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x55faecf66c8d in _start
(/home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/gdb+0xb02c8d)

0x7f1523eb0800 is located 0 bytes to the right of 262144-byte region
[0x7f1523e70800,0x7f1523eb0800)
allocated by thread T0 here:
    #0 0x7f155940c587 in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55faed026770 in __gnu_cxx::new_allocator<unsigned
char>::allocate(unsigned long, void const*)
/usr/include/c++/9/ext/new_allocator.h:114
    #2 0x55faed020b11 in
std::allocator_traits<gdb::default_init_allocator<unsigned char,
std::allocator<unsigned char> >
>::allocate(gdb::default_init_allocator<unsigned char, std::allocator<unsigned
char> >&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:305
    #3 0x55faed01b477 in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
    #4 0x55faed08205c in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
    #5 0x55faed081c98 in std::_Vector_base<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::_Vector_base(unsigned long, gdb::default_init_allocator<unsigned char,
std::allocator<unsigned char> > const&)
/usr/include/c++/9/bits/stl_vector.h:302
    #6 0x55faed2d7312 in std::vector<unsigned char,
gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >
>::vector(unsigned long, gdb::default_init_allocator<unsigned char,
std::allocator<unsigned char> > const&)
/usr/include/c++/9/bits/stl_vector.h:508
    #7 0x55faed31a5b4 in read_pe_exported_syms(minimal_symbol_reader&,
objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:471
    #8 0x55faed31fd82 in coff_read_minsyms
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #9 0x55faed320c07 in coff_symfile_read
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #10 0x55faeddac421 in read_symbols
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #11 0x55faeddad38a in syms_from_objfile_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #12 0x55faeddad5f9 in syms_from_objfile
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #13 0x55faeddae4f6 in symbol_file_add_with_addrs
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #14 0x55faeddaf1fd in symbol_file_add_from_bfd(gdb::ref_ptr<bfd,
gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>, objfile*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #15 0x55faeddaf3a2 in symbol_file_add(char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #16 0x55faeddaf70c in symbol_file_add_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #17 0x55faeddaf558 in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #18 0x55faed9398cf in symbol_file_add_main_adapter
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #19 0x55faed9396bf in catch_command_errors
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #20 0x55faed93c58a in captured_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #21 0x55faed93d48f in captured_main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #22 0x55faed93d530 in gdb_main(captured_main_args*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #23 0x55faecf66eb1 in main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #24 0x7f155865a082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
Shadow bytes around the buggy address:
  0x0fe3247ce0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe3247ce100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1208501==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
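The sanitizer output above says everything a defender needs about the failure mode: a READ of size 1 in a 16-bit little-endian loader, landing 0 bytes past the end of a 262144-byte region that read_pe_exported_syms sized from the file. The example below is added here and is not gdb's code; the names (`as16_unchecked`, `as16_checked`, `read_ordinals`, `short_read`, `sample_file`) and the six-byte sample table are constructed for illustration. It shows the unchecked load beside a bounds-checked one, a table parser that stops at the region end rather than trusting a count from the file header, and a model of the short-read case behind the "warn unused result for bfd IO functions" commit Keith points to: the number of bytes actually read, not the number requested, must define the region.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A buffer read from an object file, paired with the number of bytes that
   were actually read so every later access can be checked against it. */
struct region {
    const uint8_t *data;
    size_t len;
};

/* Constructed sample (not from the attached input file): a 6-byte "export
   table" holding three 16-bit little-endian ordinals, 1, 2 and 3. */
static const uint8_t sample_file[] = { 0x01, 0x00, 0x02, 0x00, 0x03, 0x00 };

/* Unchecked 16-bit little-endian load (hypothetical, not gdb's pe_as16).
   Called at off == len - 1 it reads one byte past the region, which is the
   "0 bytes to the right of ... region" READ of size 1 in the ASAN report. */
static uint16_t as16_unchecked(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Checked variant: refuses any load that is not fully inside the region.
   Written as two comparisons so off + 2 can never wrap around. */
static bool as16_checked(const struct region *r, size_t off, uint16_t *out)
{
    if (off > r->len || r->len - off < 2)
        return false;
    *out = as16_unchecked(r->data + off);
    return true;
}

/* Parse a table of `count` 16-bit entries starting at `off`. Returns the
   number of entries actually read; stops at the region end instead of
   trusting the count claimed by the file header. */
static size_t read_ordinals(const struct region *r, size_t off, size_t count,
                            uint16_t *out, size_t out_cap)
{
    size_t n = 0, pos = off;
    for (; n < count && n < out_cap; n++, pos += 2) {
        if (!as16_checked(r, pos, &out[n]))
            break;
    }
    return n;
}

/* Model of a short read: the header asked for `wanted` bytes but only
   `avail` were present. The returned count is what must size the region;
   ignoring it leaves a large allocation only partly filled with file data. */
static size_t short_read(size_t wanted, size_t avail)
{
    return wanted < avail ? wanted : avail;
}

/* Header claims 0xffff entries (the same inflated count the BFD warning
   above complains about for relocs); only three fit in the region. */
static size_t demo_ordinals_read(void)
{
    struct region r = { sample_file, short_read(sizeof sample_file, sizeof sample_file) };
    uint16_t ords[8];
    return read_ordinals(&r, 0, 0xffff, ords, 8);
}

/* A load at the last byte of the region is rejected rather than overrunning. */
static bool demo_end_load_rejected(void)
{
    struct region r = { sample_file, sizeof sample_file };
    uint16_t v = 0;
    return !as16_checked(&r, r.len - 1, &v);
}

int main(void)
{
    printf("header claimed 65535 ordinals, region holds %zu\n",
           demo_ordinals_read());
    printf("load at last byte of region rejected: %s\n",
           demo_end_load_rejected() ? "yes" : "no");
    printf("requested 262144 bytes, file supplied %zu\n",
           short_read(262144, 4096));
    return 0;
}
```

The hardened pattern is the same one the report's allocation site needs: carry the byte count returned by the I/O routine in the region, and make every multi-byte load check `len - off` before dereferencing, so a truncated or inflated export table produces a parse failure instead of an out-of-bounds read.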


* [Bug gdb/30763] SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
From: keiths at redhat dot com @ 2023-08-15 16:36 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30763

Keith Seitz <keiths at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |keiths at redhat dot com

--- Comment #1 from Keith Seitz <keiths at redhat dot com> ---
I can reproduce this on gdb-13-branch.

However, origin/master does NOT reproduce this. I am going to
assume this was due to Alan's recent commit:

  From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001
  From: Alan Modra <amodra@gmail.com>
  Date: Wed, 9 Aug 2023 09:58:36 +0930
  Subject: [PATCH] gdb: warn unused result for bfd IO functions

  This fixes the compilation warnings introduced by my bfdio.c patch.



* [Bug gdb/30763] SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
From: tromey at sourceware dot org @ 2023-08-16 12:25 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30763

Tom Tromey <tromey at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.1
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |tromey at sourceware dot org

--- Comment #2 from Tom Tromey <tromey at sourceware dot org> ---
(In reply to Keith Seitz from comment #1)

> However, origin/master does NOT reproduce this. I am going to
> assume this was due to Alan's recent commit:

I would think so too.

