From: "sihan2021 at iscas dot ac.cn"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/30763] New: SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
Date: Tue, 15 Aug 2023 07:02:00 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30763

            Bug ID: 30763
           Summary: SUMMARY: AddressSanitizer: heap-buffer-overflow
                    /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: sihan2021 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 15057
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15057&action=edit
input file

Hello, developers of gdb, we recently ran some fuzz on gdb 13.1 and found a stack-buffer-overflow bug. Here is the description of this bug. I hope this can assist you to solve this bug.

Version: gdb 13.1 (compiled with ASAN)
ubuntu 20.04

Command to reproduce:
gdb hbo

warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception) preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (GDB) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .

For help, type "help".
Type "apropos word" to search for commands related to "word"...
BFD: /home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/hbo: warning: claims to have 0xffff relocs, without overflow
/home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/hbo: warning: claims to have 0xffff relocs, without overflow
Reading symbols from hbo...
=================================================================
==1208501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1523eb0800 at pc 0x55faed3193ee bp 0x7ffea75fbeb0 sp 0x7ffea75fbea0
READ of size 1 at 0x7f1523eb0800 thread T0
    #0 0x55faed3193ed in pe_as16 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284
    #1 0x55faed31aa4b in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:515
    #2 0x55faed31fd82 in coff_read_minsyms /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #3 0x55faed320c07 in coff_symfile_read /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #4 0x55faeddac421 in read_symbols /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #5 0x55faeddad38a in syms_from_objfile_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #6 0x55faeddad5f9 in syms_from_objfile /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #7 0x55faeddae4f6 in symbol_file_add_with_addrs /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #8 0x55faeddaf1fd in symbol_file_add_from_bfd(gdb::ref_ptr const&, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #9 0x55faeddaf3a2 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #10 0x55faeddaf70c in symbol_file_add_main_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #11 0x55faeddaf558 in symbol_file_add_main(char const*, enum_flags) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #12 0x55faed9398cf in symbol_file_add_main_adapter /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #13 0x55faed9396bf in catch_command_errors /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #14 0x55faed93c58a in captured_main_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #15 0x55faed93d48f in captured_main /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #16 0x55faed93d530 in gdb_main(captured_main_args*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #17 0x55faecf66eb1 in main /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #18 0x7f155865a082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x55faecf66c8d in _start (/home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/gdb+0xb02c8d)

0x7f1523eb0800 is located 0 bytes to the right of 262144-byte region [0x7f1523e70800,0x7f1523eb0800)
allocated by thread T0 here:
    #0 0x7f155940c587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55faed026770 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
    #2 0x55faed020b11 in std::allocator_traits > >::allocate(gdb::default_init_allocator >&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:305
    #3 0x55faed01b477 in std::_Vector_base > >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
    #4 0x55faed08205c in std::_Vector_base > >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
    #5 0x55faed081c98 in std::_Vector_base > >::_Vector_base(unsigned long, gdb::default_init_allocator > const&) /usr/include/c++/9/bits/stl_vector.h:302
    #6 0x55faed2d7312 in std::vector > >::vector(unsigned long, gdb::default_init_allocator > const&) /usr/include/c++/9/bits/stl_vector.h:508
    #7 0x55faed31a5b4 in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:471
    #8 0x55faed31fd82 in coff_read_minsyms /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #9 0x55faed320c07 in coff_symfile_read /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #10 0x55faeddac421 in read_symbols /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #11 0x55faeddad38a in syms_from_objfile_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #12 0x55faeddad5f9 in syms_from_objfile /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #13 0x55faeddae4f6 in symbol_file_add_with_addrs /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #14 0x55faeddaf1fd in symbol_file_add_from_bfd(gdb::ref_ptr const&, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #15 0x55faeddaf3a2 in symbol_file_add(char const*, enum_flags, std::vector >*, enum_flags) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #16 0x55faeddaf70c in symbol_file_add_main_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #17 0x55faeddaf558 in symbol_file_add_main(char const*, enum_flags) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #18 0x55faed9398cf in symbol_file_add_main_adapter /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #19 0x55faed9396bf in catch_command_errors /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #20 0x55faed93c58a in captured_main_1 /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #21 0x55faed93d48f in captured_main /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #22 0x55faed93d530 in gdb_main(captured_main_args*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #23 0x55faecf66eb1 in main /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #24 0x7f155865a082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:284 in pe_as16
Shadow bytes around the buggy address:
  0x0fe3247ce0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3247ce0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe3247ce100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe3247ce150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1208501==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.