public inbox for gdb-prs@sourceware.org
* [Bug gdb/30764] New: SUMMARY: AddressSanitizer: heap-use-after-free /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:137 in add_pe_exported_sym
@ 2023-08-15  7:15 sihan2021 at iscas dot ac.cn
  2023-08-15 16:37 ` [Bug gdb/30764] " keiths at redhat dot com
  2023-08-16 12:25 ` tromey at sourceware dot org
From: sihan2021 at iscas dot ac.cn @ 2023-08-15  7:15 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30764

            Bug ID: 30764
           Summary: SUMMARY: AddressSanitizer: heap-use-after-free
                    /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-
                    pe-read.c:137 in add_pe_exported_sym
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: sihan2021 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 15058
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15058&action=edit
input file

Hello, developers of gdb, we recently ran some fuzzing on gdb 13.1 and found a
stack-buffer-overflow bug. Here is the description of this bug. I hope this
can assist you in solving this bug.

Version:
gdb 13.1 (compiled with ASAN)
ubuntu 20.04

Command to reproduce:
gdb UAF_2

warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception)
preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (GDB) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from UAF_2...
=================================================================
==966688==ERROR: AddressSanitizer: heap-use-after-free on address
0x7f343eff4800 at pc 0x5646ccecf0d5 bp 0x7ffecc770210 sp 0x7ffecc770200
READ of size 1 at 0x7f343eff4800 thread T0
    #0 0x5646ccecf0d4 in add_pe_exported_sym
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:137
    #1 0x5646cced1e2d in read_pe_exported_syms(minimal_symbol_reader&,
objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:560
    #2 0x5646cced6d82 in coff_read_minsyms
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #3 0x5646cced7c07 in coff_symfile_read
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #4 0x5646cd963421 in read_symbols
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #5 0x5646cd96438a in syms_from_objfile_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #6 0x5646cd9645f9 in syms_from_objfile
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #7 0x5646cd9654f6 in symbol_file_add_with_addrs
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #8 0x5646cd9661fd in symbol_file_add_from_bfd(gdb::ref_ptr<bfd,
gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>, objfile*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #9 0x5646cd9663a2 in symbol_file_add(char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #10 0x5646cd96670c in symbol_file_add_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #11 0x5646cd966558 in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #12 0x5646cd4f08cf in symbol_file_add_main_adapter
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #13 0x5646cd4f06bf in catch_command_errors
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #14 0x5646cd4f358a in captured_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #15 0x5646cd4f448f in captured_main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #16 0x5646cd4f4530 in gdb_main(captured_main_args*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #17 0x5646ccb1deb1 in main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #18 0x7f3473885082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x5646ccb1dc8d in _start
(/home/root/gdb/binutils-gdb-gdb-13.1-release/install/bin/gdb+0xb02c8d)

0x7f343eff4800 is located 442368 bytes inside of 786432-byte region
[0x7f343ef88800,0x7f343f048800)
freed by thread T0 here:
    #0 0x7f347463851f in operator delete(void*)
../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x5646cced450d in
__gnu_cxx::new_allocator<read_pe_section_data>::deallocate(read_pe_section_data*,
unsigned long) /usr/include/c++/9/ext/new_allocator.h:128
    #2 0x5646cced4175 in
std::allocator_traits<std::allocator<read_pe_section_data>
>::deallocate(std::allocator<read_pe_section_data>&, read_pe_section_data*,
unsigned long) /usr/include/c++/9/bits/alloc_traits.h:469
    #3 0x5646cced3be9 in std::_Vector_base<read_pe_section_data,
std::allocator<read_pe_section_data> >::_M_deallocate(read_pe_section_data*,
unsigned long) /usr/include/c++/9/bits/stl_vector.h:351
    #4 0x5646cced3681 in std::vector<read_pe_section_data,
std::allocator<read_pe_section_data> >::_M_default_append(unsigned long)
/usr/include/c++/9/bits/vector.tcc:675
    #5 0x5646cced2de2 in std::vector<read_pe_section_data,
std::allocator<read_pe_section_data> >::resize(unsigned long)
/usr/include/c++/9/bits/stl_vector.h:937
    #6 0x5646cced123d in read_pe_exported_syms(minimal_symbol_reader&,
objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:453
    #7 0x5646cced6d82 in coff_read_minsyms
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #8 0x5646cced7c07 in coff_symfile_read
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #9 0x5646cd963421 in read_symbols
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #10 0x5646cd96438a in syms_from_objfile_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #11 0x5646cd9645f9 in syms_from_objfile
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #12 0x5646cd9654f6 in symbol_file_add_with_addrs
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #13 0x5646cd9661fd in symbol_file_add_from_bfd(gdb::ref_ptr<bfd,
gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>, objfile*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #14 0x5646cd9663a2 in symbol_file_add(char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #15 0x5646cd96670c in symbol_file_add_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #16 0x5646cd966558 in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #17 0x5646cd4f08cf in symbol_file_add_main_adapter
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #18 0x5646cd4f06bf in catch_command_errors
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #19 0x5646cd4f358a in captured_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #20 0x5646cd4f448f in captured_main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #21 0x5646cd4f4530 in gdb_main(captured_main_args*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #22 0x5646ccb1deb1 in main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #23 0x7f3473885082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f3474637587 in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x5646cced45f6 in
__gnu_cxx::new_allocator<read_pe_section_data>::allocate(unsigned long, void
const*) /usr/include/c++/9/ext/new_allocator.h:114
    #2 0x5646cced421f in
std::allocator_traits<std::allocator<read_pe_section_data>
>::allocate(std::allocator<read_pe_section_data>&, unsigned long)
/usr/include/c++/9/bits/alloc_traits.h:443
    #3 0x5646cced3ef5 in std::_Vector_base<read_pe_section_data,
std::allocator<read_pe_section_data> >::_M_allocate(unsigned long)
/usr/include/c++/9/bits/stl_vector.h:343
    #4 0x5646cced3420 in std::vector<read_pe_section_data,
std::allocator<read_pe_section_data> >::_M_default_append(unsigned long)
/usr/include/c++/9/bits/vector.tcc:635
    #5 0x5646cced2de2 in std::vector<read_pe_section_data,
std::allocator<read_pe_section_data> >::resize(unsigned long)
/usr/include/c++/9/bits/stl_vector.h:937
    #6 0x5646cced123d in read_pe_exported_syms(minimal_symbol_reader&,
objfile*) /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:453
    #7 0x5646cced6d82 in coff_read_minsyms
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:548
    #8 0x5646cced7c07 in coff_symfile_read
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coffread.c:703
    #9 0x5646cd963421 in read_symbols
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:773
    #10 0x5646cd96438a in syms_from_objfile_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:968
    #11 0x5646cd9645f9 in syms_from_objfile
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:985
    #12 0x5646cd9654f6 in symbol_file_add_with_addrs
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1088
    #13 0x5646cd9661fd in symbol_file_add_from_bfd(gdb::ref_ptr<bfd,
gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>,
std::vector<other_sections, std::allocator<other_sections> >*,
enum_flags<objfile_flag>, objfile*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1168
    #14 0x5646cd9663a2 in symbol_file_add(char const*,
enum_flags<symfile_add_flag>, std::vector<other_sections,
std::allocator<other_sections> >*, enum_flags<objfile_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1181
    #15 0x5646cd96670c in symbol_file_add_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1205
    #16 0x5646cd966558 in symbol_file_add_main(char const*,
enum_flags<symfile_add_flag>)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/symfile.c:1196
    #17 0x5646cd4f08cf in symbol_file_add_main_adapter
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:540
    #18 0x5646cd4f06bf in catch_command_errors
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:513
    #19 0x5646cd4f358a in captured_main_1
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1213
    #20 0x5646cd4f448f in captured_main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1320
    #21 0x5646cd4f4530 in gdb_main(captured_main_args*)
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/main.c:1345
    #22 0x5646ccb1deb1 in main
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/gdb.c:32
    #23 0x7f3473885082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free
/home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:137 in
add_pe_exported_sym
Shadow bytes around the buggy address:
  0x0fe707df68b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df68c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df68d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df68e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df68f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe707df6900:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df6910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df6920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df6930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df6940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe707df6950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==966688==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

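The ASan report above attributes the free to std::vector<read_pe_section_data>::resize called from read_pe_exported_syms (coff-pe-read.c:453) and the read to add_pe_exported_sym (coff-pe-read.c:137): an element of the vector was referenced before the vector grew, and the growth relocated the elements. The program below is an added example, not gdb's code and not the fix for this bug; it reproduces that invalidation pattern stand-alone with a hypothetical section_data record (gdb's real read_pe_section_data has other fields) and shows two hardened shapes, looking up by index after all growth is done, and reserving capacity before any reference is taken.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

// Hypothetical per-section record. gdb's real read_pe_section_data has other
// fields; only the role (one entry per PE section) is borrowed from the trace.
struct section_data {
    std::uint64_t rva_start = 0;
    std::uint64_t rva_end = 0;
    std::string section_name;
};

static std::uintptr_t addr_of(const std::vector<section_data> &v) {
    return reinterpret_cast<std::uintptr_t>(v.data());
}

// Growing past capacity relocates the elements: std::vector allocates a new
// block, moves the elements across and frees the old block. Any reference or
// pointer taken before the resize now names freed memory. Comparing integer
// addresses before and after is well defined; dereferencing the old reference
// is not. Returns true when the storage moved.
bool storage_moves_on_growth() {
    std::vector<section_data> sections(2);
    std::uintptr_t before = addr_of(sections);
    sections.resize(sections.capacity() + 1);   // size > capacity: must reallocate
    return before != addr_of(sections);
}

// The shape the ASan report describes: `sec` is bound to an element, the
// vector is then grown, and the element is read through the stale reference.
// Not called below because the final read is undefined behaviour. Built with
// -fsanitize=address it is reported as heap-use-after-free, the free inside
// vector::resize and the read inside the callee, as in the bug report.
bool add_sym_unsafe(const section_data &sec, std::uint64_t rva) {
    return rva >= sec.rva_start && rva < sec.rva_end;   // reads through `sec`
}

bool unsafe_driver() {
    std::vector<section_data> sections(1);
    sections[0] = {0x1000, 0x2000, ".text"};
    const section_data &sec = sections[0];          // reference into heap storage
    sections.resize(sections.capacity() + 1);       // old block freed here
    return add_sym_unsafe(sec, 0x1500);             // heap-use-after-free
}

// Hardened shape 1: finish all growth first, then address elements by index.
// Indices survive reallocation; references and pointers do not. Returns the
// index of the section containing `rva`, appending a placeholder entry when
// none matches so the caller always receives a valid index.
std::size_t section_index_for(std::vector<section_data> &sections, std::uint64_t rva) {
    for (std::size_t i = 0; i < sections.size(); ++i)
        if (rva >= sections[i].rva_start && rva < sections[i].rva_end)
            return i;
    sections.push_back({rva, rva + 1, "<unknown>"});    // may reallocate; nothing is held
    return sections.size() - 1;
}

// Classifies each RVA by section name via the index-based lookup. The element
// reference is bound only after section_index_for has finished growing the
// vector, so it cannot dangle. Sample RVAs are constructed for the example.
std::vector<std::string> classify(std::initializer_list<std::uint64_t> rvas) {
    std::vector<section_data> sections{{0x1000, 0x2000, ".text"}};
    std::vector<std::string> names;
    for (std::uint64_t rva : rvas) {
        std::size_t idx = section_index_for(sections, rva);
        const section_data &sec = sections[idx];   // safe: no growth after this point
        names.push_back(sec.section_name);
    }
    return names;
}

// Hardened shape 2: when the maximum entry count is known up front, reserve()
// it before taking any reference. Growth within the reserved capacity does
// not move the elements. Returns true when the storage stayed put and the
// reference still reads the original record.
bool reference_survives_with_reserve() {
    std::vector<section_data> sections;
    sections.reserve(16);
    sections.push_back({0x1000, 0x2000, ".text"});
    std::uintptr_t before = addr_of(sections);
    const section_data &sec = sections[0];
    sections.resize(16);                            // within capacity: no reallocation
    return before == addr_of(sections) && sec.section_name == ".text";
}

int main() {
    bool moved = storage_moves_on_growth();
    std::vector<std::string> names = classify({0x1500, 0x9000, 0x9000});
    bool kept = reference_survives_with_reserve();
    // unsafe_driver();  // build with -fsanitize=address and uncomment to see the report
    return (moved && kept && names.size() == 3) ? 0 : 1;
}
```

Build with `g++ -std=c++17 -g -fsanitize=address` and uncomment the unsafe_driver() call to get a report of the same shape as the one in this bug. The general rule the hardened versions follow: never hold a reference, pointer or iterator into a std::vector across any call that can change its size.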

* [Bug gdb/30764] SUMMARY: AddressSanitizer: heap-use-after-free /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:137 in add_pe_exported_sym
From: keiths at redhat dot com @ 2023-08-15 16:37 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30764

Keith Seitz <keiths at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |keiths at redhat dot com

--- Comment #1 from Keith Seitz <keiths at redhat dot com> ---
Like 30763, I can reproduce this on gdb-13-branch.

Also like the earlier bug, origin/master does NOT reproduce this.
The same commit (2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80)
fixes this, too.



* [Bug gdb/30764] SUMMARY: AddressSanitizer: heap-use-after-free /home/root/gdb/binutils-gdb-gdb-13.1-release/gdb/coff-pe-read.c:137 in add_pe_exported_sym
From: tromey at sourceware dot org @ 2023-08-16 12:25 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=30764

Tom Tromey <tromey at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at sourceware dot org
   Target Milestone|---                         |14.1
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Tom Tromey <tromey at sourceware dot org> ---
Fixed.

