public inbox for gdb-prs@sourceware.org
From: "research.mntcrl at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug server/30832] New: Sending specific GDB Remote Serial Protocol commands with a certain timing results a read out of bound and SEGFAULT
Date: Thu, 07 Sep 2023 17:54:35 +0000
Message-ID: <bug-30832-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=30832

Bug ID: 30832
Summary: Sending specific GDB Remote Serial Protocol commands with a certain timing results a read out of bound and SEGFAULT
Product: gdb
Version: HEAD
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: server
Assignee: unassigned at sourceware dot org
Reporter: research.mntcrl at gmail dot com
Target Milestone: ---

Created attachment 15102
--> https://sourceware.org/bugzilla/attachment.cgi?id=15102&action=edit
Python3 script used to trigger the bug

Hello GDB developers,

During a debug session with IDAPro 7.7 in conjunction with gdbserver running on Debian, I encountered a crash while IDA was trying to reconnect to the remote debugger. I reproduced exactly all the "GDB Serial Protocol" commands that I sent to gdbserver using a Python script, and the only error I got was SIGPIPE. I noticed that adding a sleep between the commands resulted in the same crash mentioned above.

After a little bit of trial and error I found that the combination of commands resulting in SEGFAULT was:

1) "+" --> (sleep one second after the response)
2) "QStartNoAckMode" --> (sleep one second after the response)
3) "%" --> (sleep one second after the response; the string sent can be anything)

I was running gdbserver in my local network using "gdbserver localhost:23946 ~/Desktop/binary". The version of gdbserver is GNU gdbserver (Debian 13.2-1) 13.2, and gdbserver was configured as "x86_64-linux-gnu".

Usually, if the commands are not sent with the right timing, the only error raised is SIGPIPE and the program keeps running.
I found out that there is an out-of-bounds read during the call of readchar (gdbserver/remote-utils.cc:847). The variable readchar_bufcnt is decremented, leading to a backward out-of-bounds stack read, causing a SEGMENTATION FAULT. I have no clue why the inputs bypass the checks and start to read the stack. If readchar_bufcnt < 0 in readchar (gdbserver/remote-utils.cc:847), it would return -1.

gdbserver was installed using the package manager (sudo apt install gdbserver). I compiled the program with symbols and got the same issue.

Thank you for your attention and support.

Vincenzo Cantatore
Gianluca Parisi
Vincenzo Turturro
(M0NT3C4RL0 Team)

-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-kali3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdbserver depends on:
ii libc6 2.37-6
ii libgcc-s1 13.1.0-6
ii libstdc++6 13.1.0-6

gdbserver recommends no packages.
gdbserver suggests no packages.

-- no debconf information
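The mechanism the report suspects, as an added illustration written for this page (it is not gdbserver's readchar and not the attached script): a buffered reader in the shape described above, with a count of unread bytes and a cursor into a fixed buffer. The fragile variant refills only when the count is exactly zero, so a count that has somehow gone negative is decremented further and the cursor walks off the end of the buffer; the hardened variant applies the check the reporter proposes, treating any non-positive count as "refill, or return -1". The struct and function names, the in-memory transport, the sample client bytes and the corrupted count are all constructed for the example; the out-of-bounds dereference is replaced by a -2 sentinel so the program stays free of undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8

/* In-memory stand-in for the socket (constructed input, no real I/O). */
struct transport {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

struct reader {
    unsigned char buf[BUF_SIZE];
    int bufcnt;             /* unread bytes remaining in buf */
    unsigned char *bufp;    /* next unread byte */
    struct transport *xport;
};

/* Stand-in for read(2): copy up to n bytes, return 0 at end of input. */
static int read_prim(struct reader *r, unsigned char *out, size_t n)
{
    size_t avail = r->xport->len - r->xport->pos;
    if (avail == 0)
        return 0;
    if (n > avail)
        n = avail;
    memcpy(out, r->xport->data + r->xport->pos, n);
    r->xport->pos += n;
    return (int) n;
}

static void reader_init(struct reader *r, struct transport *t)
{
    memset(r, 0, sizeof *r);
    r->bufp = r->buf;
    r->xport = t;
}

/* Fragile shape: only an exactly-zero count triggers a refill. A negative
 * count is decremented further and the cursor keeps walking past buf. */
int readchar_fragile(struct reader *r)
{
    if (r->bufcnt == 0) {
        r->bufcnt = read_prim(r, r->buf, sizeof r->buf);
        if (r->bufcnt <= 0)
            return -1;
        r->bufp = r->buf;
    }
    r->bufcnt--;
    if (r->bufp >= r->buf + BUF_SIZE)
        return -2;          /* a real reader would read off the stack here */
    return *r->bufp++;
}

/* Hardened shape: any non-positive count forces a refill, and a failed
 * refill resets the count to zero so the next call cannot underflow. */
int readchar_hardened(struct reader *r)
{
    if (r->bufcnt <= 0) {
        r->bufcnt = read_prim(r, r->buf, sizeof r->buf);
        if (r->bufcnt <= 0) {
            r->bufcnt = 0;
            return -1;
        }
        r->bufp = r->buf;
    }
    r->bufcnt--;
    return *r->bufp++;
}

/* Constructed client bytes mirroring the report: ack, QStartNoAckMode
 * packet (checksum 0xb0), then a stray '%'. */
static const unsigned char INPUT[] = "+$QStartNoAckMode#b0%";
#define INPUT_LEN (sizeof INPUT - 1)

/* Scenario 1: the hardened reader drains the input, then reports EOF. */
int count_bytes_until_eof(void)
{
    struct transport t = { INPUT, INPUT_LEN, 0 };
    struct reader r;
    int n = 0;
    reader_init(&r, &t);
    while (readchar_hardened(&r) != -1)
        n++;
    return n;               /* 21 */
}

/* Scenario 2: exhaust one buffer fill (cursor at buf + BUF_SIZE, count 0),
 * then simulate the count going negative, the state the report describes. */
static void fill_and_corrupt(struct reader *r, struct transport *t)
{
    reader_init(r, t);
    for (int i = 0; i < BUF_SIZE; i++)
        readchar_hardened(r);
    r->bufcnt = -1;         /* constructed corruption, not a real code path */
}

int corrupted_count_fragile(void)
{
    struct transport t = { INPUT, INPUT_LEN, 0 };
    struct reader r;
    fill_and_corrupt(&r, &t);
    return readchar_fragile(&r);    /* -2: out-of-bounds read attempted */
}

int corrupted_count_hardened(void)
{
    struct transport t = { INPUT, INPUT_LEN, 0 };
    struct reader r;
    fill_and_corrupt(&r, &t);
    return readchar_hardened(&r);   /* 'N': refilled and continued safely */
}

int main(void)
{
    printf("bytes read: %d\n", count_bytes_until_eof());
    printf("fragile after corruption: %d\n", corrupted_count_fragile());
    printf("hardened after corruption: %c\n", corrupted_count_hardened());
    return 0;
}
```

The point of the two scenarios is that the hardened check costs nothing on the normal path (scenario 1 reads all 21 bytes and stops at EOF) while turning an out-of-bounds stack read into a harmless refill in scenario 2. The real gdbserver state that lets the count go negative is exactly what the reporter says they could not identify, so the corruption here is injected directly rather than reproduced.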
Thread overview: 2+ messages
2023-09-07 17:54 research.mntcrl at gmail dot com [this message]
2023-09-07 18:31 ` [Bug server/30832] " ssbssa at sourceware dot org