public inbox for gdb-prs@sourceware.org
From: "research.mntcrl at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug server/30832] New: Sending specific GDB Remote Serial Protocol commands with a certain timing results a read out of bound and SEGFAULT
Date: Thu, 07 Sep 2023 17:54:35 +0000
Message-ID: <bug-30832-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=30832

            Bug ID: 30832
           Summary: Sending specific GDB Remote Serial Protocol commands
                    with a certain timing results a read out of bound and
                    SEGFAULT
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: server
          Assignee: unassigned at sourceware dot org
          Reporter: research.mntcrl at gmail dot com
  Target Milestone: ---

Created attachment 15102
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15102&action=edit
Python3 script used to trigger the bug

Hello GDB developers,
During a debug session with IDAPro 7.7 in conjunction with gdbserver running on
Debian, I encountered a crash while IDA was trying to reconnect to the remote
debugger.

I reproduced exactly all the “GDB serial Protocol” commands that I sent to
gdbserver using a python script and the only error I got was SIGPIPE. I noticed
that adding a sleep between the commands resulted in the same crash mentioned
above.


After a little bit of trial and error I found that the combination of commands
resulting in SEGFAULT was:

1) "+" --> (sleep one second after the response)
2) "QStartNoAckMode" --> (sleep one second after the response)
3) "%" --> (sleep one second after the response, and the string sent can be
anything)

I was running gdbserver in my local network using "gdbserver localhost:23946
~/Desktop/binary"; the version of gdbserver is GNU gdbserver (Debian 13.2-1)
13.2 and gdbserver was configured as "x86_64-linux-gnu".

Usually if the commands are not sent with the right timing the only error
raised is SIGPIPE and the program keeps running.
I found out that there is a read out of bound during the call of readchar
(gdbserver/remote-utils.cc:847).

The variable readchar_bufcnt is decremented leading to a backward stack read
out of bound causing a SEGMENTATION FAULT.

I have no clue why the input bypasses the checks and starts to read the stack.

If readchar_bufcnt < 0 in readchar (gdbserver/remote-utils.cc:847), it would
return -1.

gdbserver is installed using the package manager (sudo apt install gdbserver).

I compiled the program with symbols and I got the same issue.

Thank you for your attention and support.
Vincenzo Cantatore Gianluca Parisi Vincenzo Turturro (M0NT3C4RL0 Team)

-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-kali3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdbserver depends on:
ii  libc6       2.37-6
ii  libgcc-s1   13.1.0-6
ii  libstdc++6  13.1.0-6

gdbserver recommends no packages.

gdbserver suggests no packages.

-- no debconf information

-- 
You are receiving this mail because:
You are on the CC list for the bug.
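A simplified model of the guard the report proposes, added here as an example and not taken from gdbserver's source: a buffered one-byte reader with a count in the role of readchar_bufcnt, where a count that is not positive triggers a refill or returns -1 instead of indexing before the buffer. The struct, the function names and the in-memory input stream are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#define READCHAR_BUFSIZE 8

/* Constructed model, not gdbserver's remote-utils.cc: a one-byte reader that
 * buffers input the way readchar() does, fed from an in-memory byte string. */
struct reader {
    const unsigned char *src;   /* constructed input stream */
    size_t src_len, src_pos;
    unsigned char buf[READCHAR_BUFSIZE];
    unsigned char *bufp;        /* next byte to hand out */
    int bufcnt;                 /* bytes left in buf (the readchar_bufcnt role) */
};

static void reader_init(struct reader *r, const unsigned char *src, size_t len)
{
    memset(r, 0, sizeof *r);    /* bufcnt == 0 forces a refill on first read */
    r->src = src;
    r->src_len = len;
}

/* Refill buf from the stream; returns the byte count, 0 at end of stream. */
static int reader_refill(struct reader *r)
{
    size_t n = r->src_len - r->src_pos;
    if (n > READCHAR_BUFSIZE)
        n = READCHAR_BUFSIZE;
    memcpy(r->buf, r->src + r->src_pos, n);
    r->src_pos += n;
    r->bufp = r->buf;
    r->bufcnt = (int) n;
    return (int) n;
}

/* Next byte, or -1 when nothing is left. Testing "<= 0" rather than "== 0" is
 * the guard: a count that has gone negative is treated as an empty buffer, so
 * bufp never advances beyond the bytes actually stored. */
static int readchar(struct reader *r)
{
    if (r->bufcnt <= 0 && reader_refill(r) <= 0)
        return -1;
    r->bufcnt--;
    return *r->bufp++;
}
```

The checksum in the sample packet is the usual GDB RSP modulo-256 sum of the payload bytes; the point of the model is only that a count driven negative ends in -1, never in a read outside buf.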
