From: "research.mntcrl at gmail dot com"
To: gdb-prs@sourceware.org
Subject: [Bug server/30832] New: Sending specific GDB Remote Serial Protocol commands with a certain timing results in an out-of-bounds read and SEGFAULT
Date: Thu, 07 Sep 2023 17:54:35 +0000
List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=30832

            Bug ID: 30832
           Summary: Sending specific GDB Remote Serial Protocol commands
                    with a certain timing results in an out-of-bounds read
                    and SEGFAULT
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: server
          Assignee: unassigned at sourceware dot org
          Reporter: research.mntcrl at gmail dot com
  Target Milestone: ---

Created attachment 15102
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15102&action=edit
Python3 script used to trigger the bug

Hello GDB developers,

During a debug session with IDAPro 7.7 in conjunction with gdbserver running on Debian, I encountered a crash while IDA was trying to reconnect to the remote debugger.

I reproduced exactly all the "GDB serial Protocol" commands that I sent to gdbserver using a python script and the only error I got was SIGPIPE. I noticed that adding a sleep between the commands resulted in the same crash mentioned above.

After a little bit of trial and error I found that the combination of commands resulting in SEGFAULT was:

1) "+"              --> (sleep one second after the response)
2) "QStartNoAckMode" --> (sleep one second after the response)
3) "%"              --> (sleep one second after the response, and the string sent can be anything)

I was running gdbserver in my local network using "gdbserver localhost:23946 ~/Desktop/binary"; the version of gdbserver is GNU gdbserver (Debian 13.2-1) 13.2 and gdbserver was configured as "x86_64-linux-gnu".

Usually if the commands are not sent with the right timing the only error raised is SIGPIPE and the program keeps running.

I found out that there is an out-of-bounds read during the call of readchar (gdbserver/remote-utils.cc:847). The variable readchar_bufcnt is decremented, leading to a backward out-of-bounds stack read causing a SEGMENTATION FAULT. I have no clue why the input bypasses the checks and starts to read the stack. If readchar_bufcnt < 0 in readchar (gdbserver/remote-utils.cc:847), it would return -1.

gdbserver is installed using the package manager (sudo apt install gdbserver). I compiled the program with symbols and I got the same issue.

Thank you for your attention and support.

Vincenzo Cantatore
Gianluca Parisi
Vincenzo Turturro
(M0NT3C4RL0 Team)

-- System Information:
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2023.3
Codename:       kali-rolling
Architecture:   x86_64

Kernel: Linux 5.10.0-kali3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdbserver depends on:
ii  libc6       2.37-6
ii  libgcc-s1   13.1.0-6
ii  libstdc++6  13.1.0-6

gdbserver recommends no packages.

gdbserver suggests no packages.

-- no debconf information
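Added example, not gdbserver's code and not the reporter's script: a simplified C model of the readchar() buffering the report describes (a buffer, an unread-byte count readchar_bufcnt and a cursor readchar_bufp), with the guard the reporter proposes for a negative count. The 16-byte buffer, the in-memory stand-in for the socket read and the sample packet are constructed for the example.

```c
#include <string.h>

/* Added example, NOT gdbserver's code: model of the readchar() buffering in
   gdbserver/remote-utils.cc with a guard for a negative readchar_bufcnt. */
#define MODEL_BUFSIZ 16
#define MODEL_SAMPLE "$QStartNoAckMode#b0"   /* constructed sample packet */

static unsigned char readchar_buf[MODEL_BUFSIZ];
static int readchar_bufcnt = 0;
static unsigned char *readchar_bufp = readchar_buf;

/* Stand-in for the socket read: serves a constructed in-memory stream. */
static const unsigned char *src_data;
static size_t src_len, src_pos;

static int model_read_prim(unsigned char *buf, size_t n) {
  size_t avail = src_len - src_pos;
  if (avail == 0) return 0;                 /* EOF, as read() would report */
  if (n > avail) n = avail;
  memcpy(buf, src_data + src_pos, n);
  src_pos += n;
  return (int)n;
}

void model_reset(const unsigned char *data, size_t len) {
  src_data = data; src_len = len; src_pos = 0;
  readchar_bufcnt = 0; readchar_bufp = readchar_buf;
}

/* Simulates the reported condition: the unread count driven below zero. */
void model_corrupt_count(int value) { readchar_bufcnt = value; }
int model_count(void) { return readchar_bufcnt; }

/* Hardened readchar: refilling only when the count is exactly zero lets a
   negative count be decremented again and the cursor walk off the buffer.
   Here a negative count resets the state and fails, and the cursor is
   bounds-checked before it is dereferenced. */
int readchar_checked(void) {
  if (readchar_bufcnt < 0) { readchar_bufcnt = 0; return -1; }
  if (readchar_bufcnt == 0) {
    readchar_bufcnt = model_read_prim(readchar_buf, sizeof readchar_buf);
    if (readchar_bufcnt <= 0) { readchar_bufcnt = 0; return -1; }
    readchar_bufp = readchar_buf;
  }
  if (readchar_bufp >= readchar_buf + sizeof readchar_buf) {
    readchar_bufcnt = 0; readchar_bufp = readchar_buf; return -1;
  }
  readchar_bufcnt--;
  return *readchar_bufp++;
}
```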