From: "dbrumley at forallsecure dot com"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/30847] gdbtypes.c:3355: internal-error causes gdb to abort when setting breakpoint
Date: Wed, 20 Sep 2023 14:42:03 +0000
Bug URL: https://sourceware.org/bugzilla/show_bug.cgi?id=30847

--- Comment #2 from David Brumley ---

Thanks for the reply! This is an old executable and was trying to run as-is. I have a very weird use case. Was demo'ing exploitation (I'm a prof at CMU; demo'ing CVE-2020-13995), and was trying to do this on the binary from the vendor. A little more "authentic" that way.

In the grand scheme of things this is odd, and reported because gdb said to and I was curious if it could be used for anti-debugging. Totally fair to close this issue since I can't see this happening in any normal dev scenario.

For completeness:

* The binary is from an old redhat system with an old `glibc` where `errno` works differently (pre pthread?).
* It failed to run initially with `extract75: symbol lookup error: ./extract75: undefined symbol: errno, version GLIBC_2.0`
* I edited the binary to run (and it runs fine) by changing the errno symbol to point to stdin.

I thought the symbol editing might be the source of the problem. I recompiled gdb on my debian system with symbols, and here is the symbol bt in case it's useful. I'm not seeing anything specific to stabs, but I'm also a total newb here and don't know anything really. Again, feel free to close if uninteresting.

```
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f2a32386537 in __GI_abort () at abort.c:79
During symbol reading: incomplete CFI data; unspecified registers (e.g., rax) at 0x5652ee9bc49d
#2  0x00005652ee9bc4c7 in dump_core () at utils.c:204
#3  0x00005652ee9bca14 in internal_vproblem(internal_problem *, const char *, int, const char *, typedef __va_list_tag __va_list_tag *) (problem=0x5652eefb7000 , file=0x5652eebf4abd "gdbtypes.c", line=3355, fmt=0x5652eebf4769 "%s: Assertion `%s' failed.", ap=0x7ffe37252ec8) at utils.c:414
#4  0x00005652ee9bcada in internal_verror (file=0x5652eebf4abd "gdbtypes.c", line=3355, fmt=0x5652eebf4769 "%s: Assertion `%s' failed.", ap=0x7ffe37252ec8) at utils.c:439
#5  0x00005652eeb427af in internal_error (file=0x5652eebf4abd "gdbtypes.c", line=3355, fmt=0x5652eebf4769 "%s: Assertion `%s' failed.") at errors.cc:55
#6  0x00005652ee6c933c in init_complex_type (name=0x0, target_type=0x5652f021e600) at gdbtypes.c:3355
#7  0x00005652ee8ec69f in read_range_type (pp=0x7ffe37253298, typenums=0x7ffe372530d8, type_size=-1, objfile=0x5652f01a2c40) at stabsread.c:4064
#8  0x00005652ee8e74e0 in read_type (pp=0x7ffe37253298, objfile=0x5652f01a2c40) at stabsread.c:1932
#9  0x00005652ee8e562f in define_symbol (valu=0x0, string=0x5652f01de7d3 "complex double:t(0,17)=r(0,17);16;0;", desc=0, type=128, objfile=0x5652f01a2c40) at stabsread.c:1205
#10 0x00005652ee5ba59a in process_one_symbol (type=128, desc=0, valu=0x0, name=0x5652f01de7d3 "complex double:t(0,17)=r(0,17);16;0;", section_offsets=std::vector of length 31, capacity 31 = {...}, objfile=0x5652f01a2c40, language=language_c) at dbxread.c:2789
#11 0x00005652ee5b961a in read_ofile_symtab (objfile=0x5652f01a2c40, pst=0x5652f01dbf50) at dbxread.c:2233
#12 0x00005652ee5b8f59 in dbx_expand_psymtab (pst=0x5652f01dbf50, objfile=0x5652f01a2c40) at dbxread.c:2083
#13 0x00005652ee5bbb40 in legacy_psymtab::expand_psymtab (this=0x5652f01dbf50, objf=0x5652f01a2c40) at psympriv.h:371
#14 0x00005652ee81723a in partial_symtab::expand_dependencies (this=0x5652f01ceeb0, objfile=0x5652f01a2c40) at psymtab.c:1731
#15 0x00005652ee5b8eea in dbx_expand_psymtab (pst=0x5652f01ceeb0, objfile=0x5652f01a2c40) at dbxread.c:2071
#16 0x00005652ee5bbb40 in legacy_psymtab::expand_psymtab (this=0x5652f01ceeb0, objf=0x5652f01a2c40) at psympriv.h:371
#17 0x00005652ee81723a in partial_symtab::expand_dependencies (this=0x5652f01f2f00, objfile=0x5652f01a2c40) at psymtab.c:1731
#18 0x00005652ee5b8eea in dbx_expand_psymtab (pst=0x5652f01f2f00, objfile=0x5652f01a2c40) at dbxread.c:2071
#19 0x00005652ee5bbb40 in legacy_psymtab::expand_psymtab (this=0x5652f01f2f00, objf=0x5652f01a2c40) at psympriv.h:371
#20 0x00005652ee5b90b8 in dbx_read_symtab (self=0x5652f01f2f00, objfile=0x5652f01a2c40) at dbxread.c:2113
#21 0x00005652ee5bbb15 in legacy_psymtab::read_symtab (this=0x5652f01f2f00, objf=0x5652f01a2c40) at psympriv.h:366
#22 0x00005652ee8146b4 in psymtab_to_symtab (objfile=0x5652f01a2c40, pst=0x5652f01f2f00) at psymtab.c:766
#23 0x00005652ee813bb4 in psym_lookup_symbol (objfile=0x5652f01a2c40, block_index=GLOBAL_BLOCK, name=0x7ffe37253f70 "main", domain=VAR_DOMAIN) at psymtab.c:493
#24 0x00005652ee91a38f in lookup_symbol_via_quick_fns (objfile=0x5652f01a2c40, block_index=GLOBAL_BLOCK, name=0x7ffe37253f70 "main", domain=VAR_DOMAIN) at symtab.c:2373
#25 0x00005652ee91a7ef in lookup_symbol_in_objfile (During symbol reading: Child DIE 0x25597a5 and its abstract origin 0x255ec59 have different parents
objfile=0x5652f01a2c40, block_index=GLOBAL_BLOCK, name=0x7ffe37253f70 "main", domain=VAR_DOMAIN) at symtab.c:2522
#26 0x00005652ee91aa73 in lookup_symbol_global_or_static_iterator_cb (objfile=0x5652f01a2c40, cb_data=0x7ffe37253d40) at symtab.c:2596
#27 0x00005652ee8d04d0 in svr4_iterate_over_objfiles_in_search_order (gdbarch=0x5652f0172dd0, cb=0x5652ee91a9e8 , cb_data=0x7ffe37253d40, current_objfile=0x0) at solib-svr4.c:3248
#28 0x00005652ee6bec94 in gdbarch_iterate_over_objfiles_in_search_order (gdbarch=0x5652f0172dd0, cb=0x5652ee91a9e8 , cb_data=0x7ffe37253d40, current_objfile=0x0) at gdbarch.c:4868
#29 0x00005652ee91ac01 in lookup_global_or_static_symbol (name=0x7ffe37253f70 "main", block_index=GLOBAL_BLOCK, objfile=0x0, domain=VAR_DOMAIN) at symtab.c:2641
#30 0x00005652ee91ad70 in lookup_global_symbol (name=0x7ffe37253f70 "main", block=0x0, domain=VAR_DOMAIN) at symtab.c:2692
#31 0x00005652ee91a568 in language_defn::lookup_symbol_nonlocal (this=0x5652eefc57e0 , name=0x7ffe37253f70 "main", block=0x0, domain=VAR_DOMAIN) at symtab.c:2442
#32 0x00005652ee919929 in lookup_symbol_aux (name=0x7ffe37253f70 "main", match_type=symbol_name_match_type::FULL, block=0x0, domain=VAR_DOMAIN, language=language_c, is_a_field_of_this=0x0) at symtab.c:2089
#33 0x00005652ee9190f8 in lookup_symbol_in_language (name=0x7ffe37253f70 "main", block=0x0, domain=VAR_DOMAIN, lang=language_c, is_a_field_of_this=0x0) at symtab.c:1884
#34 0x00005652ee919172 in lookup_symbol (name=0x7ffe37253f70 "main", block=0x0, domain=VAR_DOMAIN, is_a_field_of_this=0x0) at symtab.c:1896
#35 0x00005652ee5a192a in inspect_type (info=0x5652f01d0e00, ret_comp=0x5652effec990, finder=0x0, data=0x0) at cp-support.c:160
#36 0x00005652ee5a2573 in replace_typedefs (info=0x5652f01d0e00, ret_comp=0x5652effec990, finder=0x0, data=0x0) at cp-support.c:544
#37 0x00005652ee5a26ca in cp_canonicalize_string_full (During symbol reading: .debug_line address at offset 0x1d81f9 is 0 [in module /usr/src/gdb/gdb/gdb]
string=0x5652f01d0fc0 "main", finder=0x0, data=0x0) at cp-support.c:595
#38 0x00005652ee5a280a in cp_canonicalize_string_no_typedefs (string=0x5652f01d0fc0 "main") at cp-support.c:619
#39 0x00005652ee741a69 in find_linespec_symbols (state=0x7ffe372546c0, file_symtabs=0x5652f01d0e70, lookup_name=0x5652f01d0fc0 "main", name_match_type=symbol_name_match_type::WILD, symbols=0x7ffe37254340, minsyms=0x7ffe37254320) at linespec.c:3902
#40 0x00005652ee73c112 in linespec_parse_basic (parser=0x7ffe37254690) at linespec.c:1866
#41 0x00005652ee73e53e in parse_linespec (parser=0x7ffe37254690, arg=0x5652f01d0d60 "main", match_type=symbol_name_match_type::WILD) at linespec.c:2655
#42 0x00005652ee73f97d in event_location_to_sals (parser=0x7ffe37254690, location=0x5652f01d0d20) at linespec.c:3151
#43 0x00005652ee73fd81 in decode_line_full (location=0x5652f01d0d20, flags=1, search_pspace=0x0, default_symtab=0x0, default_line=0, canonical=0x7ffe37254ac0, select_mode=0x0, filter=0x0) at linespec.c:3230
#44 0x00005652ee4da613 in parse_breakpoint_sals (location=0x5652f01d0d20, canonical=0x7ffe37254ac0) at breakpoint.c:9037
#45 0x00005652ee4e59f1 in create_sals_from_location_default (location=0x5652f01d0d20, canonical=0x7ffe37254ac0, type_wanted=bp_breakpoint) at breakpoint.c:13733
#46 0x00005652ee4e2e80 in bkpt_create_sals_from_location (location=0x5652f01d0d20, canonical=0x7ffe37254ac0, type_wanted=bp_breakpoint) at breakpoint.c:12534
#47 0x00005652ee4daf23 in create_breakpoint (gdbarch=0x5652f0172dd0, location=0x5652f01d0d20, cond_string=0x0, thread=0, extra_string=0x0, parse_extra=1, tempflag=0, type_wanted=bp_breakpoint, ignore_count=0, pending_break_support=AUTO_BOOLEAN_AUTO, ops=0x5652eefc4380 , from_tty=1, enabled=1, internal=0, flags=0) at breakpoint.c:9253
#48 0x00005652ee4db77f in break_command_1 (arg=0x5652effec74a "", flag=0, from_tty=1) at breakpoint.c:9411
#49 0x00005652ee4dba68 in break_command (arg=0x5652effec746 "main", from_tty=1) at breakpoint.c:9482
#50 0x00005652ee5434c2 in do_const_cfunc (c=0x5652f00e5ee0, args=0x5652effec746 "main", from_tty=1) at cli/cli-decode.c:95
#51 0x00005652ee546c16 in cmd_func (cmd=0x5652f00e5ee0, args=0x5652effec746 "main", from_tty=1) at cli/cli-decode.c:2181
#52 0x00005652ee96c110 in execute_command (p=0x5652effec749 "n", from_tty=1) at top.c:668
#53 0x00005652ee68afe5 in command_handler (command=0x5652effec740 "break main") at event-top.c:588
#54 0x00005652ee68b420 in command_line_handler (rl=...) at event-top.c:773
#55 0x00005652ee68a7d1 in gdb_rl_callback_handler (rl=0x5652f01dbfe0 "break main") at event-top.c:219
#56 0x00005652eea1ec79 in rl_callback_read_char () at callback.c:281
#57 0x00005652ee68a641 in gdb_rl_callback_read_char_wrapper_noexcept () at event-top.c:177
#58 0x00005652ee68a6c8 in gdb_rl_callback_read_char_wrapper (client_data=0x5652effeb670) at event-top.c:194
#59 0x00005652ee68ae87 in stdin_event_handler (error=0, client_data=0x5652effeb670) at event-top.c:516
#60 0x00005652eeb434ca in handle_file_event (file_ptr=0x5652f0182560, ready_mask=1) at event-loop.cc:548
#61 0x00005652eeb43a65 in gdb_wait_for_event (block=1) at event-loop.cc:673
#62 0x00005652eeb42962 in gdb_do_one_event () at event-loop.cc:215
#63 0x00005652ee78017b in start_event_loop () at main.c:356
#64 0x00005652ee78029c in captured_command_loop () at main.c:416
#65 0x00005652ee7819e3 in captured_main (data=0x7ffe37255230) at main.c:1253
#66 0x00005652ee781a49 in gdb_main (args=0x7ffe37255230) at main.c:1268
#67 0x00005652ee44d75f in main (argc=2, argv=0x7ffe37255348) at gdb.c:32
```
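Added example, not part of the bug report and not gdb code: the backtrace above aborts while gdb's stabs reader (frames #7 to #10, `type=128`, i.e. an `N_LSYM` entry) handles the string `complex double:t(0,17)=r(0,17);16;0;`. The reader below decodes what such a string means under the stabs convention, where a range type that refers to itself with a high bound of 0 and a positive low bound denotes a floating-point type of that many bytes, and lists every type-definition string an ELF `.stab`/`.stabstr` pair contains. That is a cheap way to inspect what debug data a foreign binary will feed the debugger before loading it, which is the anti-debugging question raised in the comment. The sections are constructed inline here; on a real binary they can be dumped with `objcopy -O binary --only-section=.stab` (and `.stabstr`). The little-endian 12-byte entry layout is assumed for an x86-class target.

```python
import re
import struct

# One ELF stab entry: n_strx (u32), n_type (u8), n_other (u8), n_desc (u16), n_value (u32).
# Little-endian is an assumption (x86-class target, as in the report).
STAB_ENTRY = struct.Struct("<IBBHI")
N_UNDF = 0x00   # per-unit header entry: n_desc = entry count, n_value = .stabstr size
N_LSYM = 0x80   # 128: local symbol / type definition (the 'type=128' seen in frame #10)

# Constructed sample of type-definition strings (not taken from extract75).
SAMPLE = [
    "int:t(0,1)=r(0,1);-2147483648;2147483647;",
    "x:(0,1)",                                   # a local variable, not a type definition
    "float:t(0,14)=r(0,14);4;0;",
    "complex double:t(0,17)=r(0,17);16;0;",      # same shape as the string in frame #9
    "char:t(0,2)=r(0,2);0;127;",
    "void:t(0,19)=(0,19)",                       # not a range type; decoded as None
]


def build_stab_sections(strings):
    """Build a toy .stab/.stabstr pair whose every entry is an N_LSYM (constructed data)."""
    stabstr = b"\x00"                 # .stabstr conventionally starts with an empty string
    entries = []
    for s in strings:
        strx = len(stabstr)
        stabstr += s.encode() + b"\x00"
        entries.append(STAB_ENTRY.pack(strx, N_LSYM, 0, 0, 0))
    header = STAB_ENTRY.pack(0, N_UNDF, 0, len(entries), len(stabstr))
    return header + b"".join(entries), stabstr


def iter_stabs(stab, stabstr):
    """Yield (n_type, n_desc, n_value, string) for each complete entry; trailing bytes ignored."""
    usable = len(stab) - len(stab) % STAB_ENTRY.size
    for off in range(0, usable, STAB_ENTRY.size):
        n_strx, n_type, _n_other, n_desc, n_value = STAB_ENTRY.unpack_from(stab, off)
        end = stabstr.find(b"\x00", n_strx)
        if end < 0:                   # unterminated string: take the rest of the table
            end = len(stabstr)
        yield n_type, n_desc, n_value, stabstr[n_strx:end].decode("latin-1")


# name ':' t|T typenum '=' 'r' reftype ';' low ';' high ';'   (simple range types only)
RANGE_RE = re.compile(
    r"^(?P<name>[^:]*):[tT](?P<num>\(\d+,\d+\)|\d+)"
    r"=r(?P<ref>\(\d+,\d+\)|\d+);(?P<lo>-?\d+);(?P<hi>-?\d+);$"
)


def describe_range_type(s):
    """Decode a stabs range-type definition; None if the string is not a simple range type."""
    m = RANGE_RE.match(s)
    if not m:
        return None
    lo, hi = int(m["lo"]), int(m["hi"])
    self_ref = m["ref"] == m["num"]
    if self_ref and hi == 0 and lo > 0:
        kind = f"float{lo * 8}"       # stabs: self-range, high 0, low = width in bytes
    elif self_ref and lo == 0 and hi == 0:
        kind = "void"
    elif self_ref:
        kind = f"integer[{lo},{hi}]"
    else:
        kind = f"subrange[{lo},{hi}] of {m['ref']}"
    return {"name": m["name"], "typenum": m["num"], "kind": kind,
            "self_ref": self_ref, "lo": lo, "hi": hi}


def list_type_definitions(stab, stabstr):
    """Return (string, decoded-or-None) for every N_LSYM entry that defines a type."""
    out = []
    for n_type, _desc, _value, s in iter_stabs(stab, stabstr):
        if n_type != N_LSYM or (":t" not in s and ":T" not in s):
            continue
        out.append((s, describe_range_type(s)))
    return out


if __name__ == "__main__":
    stab, stabstr = build_stab_sections(SAMPLE)
    for s, info in list_type_definitions(stab, stabstr):
        print(f"{s!r:50} -> {info['kind'] if info else 'not a simple range type'}")
```

Running it on the constructed sections reports the `complex double` entry as a 16-byte self-referential float (`float128`) declared under a complex-valued name, which is the combination the stabs reader was processing when gdb's internal assertion fired. Any type definition that is not a plain range type comes back as `None`, so unusual or nested definitions stand out for manual review rather than being silently skipped.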