jxx13 at psu dot edu
2018-09-14 14:50:20 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23657
Bug ID: 23657
Summary: Out of bound memory access
Product: gdb
Version: HEAD
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: jxx13 at psu dot edu
Target Milestone: ---
Created attachment 11246
--> https://sourceware.org/bugzilla/attachment.cgi?id=11246&action=edit
Sample to trigger the bug
Our fuzzer finds the following bug:
dwarf2read.c:19513:
19508 if (str_offset >= sect->size)
19509 error (_("%s pointing outside of %s section [in module %s]"),
19510 form_name, sect_name, bfd_get_filename (abfd));
19511 gdb_assert (HOST_CHAR_BIT == 8);
19512 if (sect->buffer[str_offset] == '\0')
Line 19508 compares the access index with the size of the section. This size, which
is specified in the target file, can be an arbitrary value. Setting it to
0xffffffffffffffff (on x86_64), the comparison never rejects the index. This leads to an
out-of-bound access at line 19512.
A test case running on x86_64 CentOS Linux 7 is attached. It can stably crash
the most recent version of GDB on GitHub.
Stack trace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000586cb3 in read_indirect_string_at_offset_from (objfile=<optimized
out>, str_offset=<optimized out>, sect=0xfe5db8, form_name=0x900f18
"DW_FORM_strp", sect_name=0x8fb438 ".debug_str", abfd=<optimized out>) at
dwarf2read.c:19513
19513 return NULL;
Missing separate debuginfos, use: debuginfo-install expat-2.1.0-10.el7_3.x86_64
glibc-2.17-196.el7.x86_64 gmp-6.0.0-12.el7_1.x86_64 libgcc-4.8.5-16.el7.x86_64
libstdc++-4.8.5-16.el7.x86_64 mpfr-3.1.1-4.el7.x86_64
ncurses-libs-5.9-13.20130511.el7.x86_64 python-libs-2.7.5-58.el7.x86_64
xz-libs-5.2.2-1.el7.x86_64
(gdb) info stack
#0 0x0000000000586cb3 in read_indirect_string_at_offset_from
(objfile=<optimized out>, str_offset=<optimized out>, sect=0xfe5db8,
form_name=0x900f18 "DW_FORM_strp", sect_name=0x8fb438 ".debug_str",
abfd=<optimized out>) at dwarf2read.c:19513
#1 0x0000000000589919 in read_indirect_line_string_at_offset
(str_offset=<optimized out>, abfd=<optimized out>,
dwarf2_per_objfile=<optimized out>) at dwarf2read.c:19539
#2 read_indirect_line_string (bytes_read_ptr=<optimized out>,
cu_header=<optimized out>, buf=<optimized out>, abfd=<optimized out>,
dwarf2_per_objfile=<optimized out>) at dwarf2read.c:19595
#3 read_attribute_value (reader=***@entry=0x7fffffffdd20,
attr=***@entry=0x7fffffffda60, form=14, implicit_const=-1,
info_ptr=0x7fffef2d6773 "S\227\003") at dwarf2read.c:19077
#4 0x000000000058d179 in read_attribute (info_ptr=<optimized out>,
abbrev=<optimized out>, attr=0x7fffffffda60, reader=0x7fffffffdd20) at
dwarf2read.c:19242
#5 partial_die_info::read (this=***@entry=0x7fffffffdb30,
reader=***@entry=0x7fffffffdd20, abbrev=..., info_ptr=<optimized out>) at
dwarf2read.c:18562
#6 0x000000000058d972 in load_partial_dies
(reader=***@entry=0x7fffffffdd20, info_ptr=***@entry=0x7fffef2d6772
"\002S\227\003", building_psymtab=***@entry=1) at
dwarf2read.c:18370
#7 0x000000000059e11b in process_psymtab_comp_unit_reader
(reader=***@entry=0x7fffffffdd20, info_ptr=0x7fffef2d6772 "\002S\227\003",
comp_unit_die=0x1014d40, has_children=<optimized out>,
data=***@entry=0x7fffffffddb0) at dwarf2read.c:8030
#8 0x00000000005903f6 in init_cutu_and_read_dies
(this_cu=***@entry=0xfe6070, abbrev_table=<optimized out>,
***@entry=0x0, use_existing_cu=***@entry=0,
keep=***@entry=0, skip_partial=***@entry=false,
die_reader_func=0x59dd60 <process_psymtab_comp_unit_reader(die_reader_specs
const*, gdb_byte const*, die_info*, int, void*)>, data=0x7fffffffddb0) at
dwarf2read.c:7664
#9 0x0000000000593c3b in process_psymtab_comp_unit (this_cu=0xfe6070,
want_partial_unit=***@entry=0,
pretend_language=***@entry=language_minimal) at dwarf2read.c:8121
#10 0x00000000005a2988 in dwarf2_build_psymtabs_hard
(dwarf2_per_objfile=0xfe5ca0) at dwarf2read.c:8481
#11 dwarf2_build_psymtabs (objfile=0xfda160) at dwarf2read.c:6305
#12 0x00000000006469ec in require_partial_symbols
(objfile=***@entry=0xfda160, verbose=***@entry=0) at psymtab.c:86
#13 0x0000000000697b45 in read_symbols (objfile=***@entry=0xfda160,
add_flags=..., ***@entry=...) at symfile.c:817
#14 0x0000000000697373 in syms_from_objfile_1 (add_flags=...,
addrs=0x7fffffffdf70, objfile=0xfda160) at symfile.c:996
#15 syms_from_objfile (add_flags=..., addrs=0x20, objfile=0xfda160) at
symfile.c:1012
#16 symbol_file_add_with_addrs (abfd=<optimized out>,
name=***@entry=0x7fffffffe567 "/tmp/binutils-2.30/binutils/objdump",
add_flags=..., ***@entry=..., addrs=***@entry=0x0, flags=...,
***@entry=..., parent=***@entry=0x0) at symfile.c:1119
#17 0x00000000006986ca in symbol_file_add_from_bfd (parent=0x0, flags=...,
addrs=0x0, add_flags=..., name=0x7fffffffe567
"/tmp/binutils-2.30/binutils/objdump", abfd=<optimized out>) at symfile.c:1204
#18 symbol_file_add (name=***@entry=0x7fffffffe567
"/tmp/binutils-2.30/binutils/objdump", add_flags=***@entry=...,
addrs=***@entry=0x0, flags=***@entry=...) at symfile.c:1217
#19 0x0000000000698742 in symbol_file_add_main_1
(args=***@entry=0x7fffffffe567 "/tmp/binutils-2.30/binutils/objdump",
add_flags=..., flags=***@entry=..., reloff=***@entry=0) at symfile.c:1240
#20 0x000000000069878d in symbol_file_add_main (args=***@entry=0x7fffffffe567
"/tmp/binutils-2.30/binutils/objdump", add_flags=..., ***@entry=...) at
symfile.c:1231
#21 0x0000000000617663 in symbol_file_add_main_adapter
(arg=***@entry=0x7fffffffe567 "/tmp/binutils-2.30/binutils/objdump",
from_tty=***@entry=1) at main.c:403
#22 0x00000000006176f8 in catch_command_errors (command=***@entry=0x617650
<symbol_file_add_main_adapter(char const*, int)>, arg=***@entry=0x7fffffffe567
"/tmp/binutils-2.30/binutils/objdump", from_tty=1) at main.c:379
#23 0x000000000061859d in captured_main_1 (context=0x7fffffffe0b0,
this=<optimized out>) at main.c:1053
#24 captured_main (data=0x7fffffffe0b0) at main.c:1163
#25 gdb_main (args=***@entry=0x7fffffffe1e0) at main.c:1189
#26 0x000000000040f1d5 in main (argc=<optimized out>, argv=<optimized out>) at
gdb.c:32
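The report's point is that the `str_offset >= sect->size` test on line 19508 is only sound if `sect->size` itself is trustworthy. The following C is an added example (not gdb's code): a constructed `dwarf_section` stand-in, a check that the header-declared section size fits inside the bytes actually present in the file, and a string lookup that also bounds the terminator scan. All names and the sample `.debug_str` bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for gdb's dwarf2_section_info (constructed for this example). */
struct dwarf_section {
  const unsigned char *buffer;
  uint64_t size;   /* size as declared by the section header */
};

/* Is the declared section size consistent with the container?  The
   section must lie entirely within the bytes mapped from the file.
   Returns 1 if trustworthy, 0 otherwise. */
int section_fits_in_file(uint64_t sect_file_offset, uint64_t declared_size,
                         uint64_t file_size)
{
  if (sect_file_offset > file_size)
    return 0;
  /* Subtract rather than add, so a declared size such as
     0xffffffffffffffff cannot wrap the arithmetic around. */
  return declared_size <= file_size - sect_file_offset;
}

/* Bounds-checked DW_FORM_strp lookup.  Returns NULL when the offset is at or
   past the section end, or when no NUL terminator exists inside the section,
   so the caller never reads past sect->buffer + sect->size. */
const char *lookup_strp(const struct dwarf_section *sect, uint64_t str_offset)
{
  if (str_offset >= sect->size)
    return NULL;                       /* same test as line 19508 */
  const unsigned char *p = sect->buffer + str_offset;
  if (memchr(p, '\0', (size_t)(sect->size - str_offset)) == NULL)
    return NULL;                       /* unterminated string: reject */
  return (const char *)p;
}

/* Constructed sample .debug_str: "", "main", "foo" (10 bytes incl. final NUL). */
static const unsigned char sample_debug_str[] = "\0main\0foo";

const char *lookup_in_sample(uint64_t str_offset)
{
  struct dwarf_section s = { sample_debug_str, sizeof sample_debug_str };
  return lookup_strp(&s, str_offset);
}

/* Constructed section whose bytes carry no terminator at all. */
const char *lookup_unterminated(void)
{
  static const unsigned char no_nul[3] = { 'a', 'b', 'c' };
  struct dwarf_section s = { no_nul, sizeof no_nul };
  return lookup_strp(&s, 0);
}
```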
--
You are receiving this mail because:
You are on the CC list for the bug.