Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[gdb] Fix heap-buffer-overflow in cp_find_first_component_aux
When compiling gdb with '-lasan -fsanitizer=address' and running tests with: - export ASAN_OPTIONS="detect_leaks=0:alloc_dealloc_mismatch=0", - target board cc-with-gdb-index, - the "[gdb/testsuite] Fix gdb.base/break-probes.exp with native-gdbserver" commit reverted to avoid running into PR24617, we get with gdb.arch/amd64-init-x87-values.exp: ... ==31229==ERROR: AddressSanitizer: heap-buffer-overflow on address \ 0x62500098c93c at pc 0x000000bcc748 bp 0x7ffe39487660 sp 0x7ffe39487658 READ of size 1 at 0x62500098c93c thread T0 #0 0xbcc747 in cp_find_first_component_aux src/gdb/cp-support.c:999 riscvarchive#1 0xbcc6e9 in cp_find_first_component(char const*) \ src/gdb/cp-support.c:977 riscvarchive#2 0xcc2cf3 in mapped_index_base::build_name_components() \ src/gdb/dwarf2read.c:4499 riscvarchive#3 0xcc3322 in dw2_expand_symtabs_matching_symbol src/gdb/dwarf2read.c:4552 riscvarchive#4 0xcc817f in dw2_expand_symtabs_matching src/gdb/dwarf2read.c:5228 riscvarchive#5 0xfe8f48 in iterate_over_all_matching_symtabs src/gdb/linespec.c:1147 riscvarchive#6 0x1003506 in add_matching_symbols_to_info src/gdb/linespec.c:4413 riscvarchive#7 0xffe21b in find_function_symbols src/gdb/linespec.c:3886 riscvarchive#8 0xffe4a2 in find_linespec_symbols src/gdb/linespec.c:3914 riscvarchive#9 0xfee3ad in linespec_parse_basic src/gdb/linespec.c:1865 riscvarchive#10 0xff5128 in parse_linespec src/gdb/linespec.c:2655 riscvarchive#11 0xff8872 in event_location_to_sals src/gdb/linespec.c:3150 riscvarchive#12 0xff90a8 in decode_line_full(event_location const*, int, \ program_space*, symtab*, int, linespec_result*, \ char const*, char const*) src/gdb/linespec.c:3230 riscvarchive#13 0x9ce449 in parse_breakpoint_sals src/gdb/breakpoint.c:9057 riscvarchive#14 0x9ea022 in create_sals_from_location_default src/gdb/breakpoint.c:13708 riscvarchive#15 0x9e2c1f in bkpt_create_sals_from_location src/gdb/breakpoint.c:12514 riscvarchive#16 0x9cff06 in create_breakpoint(gdbarch*, event_location const*, \ char const*, int, char const*, int, int, bptype, int, \ auto_boolean, breakpoint_ops const*, int, int, int, \ unsigned int) src/gdb/breakpoint.c:9238 riscvarchive#17 0x9d114a in break_command_1 src/gdb/breakpoint.c:9402 riscvarchive#18 0x9d1b60 in break_command(char const*, int) src/gdb/breakpoint.c:9473 riscvarchive#19 0xac96aa in do_const_cfunc src/gdb/cli/cli-decode.c:106 riscvarchive#20 0xad0e5a in cmd_func(cmd_list_element*, char const*, int) \ src/gdb/cli/cli-decode.c:1892 riscvarchive#21 0x15226f6 in execute_command(char const*, int) src/gdb/top.c:630 riscvarchive#22 0xddde37 in command_handler(char const*) src/gdb/event-top.c:586 riscvarchive#23 0xdde7c1 in command_line_handler(std::unique_ptr<char, \ gdb::xfree_deleter<char> >&&) src/gdb/event-top.c:773 riscvarchive#24 0xddc9e8 in gdb_rl_callback_handler src/gdb/event-top.c:217 riscvarchive#25 0x16f2198 in rl_callback_read_char src/readline/callback.c:220 riscvarchive#26 0xddc5a1 in gdb_rl_callback_read_char_wrapper_noexcept \ src/gdb/event-top.c:175 riscvarchive#27 0xddc773 in gdb_rl_callback_read_char_wrapper src/gdb/event-top.c:192 riscvarchive#28 0xddd9f5 in stdin_event_handler(int, void*) src/gdb/event-top.c:514 riscvarchive#29 0xdd7d8f in handle_file_event src/gdb/event-loop.c:731 riscvarchive#30 0xdd8607 in gdb_wait_for_event src/gdb/event-loop.c:857 riscvarchive#31 0xdd629c in gdb_do_one_event() src/gdb/event-loop.c:321 riscvarchive#32 0xdd6344 in start_event_loop() src/gdb/event-loop.c:370 riscvarchive#33 0x10a7715 in captured_command_loop src/gdb/main.c:331 riscvarchive#34 0x10aa548 in captured_main src/gdb/main.c:1173 riscvarchive#35 0x10aa5d8 in gdb_main(captured_main_args*) src/gdb/main.c:1188 riscvarchive#36 0x87bd35 in main src/gdb/gdb.c:32 riscvarchive#37 0x7f16e1434f89 in __libc_start_main (/lib64/libc.so.6+0x20f89) riscvarchive#38 0x87bb49 in _start (build/gdb/gdb+0x87bb49) 0x62500098c93c is located 0 bytes to the right of 8252-byte region \ [0x62500098a900,0x62500098c93c) allocated by thread T0 here: #0 0x7f16e359a600 in malloc (/usr/lib64/libasan.so.5+0xeb600) riscvarchive#1 0x1742ddf in bfd_malloc src/bfd/libbfd.c:275 riscvarchive#2 0x1738824 in bfd_get_full_section_contents src/bfd/compress.c:253 riscvarchive#3 0xe30044 in gdb_bfd_map_section(bfd_section*, unsigned long*) \ src/gdb/gdb_bfd.c:704 riscvarchive#4 0xcb56bf in dwarf2_read_section(objfile*, dwarf2_section_info*) \ src/gdb/dwarf2read.c:2539 riscvarchive#5 0xd5bcd0 in get_gdb_index_contents_from_section<dwarf2_per_objfile> \ src/gdb/dwarf2read.c:6217 riscvarchive#6 0xd7fc7d in gdb::function_view<gdb::array_view<unsigned char const> \ (...) const src/gdb/common/function-view.h:284 riscvarchive#7 0xd7fddd in gdb::function_view<gdb::array_view<unsigned char const> \ (...) src/gdb/common/function-view.h:278 riscvarchive#8 0xd730cf in gdb::function_view<gdb::array_view<unsigned char const> \ (...) const src/gdb/common/function-view.h:247 riscvarchive#9 0xcbc7ee in dwarf2_read_gdb_index src/gdb/dwarf2read.c:3582 riscvarchive#10 0xcce731 in dwarf2_initialize_objfile(objfile*, dw_index_kind*) \ src/gdb/dwarf2read.c:6297 riscvarchive#11 0xdb88c4 in elf_symfile_read src/gdb/elfread.c:1256 riscvarchive#12 0x141262a in read_symbols src/gdb/symfile.c:798 riscvarchive#13 0x14140a7 in syms_from_objfile_1 src/gdb/symfile.c:1000 riscvarchive#14 0x1414393 in syms_from_objfile src/gdb/symfile.c:1017 riscvarchive#15 0x1414fb7 in symbol_file_add_with_addrs src/gdb/symfile.c:1124 riscvarchive#16 0x14159b7 in symbol_file_add_from_bfd(bfd*, char const*, \ enum_flags<symfile_add_flag>, std::vector<other_sections, \ std::allocator<other_sections> >*, \ enum_flags<objfile_flag>, objfile*) src/gdb/symfile.c:1203 riscvarchive#17 0x1415b6c in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, \ std::allocator<other_sections> >*, \ enum_flags<objfile_flag>) src/gdb/symfile.c:1216 riscvarchive#18 0x1415f2f in symbol_file_add_main_1 src/gdb/symfile.c:1240 riscvarchive#19 0x1418599 in symbol_file_command(char const*, int) \ src/gdb/symfile.c:1675 riscvarchive#20 0xde2fa6 in file_command src/gdb/exec.c:433 riscvarchive#21 0xac96aa in do_const_cfunc src/gdb/cli/cli-decode.c:106 riscvarchive#22 0xad0e5a in cmd_func(cmd_list_element*, char const*, int) \ src/gdb/cli/cli-decode.c:1892 riscvarchive#23 0x15226f6 in execute_command(char const*, int) src/gdb/top.c:630 riscvarchive#24 0xddde37 in command_handler(char const*) src/gdb/event-top.c:586 riscvarchive#25 0xdde7c1 in command_line_handler(std::unique_ptr<char, \ gdb::xfree_deleter<char> >&&) src/gdb/event-top.c:773 riscvarchive#26 0xddc9e8 in gdb_rl_callback_handler src/gdb/event-top.c:217 riscvarchive#27 0x16f2198 in rl_callback_read_char src/readline/callback.c:220 riscvarchive#28 0xddc5a1 in gdb_rl_callback_read_char_wrapper_noexcept \ src/gdb/event-top.c:175 riscvarchive#29 0xddc773 in gdb_rl_callback_read_char_wrapper src/gdb/event-top.c:192 SUMMARY: AddressSanitizer: heap-buffer-overflow src/gdb/cp-support.c:999 in \ cp_find_first_component_aux Shadow bytes around the buggy address: 0x0c4a801298d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a801298e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a801298f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80129900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80129910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a80129920: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa 0x0c4a80129930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80129940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80129950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80129960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80129970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==31229==ABORTING ... The problem happens as follows. The executable amd64-init-x87-values gets an index (due to target board cc-with-gdb-index), which looks as follows: ... Hex dump of section '.gdb_index': 0x00000000 08000000 18000000 28000000 28000000 ........(...(... 0x00000010 3c000000 3c200000 00000000 00000000 <...< .......... 0x00000020 2e000000 00000000 d4004000 00000000 ..........@..... 0x00000030 db004000 00000000 00000000 00000000 ..@............. 0x00000040 00000000 00000000 00000000 00000000 ................ 0x00000050 00000000 00000000 00000000 00000000 ................ ... more zeroes ... 0x00002010 00000000 00000000 00000000 00000000 ................ 0x00002020 00000000 00000000 00000000 00000000 ................ 0x00002030 00000000 00000000 00000000 ............ ... The structure of this index is: ... header : [0x0, 0x18) : size 0x18 culist : [0x18 ,0x28) : size 0x10 typesculist : [0x28, 0x28) : size 0x0 adress area : [0x28, 0x3c) : size 0x14 symbol table : [0x3c, 0x203c) : size 0x2000 constant pool: [0x203c, 0x203c): size 0x0 EOF : 0x203c ... Note that the symbol table consists entirely of empty slots (where an empty slot is a pair of 32-bit zeroes), and that the constant pool is empty. The problem happens here in mapped_index_base::build_name_components: ... auto count = this->symbol_name_count (); for (offset_type idx = 0; idx < count; idx++) { if (this->symbol_name_slot_invalid (idx)) continue; const char *name = this->symbol_name_at (idx); ... when accessing the slot at idx == 0 in the symbol table, symbol_name_slot_invalid returns false so we calculate name, which is calculated using 'constant_pool + symbol_table[idx].name', which means we get name == constant_pool. And given that the constant pool is empty, name now points past the memory allocated for the index, and when we access name[0] for the first time in cp_find_first_component_aux, we run into the heap-buffer-overflow. Fix this by fixing the definition of symbol_name_slot_invalid: ... - return bucket.name == 0 && bucket.vec; + return bucket.name == 0 && bucket.vec == 0; ... Tested on x86_64-linux. gdb/ChangeLog: 2019-06-10 Tom de Vries <[email protected]> PR gdb/24618 * dwarf2read.c (struct mapped_index::symbol_name_slot_invalid): Make sure an empty slot (defined by a 32-bit zero pair) is recognized as invalid.
- Loading branch information