This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



[Bug gdb/21103] New: Invalid read in read_dbx_symtab


https://sourceware.org/bugzilla/show_bug.cgi?id=21103

            Bug ID: 21103
           Summary: Invalid read in read_dbx_symtab
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: mvidal at gmail dot com
  Target Milestone: ---

Created attachment 9792
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9792&action=edit
read_dbx_symtab invalid read

Hi there!

I've been fuzzing gdb with American Fuzzy Lop and AddressSanitizer. The
attached file causes a segmentation fault due to an invalid read.

Let me know if I should provide any additional information.

GNU gdb (GDB) 7.12.50.20170131-git
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from id:000013,sig:06,src:003207,op:havoc,rep:16...
=================================================================
==23107==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002451444 at pc 0xb28dfb bp 0x7fff0614c4e0 sp 0x7fff0614c4d8
READ of size 1 at 0x000002451444 thread T0
    #0 0xb28dfa in read_dbx_symtab /home/maxi/binutils-gdb/gdb/dbxread.c:1125
    #1 0xb298f3 in dbx_symfile_read /home/maxi/binutils-gdb/gdb/dbxread.c:548
    #2 0x1182430 in read_symbols /home/maxi/binutils-gdb/gdb/symfile.c:870
    #3 0x1183869 in syms_from_objfile_1 /home/maxi/binutils-gdb/gdb/symfile.c:1071
    #4 0x1183869 in syms_from_objfile /home/maxi/binutils-gdb/gdb/symfile.c:1087
    #5 0x1183869 in symbol_file_add_with_addrs /home/maxi/binutils-gdb/gdb/symfile.c:1186
    #6 0x11872ae in symbol_file_add_from_bfd /home/maxi/binutils-gdb/gdb/symfile.c:1277
    #7 0x11872ae in symbol_file_add /home/maxi/binutils-gdb/gdb/symfile.c:1290
    #8 0x11872ae in symbol_file_add_main_1 /home/maxi/binutils-gdb/gdb/symfile.c:1313
    #9 0x11872ae in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) /home/maxi/binutils-gdb/gdb/symfile.c:1304
    #10 0xf494d0 in symbol_file_add_main_adapter /home/maxi/binutils-gdb/gdb/main.c:427
    #11 0xf49c87 in catch_command_errors_const /home/maxi/binutils-gdb/gdb/main.c:403
    #12 0xf4c903 in captured_main_1 /home/maxi/binutils-gdb/gdb/main.c:1045
    #13 0xf4c903 in captured_main /home/maxi/binutils-gdb/gdb/main.c:1140
    #14 0xf4c903 in gdb_main(captured_main_args*) /home/maxi/binutils-gdb/gdb/main.c:1158
    #15 0x44bfaa in main /home/maxi/binutils-gdb/gdb/gdb.c:32
    #16 0x7f6c80edfb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x45e6ae (/home/maxi/binutils-gdb/gdb/gdb+0x45e6ae)

0x000002451444 is located 28 bytes to the left of global variable 'bincls_allocated' from 'dbxread.c' (0x2451460) of size 4
0x000002451444 is located 4 bytes to the right of global variable 'symbuf' from 'dbxread.c' (0x2445440) of size 49152
SUMMARY: AddressSanitizer: global-buffer-overflow /home/maxi/binutils-gdb/gdb/dbxread.c:1125 read_dbx_symtab
Shadow bytes around the buggy address:
  0x000080482230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080482280: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x000080482290: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000804822a0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000804822b0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000804822c0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000804822d0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23107==ABORTING

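The shadow-byte dump and legend above are only useful if you can map the faulting address onto the shadow row and read the value back. The following script is an added worked example for triaging such a report; it is not part of the bug report or of gdb's code. It assumes the default AddressSanitizer shadow mapping for x86_64 Linux (shadow = (addr >> 3) + 0x7fff8000), which the report does not state, and it embeds the two "is located" lines and the "=>" shadow row copied from the output above. It parses those lines, recomputes the printed distances from the variables' bounds, locates the faulting address's shadow byte in the dump, decodes it with the legend, and decides whether an access of a given size would have been allowed.

```python
import re

# Default AddressSanitizer shadow mapping for x86_64 Linux. Assumption: the
# reporter's build used the default offset; the report does not state it.
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3  # one shadow byte covers 2**3 == 8 application bytes

# Lines copied from the report above, re-joined onto single lines.
LOCATED_LINES = [
    "0x000002451444 is located 28 bytes to the left of global variable "
    "'bincls_allocated' from 'dbxread.c' (0x2451460) of size 4",
    "0x000002451444 is located 4 bytes to the right of global variable "
    "'symbuf' from 'dbxread.c' (0x2445440) of size 49152",
]
SHADOW_ROW = "=>0x000080482280: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9"

# Negative shadow values, taken from the legend ASan prints with every report.
LEGEND = {
    0xFA: "Heap left redzone", 0xFB: "Heap right redzone", 0xFD: "Freed heap region",
    0xF1: "Stack left redzone", 0xF2: "Stack mid redzone", 0xF3: "Stack right redzone",
    0xF4: "Stack partial redzone", 0xF5: "Stack after return",
    0xF8: "Stack use after scope", 0xF9: "Global redzone", 0xF6: "Global init order",
    0xF7: "Poisoned by user", 0xFC: "Contiguous container OOB", 0xFE: "ASan internal",
}

LOCATED_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'(\w+)' from '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)$"
)


def shadow_address(addr):
    """Application address -> address of the shadow byte that describes it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_located(line):
    """Parse one 'is located N bytes to the left/right of ...' line."""
    m = LOCATED_RE.match(line)
    if m is None:
        return None
    return {
        "addr": int(m.group(1), 16), "distance": int(m.group(2)), "side": m.group(3),
        "name": m.group(4), "file": m.group(5),
        "start": int(m.group(6), 16), "size": int(m.group(7)),
    }


def check_located(entry):
    """Recompute the printed distance from the variable's bounds; True if consistent."""
    if entry["side"] == "right":
        expected = entry["addr"] - (entry["start"] + entry["size"])
    else:
        expected = entry["start"] - entry["addr"]
    return expected == entry["distance"]


def parse_shadow_row(row):
    """Return (row base address, [(shadow value, marked with [..]), ...])."""
    head, _, body = row.lstrip("=> ").partition(":")
    cells = re.findall(r"\[?[0-9a-f]{2}\]?", body)
    return int(head.strip(), 16), [(int(c.strip("[]"), 16), c.startswith("[")) for c in cells]


def shadow_byte_at(addr, row):
    """Look up the shadow byte for addr in a printed shadow row; None if not in that row."""
    base, cells = parse_shadow_row(row)
    idx = shadow_address(addr) - base
    return cells[idx] if 0 <= idx < len(cells) else None


def describe(shadow_value):
    """Human-readable meaning of a shadow byte, following the legend."""
    if shadow_value == 0:
        return "Addressable"
    if 1 <= shadow_value <= 7:
        return "Partially addressable: first %d bytes of the 8-byte granule" % shadow_value
    return LEGEND.get(shadow_value, "unknown shadow value")


def access_is_addressable(shadow_value, addr, size):
    """Would an access of `size` bytes at `addr` pass, given its granule's shadow byte?"""
    offset = addr & ((1 << SHADOW_SCALE) - 1)
    if offset + size > (1 << SHADOW_SCALE):
        raise ValueError("access spans more than one granule; check each shadow byte")
    if shadow_value == 0:
        return True
    if 1 <= shadow_value <= 7:
        return offset + size <= shadow_value
    return False  # negative shadow value: the whole granule is poisoned


if __name__ == "__main__":
    for line in LOCATED_LINES:
        e = parse_located(line)
        print("%-16s distance consistent: %s" % (e["name"], check_located(e)))
    faulting = 0x2451444
    value, marked = shadow_byte_at(faulting, SHADOW_ROW)
    print("shadow 0x%x -> 0x%02x (%s), marked=%s"
          % (shadow_address(faulting), value, describe(value), marked))
    print("1-byte read allowed:", access_is_addressable(value, faulting, 1))
```

Run against the values above, the faulting address 0x2451444 maps to shadow byte 0x80482288, which is the bracketed f9 in the "=>" row (global redzone), so the 1-byte read is rejected; four granules later the 04 byte is the 4-byte bincls_allocated, and the two printed distances (4 bytes past the end of the 49152-byte symbuf, 28 bytes before bincls_allocated) both check out. A read one byte past a 48 KiB global like this is exactly the kind of defect fuzzing plus ASan finds and plain testing misses, since without the redzone the read would silently return whatever sits between the two globals.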
