This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.
[Bug gdb/22417] New: Get garbage data when reading .interp section
- From: "qiyao at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: gdb-prs at sourceware dot org
- Date: Fri, 10 Nov 2017 14:43:57 +0000
- Subject: [Bug gdb/22417] New: Get garbage data when reading .interp section
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22417
Bug ID: 22417
Summary: Get garbage data when reading .interp section
Product: gdb
Version: HEAD
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: qiyao at gcc dot gnu.org
Target Milestone: ---
Build GDB with asan.
Start GDBserver,
$ ./gdbserver/gdbserver :1234 ./testsuite/outputs/gdb.base/catch-syscall/catch-syscall
Start GDB,
$ ./gdb -data-directory=$PWD/data-directory -ex "b main" -ex "target remote :1234" -ex "c" -ex "catch syscall execve" -ex "set do_execve = 1" -ex "c" -ex "c" -ex "c" -ex "c" ./testsuite/outputs/gdb.base/catch-syscall/catch-syscall
...
...
Breakpoint 1, main (argc=1, argv=0x7fffffffe3d8)
at /home/yao.qi/SourceCode/gnu/build-with-asan/gdb/testsuite/../../../binutils-gdb/gdb/testsuite/gdb.base/catch-syscall.c:47
47 {
Continuing.
[Inferior 1 (process 22322) exited normally]
Start GDBserver again, and type the command in GDB again:
(gdb) target remote :1234
`target:/home/yao.qi/SourceCode/gnu/build-with-asan/gdb/testsuite/outputs/gdb.base/catch-syscall/catch-syscall'
has disappeared; keeping its symbols.
Remote debugging using :1234
=================================================================
==22332==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300004a4ec at pc 0x7f2be286820b bp 0x7fff37d48e40 sp 0x7fff37d485e8
READ of size 29 at 0x60300004a4ec thread T0
#0 0x7f2be286820a in __interceptor_strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
#1 0xf6745d in xstrdup ../../binutils-gdb/libiberty/xstrdup.c:33
#2 0xb71293 in solib_find_1 ../../binutils-gdb/gdb/solib.c:218
#3 0xb7214f in solib_find(char const*, int*)
../../binutils-gdb/gdb/solib.c:462
#4 0xb72391 in solib_bfd_open(char*) ../../binutils-gdb/gdb/solib.c:503
#5 0x46352c in enable_break ../../binutils-gdb/gdb/solib-svr4.c:2336
#6 0x466a3c in svr4_solib_create_inferior_hook
../../binutils-gdb/gdb/solib-svr4.c:3059
#7 0xb75a71 in solib_create_inferior_hook(int)
../../binutils-gdb/gdb/solib.c:1232
#8 0xa0e8f9 in post_create_inferior(target_ops*, int)
../../binutils-gdb/gdb/infcmd.c:492
#9 0xa28c17 in start_remote(int) ../../binutils-gdb/gdb/infrun.c:3241
#10 0x4ea1b8 in remote_start_remote ../../binutils-gdb/gdb/remote.c:4287
#11 0x4eceef in remote_open_1 ../../binutils-gdb/gdb/remote.c:5144
#12 0x4ea5ff in remote_open ../../binutils-gdb/gdb/remote.c:4382
#13 0xc0ede1 in open_target ../../binutils-gdb/gdb/target.c:358
#14 0x5560e6 in do_sfunc ../../binutils-gdb/gdb/cli/cli-decode.c:138
#15 0x55d6f4 in cmd_func(cmd_list_element*, char*, int)
../../binutils-gdb/gdb/cli/cli-decode.c:1952
#16 0xc42804 in execute_command(char*, int)
../../binutils-gdb/gdb/top.c:608
#17 0x978192 in command_handler(char*)
../../binutils-gdb/gdb/event-top.c:583
#18 0x978a00 in command_line_handler(char*)
../../binutils-gdb/gdb/event-top.c:773
#19 0x97700a in gdb_rl_callback_handler
../../binutils-gdb/gdb/event-top.c:213
#20 0xce9782 in rl_callback_read_char
../../binutils-gdb/readline/callback.c:220
#21 0x976cb7 in gdb_rl_callback_read_char_wrapper_noexcept
../../binutils-gdb/gdb/event-top.c:175
#22 0x976e3b in gdb_rl_callback_read_char_wrapper
../../binutils-gdb/gdb/event-top.c:192
#23 0x977d43 in stdin_event_handler(int, void*)
../../binutils-gdb/gdb/event-top.c:511
#24 0x9741fa in handle_file_event ../../binutils-gdb/gdb/event-loop.c:733
#25 0x974a6c in gdb_wait_for_event ../../binutils-gdb/gdb/event-loop.c:859
#26 0x9728ed in gdb_do_one_event() ../../binutils-gdb/gdb/event-loop.c:347
#27 0x9729b5 in start_event_loop() ../../binutils-gdb/gdb/event-loop.c:371
#28 0xa885b5 in captured_command_loop ../../binutils-gdb/gdb/main.c:329
#29 0xa8af58 in captured_main ../../binutils-gdb/gdb/main.c:1152
#30 0xa8b0d5 in gdb_main(captured_main_args*)
../../binutils-gdb/gdb/main.c:1168
#31 0x40fb88 in main ../../binutils-gdb/gdb/gdb.c:32
#32 0x7f2be0b7882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#33 0x40f9e8 in _start
(/home/yao.qi/SourceCode/gnu/build-with-asan/gdb/gdb+0x40f9e8)
0x60300004a4ec is located 0 bytes to the right of 28-byte region
[0x60300004a4d0,0x60300004a4ec)
allocated by thread T0 here:
#0 0x7f2be2890602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x83a171 in xmalloc ../../binutils-gdb/gdb/common/common-utils.c:44
#2 0x45c948 in find_program_interpreter
../../binutils-gdb/gdb/solib-svr4.c:587
#3 0x4634b9 in enable_break ../../binutils-gdb/gdb/solib-svr4.c:2313
#4 0x466a3c in svr4_solib_create_inferior_hook
../../binutils-gdb/gdb/solib-svr4.c:3059
#5 0xb75a71 in solib_create_inferior_hook(int)
../../binutils-gdb/gdb/solib.c:1232
#6 0xa0e8f9 in post_create_inferior(target_ops*, int)
../../binutils-gdb/gdb/infcmd.c:492
#7 0xa28c17 in start_remote(int) ../../binutils-gdb/gdb/infrun.c:3241
#8 0x4ea1b8 in remote_start_remote ../../binutils-gdb/gdb/remote.c:4287
#9 0x4eceef in remote_open_1 ../../binutils-gdb/gdb/remote.c:5144
#10 0x4ea5ff in remote_open ../../binutils-gdb/gdb/remote.c:4382
#11 0xc0ede1 in open_target ../../binutils-gdb/gdb/target.c:358
#12 0x5560e6 in do_sfunc ../../binutils-gdb/gdb/cli/cli-decode.c:138
#13 0x55d6f4 in cmd_func(cmd_list_element*, char*, int)
../../binutils-gdb/gdb/cli/cli-decode.c:1952
#14 0xc42804 in execute_command(char*, int)
../../binutils-gdb/gdb/top.c:608
#15 0x978192 in command_handler(char*)
../../binutils-gdb/gdb/event-top.c:583
#16 0x978a00 in command_line_handler(char*)
../../binutils-gdb/gdb/event-top.c:773
#17 0x97700a in gdb_rl_callback_handler
../../binutils-gdb/gdb/event-top.c:213
#18 0xce9782 in rl_callback_read_char
../../binutils-gdb/readline/callback.c:220
#19 0x976e3b in gdb_rl_callback_read_char_wrapper
../../binutils-gdb/gdb/event-top.c:192
#20 0x977d43 in stdin_event_handler(int, void*)
../../binutils-gdb/gdb/event-top.c:511
#21 0x9741fa in handle_file_event ../../binutils-gdb/gdb/event-loop.c:733
#22 0x974a6c in gdb_wait_for_event ../../binutils-gdb/gdb/event-loop.c:859
#23 0x9728ed in gdb_do_one_event() ../../binutils-gdb/gdb/event-loop.c:347
#24 0x9729b5 in start_event_loop() ../../binutils-gdb/gdb/event-loop.c:371
#25 0xa885b5 in captured_command_loop ../../binutils-gdb/gdb/main.c:329
#26 0xa8af58 in captured_main ../../binutils-gdb/gdb/main.c:1152
#27 0xa8b0d5 in gdb_main(captured_main_args*)
../../binutils-gdb/gdb/main.c:1168
#28 0x40fb88 in main ../../binutils-gdb/gdb/gdb.c:32
#29 0x7f2be0b7882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
-------------------------------------
I debugged gdb a little bit, set a breakpoint on find_program_interpreter, and it looks like it returns garbage data, because abfd->iovec is not correctly set:
196 nread = abfd->iovec->bread (abfd, ptr, size);
(gdb) p abfd->iovec
$3 = (const struct bfd_iovec *) 0x13d9240 <opncls_iovec>
(gdb) p abfd
$4 = (bfd *) 0x612000031e40
(gdb) p *abfd
$5 = {filename = 0x60b00003ca50
"target:/home/yao.qi/SourceCode/gnu/build-with-asan/gdb/testsuite/outputs/gdb.base/catch-syscall/catch-syscall",
xvec = 0x13e3080 <x86_64_elf64_vec>, iostream = 0x62100042cd10, iovec =
0x13d9240 <opncls_iovec>, lru_prev = 0x0, lru_next = 0x0, where = 568,
mtime = 1510322635, id = 9, format = bfd_object, direction = read_direction,
flags = 33042, cacheable = 0, target_defaulted = 1, opened_once = 0,
mtime_set = 0, no_export = 0, output_has_begun = 0, has_armap = 0,
is_thin_archive = 0, selective_search = 0, is_linker_output = 0,
is_linker_input = 0,
plugin_format = bfd_plugin_unknown, lto_output = 0, plugin_dummy_bfd = 0x0,
origin = 0, proxy_origin = 0, section_htab = {table = 0x621000444910,
newfunc = 0xd2a6fd <bfd_section_hash_newfunc>, memory = 0x603000038c50,
size = 61, count = 32, entsize = 304, frozen = 0}, sections = 0x62100042b990,
section_last = 0x621000445360, section_count = 32, archive_pass = 0,
start_address = 4195952, outsymbols = 0x0, symcount = 0, dynsymcount = 0,
arch_info = 0x14163c0 <bfd_x86_64_arch>, arelt_data = 0x0, my_archive = 0x0,
archive_next = 0x0, archive_head = 0x0, nested_archives = 0x0, link = {
next = 0x0, hash = 0x0}, tdata = {aout_data = 0x62100042cd38, aout_ar_data
= 0x62100042cd38, oasys_obj_data = 0x62100042cd38,
oasys_ar_data = 0x62100042cd38, coff_obj_data = 0x62100042cd38, pe_obj_data
= 0x62100042cd38, xcoff_obj_data = 0x62100042cd38, ecoff_obj_data =
0x62100042cd38, ieee_data = 0x62100042cd38, ieee_ar_data = 0x62100042cd38,
srec_data = 0x62100042cd38, verilog_data = 0x62100042cd38,
ihex_data = 0x62100042cd38, tekhex_data = 0x62100042cd38, elf_obj_data =
0x62100042cd38, nlm_obj_data = 0x62100042cd38, bout_data = 0x62100042cd38,
mmo_data = 0x62100042cd38, sun_core_data = 0x62100042cd38, sco5_core_data =
0x62100042cd38, trad_core_data = 0x62100042cd38, som_data = 0x62100042cd38,
hpux_core_data = 0x62100042cd38, hppabsd_core_data = 0x62100042cd38,
sgi_core_data = 0x62100042cd38, lynx_core_data = 0x62100042cd38,
osf_core_data = 0x62100042cd38, cisco_core_data = 0x62100042cd38,
versados_data = 0x62100042cd38, netbsd_core_data = 0x62100042cd38,
mach_o_data = 0x62100042cd38, mach_o_fat_data = 0x62100042cd38, plugin_data
= 0x62100042cd38, pef_data = 0x62100042cd38, pef_xlib_data = 0x62100042cd38,
sym_data = 0x62100042cd38, any = 0x62100042cd38}, usrdata = 0x60b00003c9a0,
memory = 0x603000038c80, build_id = 0x62100042a8d0}
--
You are receiving this mail because:
You are on the CC list for the bug.
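The backtrace above shows the shape of the defect: find_program_interpreter allocates a buffer of the section's size, fills it through the bfd's iovec, and the result is handed to xstrdup, whose strlen runs off the end of the 28-byte region because nothing guaranteed a NUL inside it. The following is an added example written for this page, not GDB's or BFD's code. It models the section read with a hypothetical callback (standing in for iovec->bread), constructs three inputs in memory (a well-formed .interp of the same 28 bytes the report mentions, 28 bytes of non-NUL garbage, and a short read), and shows the unchecked pattern next to a checked one that refuses to call strlen unless the read was complete and a terminator is present within bounds. The 4096-byte size bound is an assumption chosen for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bfd's iovec->bread (not the real bfd API): read up
   to `size` bytes of section contents into `buf`, return bytes read or -1. */
typedef long (*section_reader)(void *ctx, unsigned char *buf, size_t size);

/* Constructed in-memory "section": the reader hands back at most `len` bytes. */
struct mem_section {
    const unsigned char *data;
    size_t len;
};

static long mem_bread(void *ctx, unsigned char *buf, size_t size)
{
    struct mem_section *s = ctx;
    size_t n = size < s->len ? size : s->len;
    memcpy(buf, s->data, n);
    return (long) n;
}

/* UNCHECKED pattern, as in the backtrace: allocate sect_size bytes, read into
   them, then treat the buffer as a C string. If the read leaves 28 non-NUL
   bytes behind, strlen reads a 29th byte past the allocation (the ASan
   report's "READ of size 29"). The demo only calls this on good input. */
static char *read_interp_unchecked(section_reader bread, void *ctx, size_t sect_size)
{
    unsigned char *buf = malloc(sect_size);
    if (buf == NULL)
        return NULL;
    bread(ctx, buf, sect_size);                 /* return value ignored */
    char *path = strdup((const char *) buf);    /* strlen may overrun */
    free(buf);
    return path;
}

/* CHECKED pattern: plausible size, complete read, and a NUL inside the buffer
   before anything computes a string length over it. */
static char *read_interp_checked(section_reader bread, void *ctx, size_t sect_size)
{
    if (sect_size == 0 || sect_size > 4096)     /* assumed bound for a path */
        return NULL;
    unsigned char *buf = malloc(sect_size);
    if (buf == NULL)
        return NULL;
    long n = bread(ctx, buf, sect_size);
    if (n < 0 || (size_t) n != sect_size) {     /* short read: contents untrusted */
        free(buf);
        return NULL;
    }
    if (memchr(buf, '\0', sect_size) == NULL) { /* no terminator: not a string */
        free(buf);
        return NULL;
    }
    char *path = strdup((const char *) buf);    /* safe: NUL is within bounds */
    free(buf);
    return path;
}

/* Constructed .interp contents: 27 characters plus NUL, the same 28-byte
   section size that appears in the ASan report. */
static const unsigned char good_interp[] = "/lib64/ld-linux-x86-64.so.2";

/* Well-formed section: the checked reader returns the interpreter path. */
char *demo_good(void)
{
    struct mem_section s = { good_interp, sizeof good_interp };
    return read_interp_checked(mem_bread, &s, sizeof good_interp);
}

/* 28 bytes of non-NUL garbage (the report's failure mode): rejected. */
char *demo_garbage(void)
{
    unsigned char garbage[28];
    memset(garbage, 'A', sizeof garbage);
    struct mem_section s = { garbage, sizeof garbage };
    return read_interp_checked(mem_bread, &s, sizeof garbage);
}

/* Reader that delivers fewer bytes than the section size promises: rejected. */
char *demo_short(void)
{
    struct mem_section s = { good_interp, 10 };
    return read_interp_checked(mem_bread, &s, sizeof good_interp);
}

static void show(const char *label, char *p)
{
    printf("%-24s%s\n", label, p ? p : "(rejected)");
    free(p);
}

int main(void)
{
    struct mem_section s = { good_interp, sizeof good_interp };
    show("checked, good input:", demo_good());
    show("checked, garbage:", demo_garbage());
    show("checked, short read:", demo_short());
    show("unchecked, good input:", read_interp_unchecked(mem_bread, &s, sizeof good_interp));
    return 0;
}
```

The memchr check is the decisive one: a section that is exactly sect_size bytes of printable data is well-formed as far as the ELF reader is concerned, yet it is not a C string, and that distinction is what xstrdup in the backtrace never gets to make.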