This is the mail archive of the
gdb@sourceware.org
mailing list for the GDB project.
Re: Heap corruption and crash reading syscall XML data
- From: Pedro Alves <palves at redhat dot com>
- To: Dmitry Antipov <dantipov at nvidia dot com>, gdb at sourceware dot org
- Date: Tue, 17 Oct 2017 12:30:05 +0100
- Subject: Re: Heap corruption and crash reading syscall XML data
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=palves at redhat dot com
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com A4B0F883B0
- References: <20171010091214.GC7617@waldemar-brodkorb.de> <a4b9576c-0b14-1a43-322b-9284552d1a8e@nvidia.com>
On 10/17/2017 11:05 AM, Dmitry Antipov wrote:
> HEAD at 0301ce1486b1450f219202677f30d0fa97335419,
>
> configure --prefix=/home/dantipov/.local/gdb-8.0.50 --with-python=no
> --with-guile=no \
> --disable-nls --disable-binutils --disable-gprof --disable-gold
> --disable-gas --disable-ld
>
> $ ~/.local/gdb-8.0.50/bin/gdb
> GNU gdb (GDB) 8.0.50.20171017-git
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-pc-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word".
> (gdb) catch syscall [TAB]
I'm seeing this too. Valgrind shows:
(gdb) catch syscall
==3687== Thread 1:
==3687== Invalid free() / delete / delete[] / realloc()
==3687== at 0x4C29CF0: free (vg_replace_malloc.c:530)
==3687== by 0x610862: xfree(void*) (common-utils.c:101)
==3687== by 0x440D5D: gdb::xfree_deleter<char>::operator()(char*) const (gdb_unique_ptr.h:34)
==3687== by 0x446CC6: std::unique_ptr<char, gdb::xfree_deleter<char> >::reset(char*) (unique_ptr.h:344)
==3687== by 0x81BE50: xml_fetch_content_from_file(char const*, void*) (xml-support.c:1042)
==3687== by 0x81DA86: xml_init_syscalls_info(char const*) (xml-syscall.c:366)
==3687== by 0x81DBDD: init_syscalls_info(gdbarch*) (xml-syscall.c:398)
==3687== by 0x81E131: get_syscall_by_number(gdbarch*, int, syscall*) (xml-syscall.c:599)
==3687== by 0x5BE86F: catch_syscall_command_1(char*, int, cmd_list_element*) (break-catch-syscall.c:481)
==3687== by 0x4B46B1: do_sfunc(cmd_list_element*, char*, int) (cli-decode.c:138)
==3687== by 0x4B76B8: cmd_func(cmd_list_element*, char*, int) (cli-decode.c:1952)
==3687== by 0x7E91C7: execute_command(char*, int) (top.c:615)
==3687== Address 0x14332ae0 is 0 bytes inside a block of size 4,096 free'd
==3687== at 0x4C2AB8B: realloc (vg_replace_malloc.c:785)
==3687== by 0x610792: xrealloc (common-utils.c:62)
==3687== by 0x81BE3E: xml_fetch_content_from_file(char const*, void*) (xml-support.c:1042)
==3687== by 0x81DA86: xml_init_syscalls_info(char const*) (xml-syscall.c:366)
==3687== by 0x81DBDD: init_syscalls_info(gdbarch*) (xml-syscall.c:398)
==3687== by 0x81E131: get_syscall_by_number(gdbarch*, int, syscall*) (xml-syscall.c:599)
==3687== by 0x5BE86F: catch_syscall_command_1(char*, int, cmd_list_element*) (break-catch-syscall.c:481)
==3687== by 0x4B46B1: do_sfunc(cmd_list_element*, char*, int) (cli-decode.c:138)
==3687== by 0x4B76B8: cmd_func(cmd_list_element*, char*, int) (cli-decode.c:1952)
==3687== by 0x7E91C7: execute_command(char*, int) (top.c:615)
==3687== by 0x6A422D: command_handler(char*) (event-top.c:583)
==3687== by 0x6A45F2: command_line_handler(char*) (event-top.c:773)
==3687== Block was alloc'd at
==3687== at 0x4C28BF6: malloc (vg_replace_malloc.c:299)
==3687== by 0x61073C: xmalloc (common-utils.c:44)
==3687== by 0x81BD49: xml_fetch_content_from_file(char const*, void*) (xml-support.c:1021)
==3687== by 0x81DA86: xml_init_syscalls_info(char const*) (xml-syscall.c:366)
==3687== by 0x81DBDD: init_syscalls_info(gdbarch*) (xml-syscall.c:398)
==3687== by 0x81E131: get_syscall_by_number(gdbarch*, int, syscall*) (xml-syscall.c:599)
==3687== by 0x5BE86F: catch_syscall_command_1(char*, int, cmd_list_element*) (break-catch-syscall.c:481)
==3687== by 0x4B46B1: do_sfunc(cmd_list_element*, char*, int) (cli-decode.c:138)
==3687== by 0x4B76B8: cmd_func(cmd_list_element*, char*, int) (cli-decode.c:1952)
==3687== by 0x7E91C7: execute_command(char*, int) (top.c:615)
==3687== by 0x6A422D: command_handler(char*) (event-top.c:583)
==3687== by 0x6A45F2: command_line_handler(char*) (event-top.c:773)
==3687==
Catchpoint 2 (any syscall)
I'm testing this fix:
diff --git a/gdb/xml-support.c b/gdb/xml-support.c
index 76d03b9..42a4c91 100644
--- a/gdb/xml-support.c
+++ b/gdb/xml-support.c
@@ -1039,7 +1039,7 @@ xml_fetch_content_from_file (const char *filename, void *baton)
break;
len = len * 2;
- text.reset ((char *) xrealloc (text.get (), len));
+ text.reset ((char *) xrealloc (text.release (), len));
}
text.get ()[offset] = '\0';