[ Could be related to PR25479: "AddressSanitizer: heap-buffer-overflow in lookup_minimal_symbol_by_pc_name". Also there, there's fixup_section in the call stack. ]

When building gdb with -fsanitize=address and running gdb.base/readline-ask.exp, I run into:
...
(gdb) PASS: gdb.base/readline-ask.exp: set height 3
p symbol_0
=================================================================
==28590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00009b970 at pc 0x000001457d33 bp 0x7ffe906679c0 sp 0x7ffe906679b8
READ of size 8 at 0x60b00009b970 thread T0
    #0 0x1457d32 in fixup_section(general_symbol_info*, unsigned long, objfile*) /data/gdb_versions/devel/src/gdb/symtab.c:1720
    #1 0x14585cb in fixup_symbol_section(symbol*, objfile*) /data/gdb_versions/devel/src/gdb/symtab.c:1778
    #2 0xd484ca in var_decode_location /data/gdb_versions/devel/src/gdb/dwarf2/read.c:20507
    #3 0xd49ce9 in new_symbol /data/gdb_versions/devel/src/gdb/dwarf2/read.c:20699
    #4 0xd138fc in read_variable /data/gdb_versions/devel/src/gdb/dwarf2/read.c:13481
    #5 0xcfc8dc in process_die /data/gdb_versions/devel/src/gdb/dwarf2/read.c:9924
    #6 0xd0137a in read_file_scope /data/gdb_versions/devel/src/gdb/dwarf2/read.c:10826
    #7 0xcfc347 in process_die /data/gdb_versions/devel/src/gdb/dwarf2/read.c:9837
    #8 0xcfa9d5 in process_full_comp_unit /data/gdb_versions/devel/src/gdb/dwarf2/read.c:9594
    #9 0xcf0b69 in process_queue /data/gdb_versions/devel/src/gdb/dwarf2/read.c:8881
    #10 0xcc7679 in dw2_do_instantiate_symtab /data/gdb_versions/devel/src/gdb/dwarf2/read.c:2374
    #11 0xcf0e17 in dwarf2_psymtab::expand_psymtab(objfile*) /data/gdb_versions/devel/src/gdb/dwarf2/read.c:8908
    #12 0xcf0286 in dwarf2_psymtab::read_symtab(objfile*) /data/gdb_versions/devel/src/gdb/dwarf2/read.c:8764
    #13 0x12021fb in psymtab_to_symtab /data/gdb_versions/devel/src/gdb/psymtab.c:768
    #14 0x120612c in psym_expand_symtabs_matching /data/gdb_versions/devel/src/gdb/psymtab.c:1351
    #15 0x142f6eb in expand_symtabs_matching(gdb::function_view<bool (char const*, bool)>, lookup_name_info const&, gdb::function_view<bool (char const*)>, gdb::function_view<void (compunit_symtab*)>, search_domain) /data/gdb_versions/devel/src/gdb/symfile.c:3788
    #16 0x147739f in default_collect_symbol_completion_matches_break_on(completion_tracker&, complete_symbol_mode, symbol_name_match_type, char const*, char const*, char const*, type_code) /data/gdb_versions/devel/src/gdb/symtab.c:5692
    #17 0x14782b4 in default_collect_symbol_completion_matches(completion_tracker&, complete_symbol_mode, symbol_name_match_type, char const*, char const*, type_code) /data/gdb_versions/devel/src/gdb/symtab.c:5795
    #18 0x1478343 in collect_symbol_completion_matches(completion_tracker&, complete_symbol_mode, symbol_name_match_type, char const*, char const*) /data/gdb_versions/devel/src/gdb/symtab.c:5810
    #19 0xb91c1e in complete_files_symbols /data/gdb_versions/devel/src/gdb/completer.c:608
    #20 0xb94b74 in complete_expression(completion_tracker&, char const*, char const*) /data/gdb_versions/devel/src/gdb/completer.c:1176
    #21 0xb94ce7 in expression_completer(cmd_list_element*, completion_tracker&, char const*, char const*) /data/gdb_versions/devel/src/gdb/completer.c:1188
    #22 0x11d6052 in print_command_completer(cmd_list_element*, completion_tracker&, char const*, char const*) /data/gdb_versions/devel/src/gdb/printcmd.c:1238
    #23 0xb94ecd in complete_line_internal_normal_command /data/gdb_versions/devel/src/gdb/completer.c:1306
    #24 0xb95b49 in complete_line_internal_1 /data/gdb_versions/devel/src/gdb/completer.c:1531
    #25 0xb95bf8 in complete_line_internal /data/gdb_versions/devel/src/gdb/completer.c:1550
    #26 0xb97f43 in gdb_completion_word_break_characters_throw /data/gdb_versions/devel/src/gdb/completer.c:1996
    #27 0xb98200 in gdb_completion_word_break_characters() /data/gdb_versions/devel/src/gdb/completer.c:2034
    #28 0x16e7e3f in _rl_find_completion_word /data/gdb_versions/devel/src/readline/readline/complete.c:1076
    #29 0x16ec93d in rl_complete_internal /data/gdb_versions/devel/src/readline/readline/complete.c:2007
    #30 0x16e5b35 in rl_complete /data/gdb_versions/devel/src/readline/readline/complete.c:438
    #31 0x16d1bf2 in _rl_dispatch_subseq /data/gdb_versions/devel/src/readline/readline/readline.c:852
    #32 0x16d17d0 in _rl_dispatch /data/gdb_versions/devel/src/readline/readline/readline.c:798
    #33 0x16d100e in readline_internal_char /data/gdb_versions/devel/src/readline/readline/readline.c:632
    #34 0x171e274 in rl_callback_read_char /data/gdb_versions/devel/src/readline/readline/callback.c:262
    #35 0xdddde0 in gdb_rl_callback_read_char_wrapper_noexcept /data/gdb_versions/devel/src/gdb/event-top.c:176
    #36 0xdddfc0 in gdb_rl_callback_read_char_wrapper /data/gdb_versions/devel/src/gdb/event-top.c:193
    #37 0xddf1c2 in stdin_event_handler(int, void*) /data/gdb_versions/devel/src/gdb/event-top.c:515
    #38 0xdd9456 in handle_file_event /data/gdb_versions/devel/src/gdb/event-loop.c:701
    #39 0xdd9d5e in gdb_wait_for_event /data/gdb_versions/devel/src/gdb/event-loop.c:827
    #40 0xdd7b41 in gdb_do_one_event() /data/gdb_versions/devel/src/gdb/event-loop.c:313
    #41 0xdd7be1 in start_event_loop() /data/gdb_versions/devel/src/gdb/event-loop.c:337
    #42 0x109bde5 in captured_command_loop /data/gdb_versions/devel/src/gdb/main.c:360
    #43 0x109f30b in captured_main /data/gdb_versions/devel/src/gdb/main.c:1198
    #44 0x109f39b in gdb_main(captured_main_args*) /data/gdb_versions/devel/src/gdb/main.c:1213
    #45 0x8c288a in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #46 0x7fd7d12cef89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
    #47 0x8c2699 in _start (/data/gdb_versions/devel/build/gdb/gdb+0x8c2699)

0x60b00009b970 is located 0 bytes to the right of 112-byte region [0x60b00009b900,0x60b00009b970)
allocated by thread T0 here:
    #0 0x7fd7d4238c20 in operator new(unsigned long) (/usr/lib64/libasan.so.4+0xddc20)
    #1 0xca0634 in __gnu_cxx::new_allocator<unsigned long>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
    #2 0xca05ab in std::allocator_traits<std::allocator<unsigned long> >::allocate(std::allocator<unsigned long>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
    #3 0xca0181 in std::_Vector_base<unsigned long, std::allocator<unsigned long> >::_M_allocate(unsigned long) /usr/include/c++/7/bits/stl_vector.h:172
    #4 0x1438292 in std::vector<unsigned long, std::allocator<unsigned long> >::_M_default_append(unsigned long) /usr/include/c++/7/bits/vector.tcc:571
    #5 0x14349b0 in std::vector<unsigned long, std::allocator<unsigned long> >::resize(unsigned long) /usr/include/c++/7/bits/stl_vector.h:692
    #6 0x141ca49 in default_symfile_offsets(objfile*, std::vector<other_sections, std::allocator<other_sections> > const&) /data/gdb_versions/devel/src/gdb/symfile.c:638
    #7 0x141e53d in syms_from_objfile_1 /data/gdb_versions/devel/src/gdb/symfile.c:979
    #8 0x141e735 in syms_from_objfile /data/gdb_versions/devel/src/gdb/symfile.c:998
    #9 0x141f353 in symbol_file_add_with_addrs /data/gdb_versions/devel/src/gdb/symfile.c:1099
    #10 0x14200c8 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /data/gdb_versions/devel/src/gdb/symfile.c:1181
    #11 0x14201d7 in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>) /data/gdb_versions/devel/src/gdb/symfile.c:1194
    #12 0x14204e3 in symbol_file_add_main_1 /data/gdb_versions/devel/src/gdb/symfile.c:1217
    #13 0x1422c1c in symbol_file_command(char const*, int) /data/gdb_versions/devel/src/gdb/symfile.c:1661
    #14 0xde6506 in file_command /data/gdb_versions/devel/src/gdb/exec.c:536
    #15 0xaf9725 in do_const_cfunc /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:107
    #16 0xb01361 in cmd_func(cmd_list_element*, char const*, int) /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:1952
    #17 0x1527385 in execute_command(char const*, int) /data/gdb_versions/devel/src/gdb/top.c:655
    #18 0xddf604 in command_handler(char const*) /data/gdb_versions/devel/src/gdb/event-top.c:587
    #19 0xddff12 in command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) /data/gdb_versions/devel/src/gdb/event-top.c:772
    #20 0xdde235 in gdb_rl_callback_handler /data/gdb_versions/devel/src/gdb/event-top.c:218
    #21 0x171e465 in rl_callback_read_char /data/gdb_versions/devel/src/readline/readline/callback.c:281
    #22 0xdddde0 in gdb_rl_callback_read_char_wrapper_noexcept /data/gdb_versions/devel/src/gdb/event-top.c:176
    #23 0xdddfc0 in gdb_rl_callback_read_char_wrapper /data/gdb_versions/devel/src/gdb/event-top.c:193
    #24 0xddf1c2 in stdin_event_handler(int, void*) /data/gdb_versions/devel/src/gdb/event-top.c:515
    #25 0xdd9456 in handle_file_event /data/gdb_versions/devel/src/gdb/event-loop.c:701
    #26 0xdd9d5e in gdb_wait_for_event /data/gdb_versions/devel/src/gdb/event-loop.c:827
    #27 0xdd7b41 in gdb_do_one_event() /data/gdb_versions/devel/src/gdb/event-loop.c:313
    #28 0xdd7be1 in start_event_loop() /data/gdb_versions/devel/src/gdb/event-loop.c:337
    #29 0x109bde5 in captured_command_loop /data/gdb_versions/devel/src/gdb/main.c:360

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/gdb_versions/devel/src/gdb/symtab.c:1720 in fixup_section(general_symbol_info*, unsigned long, objfile*)
Shadow bytes around the buggy address:
  0x0c168000b6d0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c168000b6e0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c168000b6f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c168000b700: 00 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c168000b710: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c168000b720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c168000b730: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c168000b740: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168000b750: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c168000b760: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c168000b770: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28590==ABORTING
...
Also spotted with gdb.dwarf2/dw2-icc-opaque.exp.
(In reply to Tom de Vries from comment #0)
> [ Could be related to PR25479: "AddressSanitizer: heap-buffer-overflow in
> lookup_minimal_symbol_by_pc_name". Also there, there's fixup_section in the
> call stack. ]
>

Both gdb.base/readline-ask.exp and gdb.dwarf2/dw2-icc-opaque.exp bisect to commit 6a053cb1ff6, same as PR25479.
(In reply to Tom de Vries from comment #1)
> Also spotted with gdb.dwarf2/dw2-icc-opaque.exp.

Filed as PR29295.
Assert from PR 29295 also triggers for gdb.base/readline-ask.exp.

*** This bug has been marked as a duplicate of bug 29295 ***