This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.
[Bug gdb/20037] New: Detected Use-After-Free Error
- From: "ian at geometrian dot com" <sourceware-bugzilla at sourceware dot org>
- To: gdb-prs at sourceware dot org
- Date: Tue, 03 May 2016 06:49:53 +0000
- Subject: [Bug gdb/20037] New: Detected Use-After-Free Error
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20037
Bug ID: 20037
Summary: Detected Use-After-Free Error
Product: gdb
Version: 7.11
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: ian at geometrian dot com
Target Milestone: ---
GDB appears to have a use-after-free error. This was detected with libasan.
Consider the call:
LD_PRELOAD=libasan.so.2 gdb gdb
On an ARM-based test machine, it produces:
=================================================================
==11973==ERROR: AddressSanitizer: heap-use-after-free on address 0x72d03f40 at
pc 0x76a2079b bp 0x7ef47150 sp 0x7ef4715c
READ of size 2 at 0x72d03f40 thread T0
#0 0x76a20799 (/usr/lib/arm-linux-gnueabihf/libasan.so.2+0x42799)
0x72d03f40 is located 0 bytes inside of 181-byte region [0x72d03f40,0x72d03ff5)
freed by thread T0 here:
#0 0x76a5317d in free (/usr/lib/arm-linux-gnueabihf/libasan.so.2+0x7517d)
#1 0x3673ef (/usr/bin/gdb+0x3673ef)
previously allocated by thread T0 here:
#0 0x76a53393 in malloc (/usr/lib/arm-linux-gnueabihf/libasan.so.2+0x75393)
#1 0x3673ef (/usr/bin/gdb+0x3673ef)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x2e5a0790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
0x2e5a07a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x2e5a07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
0x2e5a07c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x2e5a07d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
=>0x2e5a07e0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x2e5a07f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x2e5a0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x2e5a0810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x2e5a0820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x2e5a0830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11973==ABORTING
In an x86-64 VM, it produces:
=================================================================
==10105==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000007e40
at pc 0x7f5ad3ec8205 bp 0x7ffd7f753a30 sp 0x7ffd7f7531d8
READ of size 2 at 0x610000007e40 thread T0
#0 0x7f5ad3ec8204 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x51204)
#1 0x502bb5 in _initialize_python (/usr/bin/gdb+0x502bb5)
#2 0x6df82f in initialize_all_files (/usr/bin/gdb+0x6df82f)
#3 0x69ee3c in gdb_init (/usr/bin/gdb+0x69ee3c)
#4 0x5cd734 (/usr/bin/gdb+0x5cd734)
#5 0x5c9d0c in catch_errors (/usr/bin/gdb+0x5c9d0c)
#6 0x5ce3ba in gdb_main (/usr/bin/gdb+0x5ce3ba)
#7 0x45ec74 in main (/usr/bin/gdb+0x45ec74)
#8 0x7f5ad1be082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x45ecb8 in _start (/usr/bin/gdb+0x45ecb8)
0x610000007e40 is located 0 bytes inside of 181-byte region
[0x610000007e40,0x610000007ef5)
freed by thread T0 here:
#0 0x7f5ad3f0f24a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9824a)
#1 0x7f5ad1beb3e5 in setlocale (/lib/x86_64-linux-gnu/libc.so.6+0x2b3e5)
previously allocated by thread T0 here:
#0 0x7f5ad3f0f54a in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9854a)
#1 0x7f5ad1beaa9d (/lib/x86_64-linux-gnu/libc.so.6+0x2aa9d)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c207fff8f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
0x0c207fff8f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c207fff8f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
0x0c207fff8fa0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c207fff8fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
=>0x0c207fff8fc0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c207fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff8fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c207fff8ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c207fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==10105==ABORTING
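The x86-64 trace above shows a 2-byte read in _initialize_python of a buffer that was freed inside setlocale; the C example below is added here and is not GDB's code, and it assumes the usual cause of that shape of report: keeping the pointer setlocale() returns across a later setlocale() call, which POSIX allows to invalidate it. It shows the unsafe pattern next to the copy-then-restore form that keeps ASan (gcc -fsanitize=address -g) quiet.

```c
#define _POSIX_C_SOURCE 200809L
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UNSAFE (assumed pattern, not GDB's actual source): hands back the pointer
   setlocale() owns. Any later setlocale() may free or overwrite that buffer,
   which is what the "freed by ... setlocale" frame in the report describes. */
const char *save_locale_unsafe(int category)
{
    return setlocale(category, NULL);
}

/* SAFE: copy the locale name before the locale is changed. Caller frees. */
char *save_locale_safe(int category)
{
    const char *cur = setlocale(category, NULL);
    return cur ? strdup(cur) : NULL;
}

/* Restore the saved locale and release the copy. Returns 1 on success. */
int restore_locale(int category, char *saved)
{
    int ok = saved != NULL && setlocale(category, saved) != NULL;
    free(saved);
    return ok;
}

int main(void)
{
    setlocale(LC_CTYPE, "C");
    char *saved = save_locale_safe(LC_CTYPE);        /* private copy */
    const char *dangling = save_locale_unsafe(LC_CTYPE); /* borrowed pointer */

    setlocale(LC_CTYPE, "");  /* switch to the environment's locale; may free
                                 the buffer 'dangling' still points at */

    printf("saved copy still readable: %s\n", saved);
    /* Dereferencing 'dangling' here is the bug: with the buffer freed, ASan
       reports heap-use-after-free exactly as in the report above. */
    (void)dangling;

    if (!restore_locale(LC_CTYPE, saved))
        fprintf(stderr, "could not restore LC_CTYPE\n");
    return 0;
}
```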