Bug 16594

Summary: info os processes -fsanitize=address error
Product: gdb Reporter: Jan Kratochvil <jan>
Component: gdbAssignee: Jan Kratochvil <jan>
Status: RESOLVED FIXED    
Severity: normal CC: jan
Priority: P2    
Version: HEAD   
Target Milestone: ---   
Host: x86_64-unknown-linux-gnu Target:
Build: Last reconfirmed:

Description Jan Kratochvil 2014-02-15 20:10:39 UTC
print port
$8 = 36414
(gdb) PASS: gdb.base/info-os.exp: get socket port number
info os processes
=================================================================
==5795== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600214974 at pc 0x757a92 bp 0x7fff95dd9f00 sp 0x7fff95dd9ef0
READ of size 4 at 0x600600214974 thread T0
    #0 0x757a91 in get_cores_used_by_process (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x757a91)
    #1 0x757f19 in linux_xfer_osdata_processes (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x757f19)
    #2 0x75cf41 in linux_common_xfer_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x75cf41)
    #3 0x7542fd in linux_nat_xfer_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7542fd)
    #4 0x7543d7 in linux_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7543d7)
    #5 0x752c2c in linux_nat_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x752c2c)
    #6 0xa9506e in default_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa9506e)
    #7 0xa940ff in target_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa940ff)
    #8 0xa95182 in target_read_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa95182)
    #9 0xa9622a in target_read_alloc_1 (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa9622a)
    #10 0xa963f6 in target_read_stralloc (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa963f6)
    #11 0xa98bcb in target_get_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa98bcb)
    #12 0xcfe77e in get_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xcfe77e)
    #13 0xcfea5a in info_osdata_command (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xcfea5a)
    #14 0x7d6222 in do_cfunc (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7d6222)
    #15 0x7ddc42 in cmd_func (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7ddc42)
    #16 0xc90b83 in execute_command (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xc90b83)
    #17 0xa43ba6 in command_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43ba6)
    #18 0xa44794 in command_line_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa44794)
    #19 0xd64719 in rl_callback_read_char (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xd64719)
    #20 0xa43044 in rl_callback_read_char_wrapper (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43044)
    #21 0xa43a9b in stdin_event_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43a9b)
    #22 0xa3ff33 in handle_file_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3ff33)
    #23 0xa3e2d9 in process_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e2d9)
    #24 0xa3e398 in gdb_do_one_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e398)
    #25 0xa3e44a in start_event_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e44a)
    #26 0xa43076 in cli_command_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43076)
    #27 0xa2b1f6 in current_interp_command_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa2b1f6)
    #28 0xa2da12 in captured_command_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa2da12)
    #29 0xa24cdb in catch_errors (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa24cdb)
    #30 0xa2f955 in captured_main (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa2f955)
    #31 0xa24cdb in catch_errors (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa24cdb)
    #32 0xa2f994 in gdb_main (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa2f994)
    #33 0x49210e in main (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x49210e)
    #34 0x320e621d64 in __libc_start_main (/lib64/libc.so.6+0x320e621d64)
    #35 0x491ed8 (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x491ed8)
0x600600214974 is located 1 bytes to the right of 19-byte region [0x600600214960,0x600600214973)

freed by thread T0 here:
    #0 0x7ff6151f50f9 (/lib64/libasan.so.0+0x160f9)
    #1 0xd1a8b0 in xfree (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xd1a8b0)
    #2 0x7574c5 in commandline_from_pid (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7574c5)
    #3 0x757dc1 in linux_xfer_osdata_processes (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x757dc1)
    #4 0x75cf41 in linux_common_xfer_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x75cf41)
    #5 0x7542fd in linux_nat_xfer_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7542fd)
    #6 0x7543d7 in linux_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7543d7)
    #7 0x752c2c in linux_nat_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x752c2c)
    #8 0xa9506e in default_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa9506e)
    #9 0xa940ff in target_xfer_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa940ff)
    #10 0xa95182 in target_read_partial (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa95182)
    #11 0xa9622a in target_read_alloc_1 (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa9622a)
    #12 0xa963f6 in target_read_stralloc (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa963f6)
    #13 0xa98bcb in target_get_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa98bcb)
    #14 0xcfe77e in get_osdata (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xcfe77e)
    #15 0xcfea5a in info_osdata_command (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xcfea5a)
    #16 0x7d6222 in do_cfunc (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7d6222)
    #17 0x7ddc42 in cmd_func (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x7ddc42)
    #18 0xc90b83 in execute_command (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xc90b83)
    #19 0xa43ba6 in command_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43ba6)
    #20 0xa44794 in command_line_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa44794)
    #21 0xd64719 in rl_callback_read_char (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xd64719)
    #22 0xa43044 in rl_callback_read_char_wrapper (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43044)
    #23 0xa43a9b in stdin_event_handler (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43a9b)
    #24 0xa3ff33 in handle_file_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3ff33)
    #25 0xa3e2d9 in process_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e2d9)
    #26 0xa3e398 in gdb_do_one_event (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e398)
    #27 0xa3e44a in start_event_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa3e44a)
    #28 0xa43076 in cli_command_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa43076)
    #29 0xa2b1f6 in current_interp_command_loop (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xa2b1f6)

previously allocated by thread T0 here:
    #0 0x7ff6151f5219 (/lib64/libasan.so.0+0x16219)
    #1 0x320e674db7 in _IO_vasprintf (/lib64/libc.so.6+0x320e674db7)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 get_cores_used_by_process
Comment 1 Jan Kratochvil 2014-02-17 21:29:38 UTC
[patch] Fix crash on process name "(sd-pam)" (PR 16594)
https://sourceware.org/ml/gdb-patches/2014-02/msg00547.html
Comment 2 Sourceware Commits 2014-02-21 17:42:30 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  184cd07257b5dd74a4eb9f6857fc6dd785f53492 (commit)
      from  dcf893b581c440902d68a0095967acd4ae7ae8d1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=184cd07257b5dd74a4eb9f6857fc6dd785f53492

commit 184cd07257b5dd74a4eb9f6857fc6dd785f53492
Author: Jan Kratochvil <jan.kratochvil@redhat.com>
Date:   Fri Feb 21 18:39:40 2014 +0100

    Fix crash on process name "(sd-pam)" (PR 16594).
    
    info os processes -fsanitize=address error
    https://sourceware.org/bugzilla/show_bug.cgi?id=16594
    
    info os processes
    =================================================================
    ==5795== ERROR: AddressSanitizer: heap-use-after-free on address
    0x600600214974 at pc 0x757a92 bp 0x7fff95dd9f00 sp 0x7fff95dd9ef0
    READ of size 4 at 0x600600214974 thread T0
        #0 0x757a91 in get_cores_used_by_process (.../gdb/gdb+0x757a91)
    
    At least Fedora 20 has process(es):
     6678 ?        Ss     0:00 /usr/lib/systemd/systemd --user
     6680 ?        S      0:00  \_ (sd-pam)
    
    and GDB "info os processes" crashes on it as /proc/6680/stat contains:
    
    6680 ((sd-pam)) S 6678 6678 6678 0 -1 1077961024 33 0 0 0 0 0 0 0 20 0 1 0 18568 73768960 120 18446744073709551615 1 1
    0 0 0 0 0 4096 0 18446744073709551615 0 0 17 6 0 0 0 0 0 0 0 0 0 0 0 0 0
    
    and GDB fails to find the proper end of the process name "((sd-pam))".
    Therefore it reads core number off-by-one (it reads 17 instead of 6) and
    overruns the array.
    
    (1) Make the process name parsing more foolproof.
    
    (2) Do not trust the parsed number from /proc/PID/stat and verify it against
        the array size.
    
    I noticed that 'ps' gets this right, so I've peeked at its
    sources, and it just looks for the first ')' starting at
    the end.
    
    https://gitorious.org/procps/procps/source/dc072aced7250fed9b01fb05f0d672678752a63e:proc/readproc.c
    
    Look for stat2proc.
    
    Given ps does that, I believe the kernel won't ever be changed
    in a way that would break it.  So it sounds like could do strrchr
    from the end of stat just as well without worry, which is simpler.
    
    gdb/
    2014-02-21  Jan Kratochvil  <jan.kratochvil@redhat.com>
    
    	PR gdb/16594
    	* common/linux-osdata.c (linux_common_core_of_thread): Find the end of
    	process name.
    	(get_cores_used_by_process): New parameter num_cores, use it.
    	(linux_xfer_osdata_processes): Pass num_cores to it.
    	* linux-tdep.c (linux_info_proc, linux_fill_prpsinfo): Find the end of
    	process name.
    
    Message-ID: <20140217212826.GA15080@host2.jankratochvil.net>

-----------------------------------------------------------------------

Summary of changes:
 gdb/ChangeLog             |   10 ++++++++++
 gdb/common/linux-osdata.c |   16 ++++++----------
 gdb/linux-tdep.c          |   18 +++++++++++-------
 3 files changed, 27 insertions(+), 17 deletions(-)
Comment 3 Jan Kratochvil 2014-02-21 17:43:08 UTC
Checked in.