Bug 16595 - gdb.base/readline-ask load -fsanitize=address error
Summary: gdb.base/readline-ask load -fsanitize=address error
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.25
Importance: P2 normal
Target Milestone: ---
Assignee: Jan Kratochvil
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-15 20:14 UTC by Jan Kratochvil
Modified: 2014-02-17 07:35 UTC (History)

See Also:
Host: x86_64-unknown-linux-gnu
Target:
Build:
Last reconfirmed:


Description Jan Kratochvil 2014-02-15 20:14:54 UTC
(gdb) file .../gdb/testsuite/gdb.base/readline-ask
Reading symbols from .../gdb/testsuite/gdb.base/readline-ask...
=================================================================
==5856== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x601c0000c5c0 at pc 0x1124771 bp 0x7fffd23e95a0 sp 0x7fffd23e9590
READ of size 8 at 0x601c0000c5c0 thread T0
    #0 0x1124770 in simple_restore_output_info (.../gdb/gdb+0x1124770)
    #1 0x10ecd51 in bfd_map_over_sections (.../gdb/gdb+0x10ecd51)
    #2 0x1125150 in bfd_simple_get_relocated_section_contents (.../gdb/gdb+0x1125150)
    #3 0x9ca87e in default_symfile_relocate (.../gdb/gdb+0x9ca87e)
    #4 0x9ca98d in symfile_relocate_debug_section (.../gdb/gdb+0x9ca98d)
    #5 0xaf5609 in dwarf2_read_section (.../gdb/gdb+0xaf5609)
    #6 0xb0ce07 in dwarf2_build_psymtabs_hard (.../gdb/gdb+0xb0ce07)
    #7 0xb000de in dwarf2_build_psymtabs (.../gdb/gdb+0xb000de)
    #8 0x86c39d in read_psyms (.../gdb/gdb+0x86c39d)
    #9 0x9b0dd7 in require_partial_symbols (.../gdb/gdb+0x9b0dd7)
    #10 0x9be470 in read_symbols (.../gdb/gdb+0x9be470)
    #11 0x9bf2ec in syms_from_objfile_1 (.../gdb/gdb+0x9bf2ec)
    #12 0x9bf334 in syms_from_objfile (.../gdb/gdb+0x9bf334)
    #13 0x9bf54e in symbol_file_add_with_addrs (.../gdb/gdb+0x9bf54e)
    #14 0x9bf817 in symbol_file_add_from_bfd (.../gdb/gdb+0x9bf817)
    #15 0x9bf872 in symbol_file_add (.../gdb/gdb+0x9bf872)
    #16 0x9bf93f in symbol_file_add_main_1 (.../gdb/gdb+0x9bf93f)
    #17 0x9c1243 in symbol_file_command (.../gdb/gdb+0x9c1243)
    #18 0xab2f64 in file_command (.../gdb/gdb+0xab2f64)
    #19 0x7d6222 in do_cfunc (.../gdb/gdb+0x7d6222)
    #20 0x7ddc42 in cmd_func (.../gdb/gdb+0x7ddc42)
    #21 0xc90b83 in execute_command (.../gdb/gdb+0xc90b83)
    #22 0xa43ba6 in command_handler (.../gdb/gdb+0xa43ba6)
    #23 0xa44794 in command_line_handler (.../gdb/gdb+0xa44794)
    #24 0xd64719 in rl_callback_read_char (.../gdb/gdb+0xd64719)
    #25 0xa43044 in rl_callback_read_char_wrapper (.../gdb/gdb+0xa43044)
    #26 0xa43a9b in stdin_event_handler (.../gdb/gdb+0xa43a9b)
    #27 0xa3ff33 in handle_file_event (.../gdb/gdb+0xa3ff33)
    #28 0xa3e2d9 in process_event (.../gdb/gdb+0xa3e2d9)
    #29 0xa3e398 in gdb_do_one_event (.../gdb/gdb+0xa3e398)
    #30 0xa3e44a in start_event_loop (.../gdb/gdb+0xa3e44a)
    #31 0xa43076 in cli_command_loop (.../gdb/gdb+0xa43076)
    #32 0xa2b1f6 in current_interp_command_loop (.../gdb/gdb+0xa2b1f6)
    #33 0xa2da12 in captured_command_loop (.../gdb/gdb+0xa2da12)
    #34 0xa24cdb in catch_errors (.../gdb/gdb+0xa24cdb)
    #35 0xa2f955 in captured_main (.../gdb/gdb+0xa2f955)
    #36 0xa24cdb in catch_errors (.../gdb/gdb+0xa24cdb)
    #37 0xa2f994 in gdb_main (.../gdb/gdb+0xa2f994)
    #38 0x49210e in main (.../gdb/gdb+0x49210e)
    #39 0x320e621d64 in __libc_start_main (/lib64/libc.so.6+0x320e621d64)
    #40 0x491ed8 (.../gdb/gdb+0x491ed8)
0x601c0000c5c0 is located 0 bytes to the right of 160-byte region [0x601c0000c520,0x601c0000c5c0)

allocated by thread T0 here:
    #0 0x7fb859964219 (/lib64/libasan.so.0+0x16219)
    #1 0x1124f58 in bfd_simple_get_relocated_section_contents (.../gdb/gdb+0x1124f58)
    #2 0x9ca87e in default_symfile_relocate (.../gdb/gdb+0x9ca87e)
    #3 0x9ca98d in symfile_relocate_debug_section (.../gdb/gdb+0x9ca98d)
    #4 0xaf5609 in dwarf2_read_section (.../gdb/gdb+0xaf5609)
    #5 0xb0ce07 in dwarf2_build_psymtabs_hard (.../gdb/gdb+0xb0ce07)
    #6 0xb000de in dwarf2_build_psymtabs (.../gdb/gdb+0xb000de)
    #7 0x86c39d in read_psyms (.../gdb/gdb+0x86c39d)
    #8 0x9b0dd7 in require_partial_symbols (.../gdb/gdb+0x9b0dd7)
    #9 0x9be470 in read_symbols (.../gdb/gdb+0x9be470)
    #10 0x9bf2ec in syms_from_objfile_1 (.../gdb/gdb+0x9bf2ec)
    #11 0x9bf334 in syms_from_objfile (.../gdb/gdb+0x9bf334)
    #12 0x9bf54e in symbol_file_add_with_addrs (.../gdb/gdb+0x9bf54e)
    #13 0x9bf817 in symbol_file_add_from_bfd (.../gdb/gdb+0x9bf817)
    #14 0x9bf872 in symbol_file_add (.../gdb/gdb+0x9bf872)
    #15 0x9bf93f in symbol_file_add_main_1 (.../gdb/gdb+0x9bf93f)
    #16 0x9c1243 in symbol_file_command (.../gdb/gdb+0x9c1243)
    #17 0xab2f64 in file_command (.../gdb/gdb+0xab2f64)
    #18 0x7d6222 in do_cfunc (.../gdb/gdb+0x7d6222)
    #19 0x7ddc42 in cmd_func (.../gdb/gdb+0x7ddc42)
    #20 0xc90b83 in execute_command (.../gdb/gdb+0xc90b83)
    #21 0xa43ba6 in command_handler (.../gdb/gdb+0xa43ba6)
    #22 0xa44794 in command_line_handler (.../gdb/gdb+0xa44794)
    #23 0xd64719 in rl_callback_read_char (.../gdb/gdb+0xd64719)
    #24 0xa43044 in rl_callback_read_char_wrapper (.../gdb/gdb+0xa43044)
    #25 0xa43a9b in stdin_event_handler (.../gdb/gdb+0xa43a9b)
    #26 0xa3ff33 in handle_file_event (.../gdb/gdb+0xa3ff33)
    #27 0xa3e2d9 in process_event (.../gdb/gdb+0xa3e2d9)
    #28 0xa3e398 in gdb_do_one_event (.../gdb/gdb+0xa3e398)
    #29 0xa3e44a in start_event_loop (.../gdb/gdb+0xa3e44a)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 simple_restore_output_info
Comment 1 Jan Kratochvil 2014-02-15 20:16:20 UTC
This bug happens too often to analyze further -fsanitize=address errors.
Comment 2 Jan Kratochvil 2014-02-16 18:29:33 UTC
[patch] asan error on bfd bfd_simple_get_relocated_section_contents
https://sourceware.org/ml/binutils/2014-02/msg00096.html
Comment 3 Sourceware Commits 2014-02-17 07:34:11 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  024a23103f04282872d4352302b1bfe04391a7a4 (commit)
      from  e7d1c40ce59ff355d2a51ff64a657c772eabbbfe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=024a23103f04282872d4352302b1bfe04391a7a4

commit 024a23103f04282872d4352302b1bfe04391a7a4
Author: Jan Kratochvil <jan.kratochvil@redhat.com>
Date:   Mon Feb 17 08:32:22 2014 +0100

    PR binutils/16595
    
    abfd->section_count unexpectedly changes between 218 and 248 in:
    
    150 bfd_simple_get_relocated_section_contents (bfd *abfd,
    [...]
    218   saved_offsets = malloc (sizeof (struct saved_output_info)
    219                           * abfd->section_count);
    [...]
    230   _bfd_generic_link_add_symbols (abfd, &link_info);
    [...]
    248   bfd_map_over_sections (abfd, simple_restore_output_info, saved_offsets);
    
    _bfd_generic_link_add_symbols increases section_count
    
    and simple_restore_output_info later reads unallocated part of saved_offsets.
    
    READ of size 8 at 0x601c0000c5c0 thread T0
        #0 0x1124770 in simple_restore_output_info (.../gdb/gdb+0x1124770)
        #1 0x10ecd51 in bfd_map_over_sections (.../gdb/gdb+0x10ecd51)
        #2 0x1125150 in bfd_simple_get_relocated_section_contents (.../gdb/gdb+0x1125150)
    
    bfd/
    2014-02-17  Jan Kratochvil  <jan.kratochvil@redhat.com>
    
    	PR binutils/16595
    	* simple.c (struct saved_offsets): New.
    	(simple_save_output_info): Use it for ptr.
    	(simple_restore_output_info): Use it for ptr.  Check section_count.
    	(bfd_simple_get_relocated_section_contents): Use it for saved_offsets.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    8 ++++++++
 bfd/simple.c  |   42 +++++++++++++++++++++++++++++-------------
 2 files changed, 37 insertions(+), 13 deletions(-)
Comment 4 Jan Kratochvil 2014-02-17 07:35:36 UTC
Checked in.
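The mechanism the commit message describes, as an added C example (this is not bfd's own code): a per-section array is sized from abfd->section_count, _bfd_generic_link_add_symbols then creates more sections, and a later bfd_map_over_sections walks the grown list, so the callback indexes past the allocation. The struct and function names used here (mini_bfd, link_add_symbols, relocated_contents_demo, the skipped counter) are hypothetical stand-ins for the internals in bfd/simple.c. The fix follows the ChangeLog: the count the array was allocated for travels with the pointer in a struct saved_offsets, and the restore callback checks it before indexing. The numbers in the report are consistent with this: bfd's saved_output_info holds an offset and a section pointer, 16 bytes on x86_64, so the 160-byte region is exactly 10 entries, and a read 0 bytes past its end is the first field of entry 10, the first section created after the malloc.

```c
/* Added example, not bfd code: models the stale section_count bug from
   PR binutils/16595 and the shape of the fix. All names are hypothetical
   stand-ins for the bfd internals named in the commit message. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SECTIONS 16

struct section {
    unsigned int index;             /* like asection->index */
    long output_offset;
    struct section *output_section;
};

struct mini_bfd {
    unsigned int section_count;     /* like abfd->section_count */
    struct section sections[MAX_SECTIONS];
};

struct saved_output_info {
    long output_offset;
    struct section *output_section;
};

/* The fix from the ChangeLog: the count the array was sized for travels
   with the pointer instead of being re-read from abfd later. */
struct saved_offsets {
    unsigned int section_count;
    struct saved_output_info *sections;
    unsigned int skipped;           /* demo only: sections that had no slot */
};

typedef void (*section_fn)(struct mini_bfd *, struct section *, void *);

/* Like bfd_map_over_sections: walks whatever section_count is *now*. */
static void map_over_sections(struct mini_bfd *abfd, section_fn fn, void *obj)
{
    for (unsigned int i = 0; i < abfd->section_count; i++)
        fn(abfd, &abfd->sections[i], obj);
}

static void add_section(struct mini_bfd *abfd, long output_offset)
{
    if (abfd->section_count >= MAX_SECTIONS)
        return;
    struct section *s = &abfd->sections[abfd->section_count];
    s->index = abfd->section_count++;
    s->output_offset = output_offset;
    s->output_section = s;
}

/* Stand-in for _bfd_generic_link_add_symbols, which the commit message
   says raises section_count as a side effect of adding symbols. */
static void link_add_symbols(struct mini_bfd *abfd, unsigned int extra)
{
    for (unsigned int i = 0; i < extra; i++)
        add_section(abfd, 0);
}

static void save_output_info(struct mini_bfd *abfd, struct section *sec, void *ptr)
{
    struct saved_offsets *saved = ptr;
    (void)abfd;
    /* Runs before the count changes, so every section has a slot. */
    saved->sections[sec->index].output_offset = sec->output_offset;
    saved->sections[sec->index].output_section = sec->output_section;
    sec->output_section = sec;      /* relocate against an identity mapping */
    sec->output_offset = 0;
}

static void restore_output_info(struct mini_bfd *abfd, struct section *sec, void *ptr)
{
    struct saved_offsets *saved = ptr;
    (void)abfd;
    /* Pre-fix code indexed a bare saved_output_info[] here with no bound,
       so every section created after the malloc was read out of bounds. */
    if (sec->index >= saved->section_count) {
        saved->skipped++;
        return;
    }
    sec->output_offset = saved->sections[sec->index].output_offset;
    sec->output_section = saved->sections[sec->index].output_section;
}

/* Mirrors the failing stretch of bfd_simple_get_relocated_section_contents.
   Returns how many sections restore had to skip, i.e. how many entries the
   pre-fix callback would have read past the allocation. */
unsigned int relocated_contents_demo(unsigned int initial, unsigned int extra)
{
    struct mini_bfd abfd = { 0 };
    for (unsigned int i = 0; i < initial; i++)
        add_section(&abfd, (long)(i + 1) * 0x100);

    struct saved_offsets saved;
    saved.section_count = abfd.section_count;          /* snapshot (line 218) */
    saved.sections = malloc(sizeof(*saved.sections) * saved.section_count);
    saved.skipped = 0;
    if (saved.sections == NULL && saved.section_count != 0)
        abort();

    map_over_sections(&abfd, save_output_info, &saved);
    link_add_symbols(&abfd, extra);                      /* count grows (line 230) */
    map_over_sections(&abfd, restore_output_info, &saved); /* line 248 */

    /* Original sections get their offsets back; the new ones are left alone. */
    for (unsigned int i = 0; i < initial; i++)
        if (abfd.sections[i].output_offset != (long)(i + 1) * 0x100)
            abort();

    free(saved.sections);
    return saved.skipped;
}

int main(void)
{
    printf("sections skipped by restore (pre-fix: out-of-bounds reads): %u\n",
           relocated_contents_demo(4, 3));
    return 0;
}
```

Building this with `-fsanitize=address` and deleting the `sec->index >= saved->section_count` check reproduces the report's shape: a heap-buffer-overflow READ in restore_output_info at 0 bytes past the malloc'd region, on the first section that link_add_symbols created. The point of the struct is that the bound is captured at allocation time, which is the only time it is known to match the array; re-reading abfd->section_count in the callback would reintroduce the bug.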