Bug 21103 - Invalid read in read_dbx_symtab
Summary: Invalid read in read_dbx_symtab
Status: UNCONFIRMED
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: HEAD
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-02 18:08 UTC by Maximiliano Gomez Vidal
Modified: 2017-02-02 18:30 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
read_dbx_symtab invalid read (35 bytes, application/octet-stream)
2017-02-02 18:08 UTC, Maximiliano Gomez Vidal

Description Maximiliano Gomez Vidal 2017-02-02 18:08:23 UTC
Created attachment 9792
read_dbx_symtab invalid read

Hi there!

I've been fuzzing gdb with American Fuzzy Lop and AddressSanitizer. The attached file causes a segmentation fault due to an invalid read.

Let me know if I should provide any additional information.

GNU gdb (GDB) 7.12.50.20170131-git
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from id:000013,sig:06,src:003207,op:havoc,rep:16...
=================================================================
==23107==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002451444 at pc 0xb28dfb bp 0x7fff0614c4e0 sp 0x7fff0614c4d8
READ of size 1 at 0x000002451444 thread T0
    #0 0xb28dfa in read_dbx_symtab /home/maxi/binutils-gdb/gdb/dbxread.c:1125
    #1 0xb298f3 in dbx_symfile_read /home/maxi/binutils-gdb/gdb/dbxread.c:548
    #2 0x1182430 in read_symbols /home/maxi/binutils-gdb/gdb/symfile.c:870
    #3 0x1183869 in syms_from_objfile_1 /home/maxi/binutils-gdb/gdb/symfile.c:1071
    #4 0x1183869 in syms_from_objfile /home/maxi/binutils-gdb/gdb/symfile.c:1087
    #5 0x1183869 in symbol_file_add_with_addrs /home/maxi/binutils-gdb/gdb/symfile.c:1186
    #6 0x11872ae in symbol_file_add_from_bfd /home/maxi/binutils-gdb/gdb/symfile.c:1277
    #7 0x11872ae in symbol_file_add /home/maxi/binutils-gdb/gdb/symfile.c:1290
    #8 0x11872ae in symbol_file_add_main_1 /home/maxi/binutils-gdb/gdb/symfile.c:1313
    #9 0x11872ae in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) /home/maxi/binutils-gdb/gdb/symfile.c:1304
    #10 0xf494d0 in symbol_file_add_main_adapter /home/maxi/binutils-gdb/gdb/main.c:427
    #11 0xf49c87 in catch_command_errors_const /home/maxi/binutils-gdb/gdb/main.c:403
    #12 0xf4c903 in captured_main_1 /home/maxi/binutils-gdb/gdb/main.c:1045
    #13 0xf4c903 in captured_main /home/maxi/binutils-gdb/gdb/main.c:1140
    #14 0xf4c903 in gdb_main(captured_main_args*) /home/maxi/binutils-gdb/gdb/main.c:1158
    #15 0x44bfaa in main /home/maxi/binutils-gdb/gdb/gdb.c:32
    #16 0x7f6c80edfb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x45e6ae (/home/maxi/binutils-gdb/gdb/gdb+0x45e6ae)

0x000002451444 is located 28 bytes to the left of global variable 'bincls_allocated' from 'dbxread.c' (0x2451460) of size 4
0x000002451444 is located 4 bytes to the right of global variable 'symbuf' from 'dbxread.c' (0x2445440) of size 49152
SUMMARY: AddressSanitizer: global-buffer-overflow /home/maxi/binutils-gdb/gdb/dbxread.c:1125 read_dbx_symtab
Shadow bytes around the buggy address:
  0x000080482230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080482270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080482280: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x000080482290: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000804822a0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000804822b0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000804822c0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000804822d0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23107==ABORTING