Bug 21321 - AddressSanitizer: heap-use-after-free in gdbserver/linux-low.c
Summary: AddressSanitizer: heap-use-after-free in gdbserver/linux-low.c
Status: NEW
Alias: None
Product: gdb
Classification: Unclassified
Component: server
Version: HEAD
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2017-03-28 11:46 UTC by Yao Qi
Modified: 2019-07-26 14:05 UTC
Description Yao Qi 2017-03-28 11:46:23 UTC
I build GDBserver with CXXFLAGS='-O0 -g3 -fsanitize=address', and run GDB tests with GDBserver like this:

$ make check RUNTESTFLAGS="--target_board='native-gdbserver' process-dies-while-detaching.exp"

I get the ASan error:

(gdb) FAIL: gdb.threads/process-dies-while-detaching.exp: single-process: continue: killed outside: continue
Remote debugging from host 127.0.0.1
=================================================================
==26184==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000020b10 at pc 0x48026c bp 0x7fff34b15a20 sp 0x7fff34b15a18
WRITE of size 4 at 0x611000020b10 thread T0
    #0 0x48026b in linux_wait_1 /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:3845
    #1 0x4811ea in linux_wait /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:3990
    #2 0x453fea in target_wait(ptid, target_waitstatus*, int) /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/target.c:268
    #3 0x453a8a in mywait(ptid, target_waitstatus*, int, int) /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/target.c:214
    #4 0x44b53b in resume /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/server.c:2786
.......

0x611000020b10 is located 80 bytes inside of 216-byte region [0x611000020ac0,0x611000020b98)
freed by thread T0 here:
    #0 0x2b1500432631 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54631)
    #1 0x4722e8 in delete_lwp /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:415
    #2 0x47a7ed in linux_low_filter_event /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:2504
    #3 0x47bdc0 in linux_wait_for_event_filtered /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:2800
    #4 0x481c1f in wait_for_sigstop /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:4150
    #5 0x482660 in stop_all_lwps /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:4287
    #6 0x48018b in linux_wait_1 /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:3813
    #7 0x4811ea in linux_wait /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:3990
...
previously allocated by thread T0 here:
    #0 0x2b15004329a1 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549a1)
    #1 0x4147b6 in xcalloc /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/../common/common-utils.c:83
    #2 0x4748c0 in add_lwp /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:937
    #3 0x4731a3 in handle_extended_wait /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:624
    #4 0x47ac69 in linux_low_filter_event /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:2568
    #5 0x47bdc0 in linux_wait_for_event_filtered /home/yao/SourceCode/gnu/gdb/git/gdb/gdbserver/linux-low.c:2800
Comment 1 Tom de Vries 2019-07-26 14:05:44 UTC
Reproduced with current master:
... 
(gdb) PASS: gdb.threads/process-dies-while-detaching.exp: single-process: continue: killed outside: get integer valueof "mypid"
Executing on target: kill -9 26684    (timeout = 300)
spawn -ignore SIGHUP kill -9 26684
continue
Continuing.
Remote connection closed
(gdb) FAIL: gdb.threads/process-dies-while-detaching.exp: single-process: continue: killed outside: continue
Remote debugging from host 127.0.0.1, port 37196
=================================================================
==26676==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000038e90 at pc 0x0000004d72bd bp 0x7fff9fb67530 sp 0x7fff9fb67528
WRITE of size 4 at 0x611000038e90 thread T0
    #0 0x4d72bc in linux_wait_1 /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3707
    #1 0x4d8529 in linux_wait /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3852
    #2 0x49b809 in target_wait(ptid_t, target_waitstatus*, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:243
    #3 0x49afd3 in mywait(ptid_t, target_waitstatus*, int, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:189
    #4 0x48a225 in resume /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2879
    #5 0x489d89 in handle_v_cont /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2838
    #6 0x48b93b in handle_v_requests(char*, int, int*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3121
    #7 0x493456 in process_serial_event /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4361
    #8 0x4936e8 in handle_serial_event(int, void*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4394
    #9 0x458562 in handle_file_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:418
    #10 0x4570a4 in process_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:174
    #11 0x458f18 in start_event_loop() /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:537
    #12 0x48fd7e in captured_main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3867
    #13 0x4901e0 in main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3953
    #14 0x7f39b6258f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
    #15 0x413059 in _start (/data/gdb_versions/devel/build/gdb/gdbserver/gdbserver+0x413059)

0x611000038e90 is located 80 bytes inside of 224-byte region [0x611000038e40,0x611000038f20)
freed by thread T0 here:
    #0 0x7f39b6c19280 in __interceptor_free (/usr/lib64/libasan.so.5+0xeb280)
    #1 0x4c3f4c in delete_lwp /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:428
    #2 0x4cfb08 in linux_low_filter_event /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:2437
    #3 0x4d19e5 in linux_wait_for_event_filtered /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:2735
    #4 0x4d9279 in wait_for_sigstop /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:4007
    #5 0x4d9e5f in stop_all_lwps /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:4149
    #6 0x4d7187 in linux_wait_1 /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3675
    #7 0x4d8529 in linux_wait /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3852
    #8 0x49b809 in target_wait(ptid_t, target_waitstatus*, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:243
    #9 0x49afd3 in mywait(ptid_t, target_waitstatus*, int, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:189
    #10 0x48a225 in resume /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2879
    #11 0x489d89 in handle_v_cont /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2838
    #12 0x48b93b in handle_v_requests(char*, int, int*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3121
    #13 0x493456 in process_serial_event /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4361
    #14 0x4936e8 in handle_serial_event(int, void*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4394
    #15 0x458562 in handle_file_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:418
    #16 0x4570a4 in process_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:174
    #17 0x458f18 in start_event_loop() /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:537
    #18 0x48fd7e in captured_main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3867
    #19 0x4901e0 in main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3953
    #20 0x7f39b6258f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)

previously allocated by thread T0 here:
    #0 0x7f39b6c197e8 in calloc (/usr/lib64/libasan.so.5+0xeb7e8)
    #1 0x413205 in xcalloc /data/gdb_versions/devel/src/gdb/gdbserver/../alloc.c:100
    #2 0x4e81d4 in xcnew<lwp_info> /data/gdb_versions/devel/src/gdb/gdbserver/../gdbsupport/poison.h:122
    #3 0x4c7400 in add_lwp /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:954
    #4 0x4c550a in handle_extended_wait /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:638
    #5 0x4d0071 in linux_low_filter_event /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:2501
    #6 0x4d19e5 in linux_wait_for_event_filtered /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:2735
    #7 0x4d1fb0 in linux_wait_for_event /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:2823
    #8 0x4d39b8 in linux_wait_1 /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3129
    #9 0x4d8529 in linux_wait /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3852
    #10 0x49b809 in target_wait(ptid_t, target_waitstatus*, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:243
    #11 0x49afd3 in mywait(ptid_t, target_waitstatus*, int, int) /data/gdb_versions/devel/src/gdb/gdbserver/target.c:189
    #12 0x48a225 in resume /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2879
    #13 0x489d89 in handle_v_cont /data/gdb_versions/devel/src/gdb/gdbserver/server.c:2838
    #14 0x48b93b in handle_v_requests(char*, int, int*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3121
    #15 0x493456 in process_serial_event /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4361
    #16 0x4936e8 in handle_serial_event(int, void*) /data/gdb_versions/devel/src/gdb/gdbserver/server.c:4394
    #17 0x458562 in handle_file_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:418
    #18 0x4570a4 in process_event /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:174
    #19 0x458f18 in start_event_loop() /data/gdb_versions/devel/src/gdb/gdbserver/event-loop.c:537
    #20 0x48fd7e in captured_main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3867
    #21 0x4901e0 in main /data/gdb_versions/devel/src/gdb/gdbserver/server.c:3953
    #22 0x7f39b6258f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)

SUMMARY: AddressSanitizer: heap-use-after-free /data/gdb_versions/devel/src/gdb/gdbserver/linux-low.c:3707 in linux_wait_1
Shadow bytes around the buggy address:
==26676==ABORTING
PASS: gdb.threads/process-dies-while-detaching.exp: single-process: continue: killed outside: server exits
...
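Both traces have the same shape: linux_wait_1 holds a pointer to the event LWP, calls stop_all_lwps, and inside that call delete_lwp frees the record when the debuggee was killed; the later 4-byte write from linux_wait_1 then lands 80 bytes into the freed lwp_info. The C model below is an added example, not gdbserver's code: the list, the functions named after the frames in the trace, and the re-lookup used as the hardened shape are all constructed here, and it assumes a single-threaded server in which only stop_all_lwps can delete an LWP.

```c
#include <stdlib.h>
/* Stand-in for gdbserver's lwp_info list (constructed for this example). */
struct lwp_info {
    int pid;
    int stop_expected;            /* the field the stale 4-byte write lands on */
    struct lwp_info *next;
};
static struct lwp_info *all_lwps;
static struct lwp_info *add_lwp(int pid) {
    struct lwp_info *lwp = calloc(1, sizeof *lwp);   /* xcalloc in the trace */
    lwp->pid = pid; lwp->next = all_lwps; all_lwps = lwp;
    return lwp;
}
static struct lwp_info *find_lwp(int pid) {
    for (struct lwp_info *l = all_lwps; l; l = l->next)
        if (l->pid == pid) return l;
    return NULL;
}
static void delete_lwp(struct lwp_info *lwp) {
    struct lwp_info **pp = &all_lwps;
    while (*pp && *pp != lwp) pp = &(*pp)->next;
    if (*pp) *pp = lwp->next;
    free(lwp);                    /* the free() the ASan report points at */
}
/* Models stop_all_lwps(): while collecting SIGSTOPs it learns a process was
   killed and delete_lwp() frees its record, invalidating callers' pointers. */
static void stop_all_lwps(int killed_pid) {
    struct lwp_info *dead = find_lwp(killed_pid);
    if (dead) delete_lwp(dead);
}
/* Buggy shape of linux_wait_1: event_child is held across the call that may free it. */
int wait_1_buggy(int event_pid, int killed_pid) {
    struct lwp_info *event_child = find_lwp(event_pid);
    stop_all_lwps(killed_pid);
    event_child->stop_expected = 0;   /* heap-use-after-free when both pids match */
    return 0;
}
/* Hardened shape: re-resolve the LWP after any call that may delete LWPs. */
int wait_1_fixed(int event_pid, int killed_pid) {
    stop_all_lwps(killed_pid);
    struct lwp_info *event_child = find_lwp(event_pid);
    if (event_child == NULL) return -1;   /* process gone: report it, touch nothing */
    event_child->stop_expected = 0;
    return 0;
}
/* Check: returns 1 when the hardened path handles both the benign and the racy case. */
int demo(void) {
    add_lwp(100); add_lwp(200);
    return wait_1_fixed(100, 200) == 0 && find_lwp(200) == NULL
        && wait_1_fixed(100, 100) == -1 && find_lwp(100) == NULL;
}
```

Compiling this with -fsanitize=address and calling wait_1_buggy(100, 100) from a main() produces a heap-use-after-free report of the same form as the ones above (WRITE of size 4, freed in delete_lwp under stop_all_lwps, allocated in add_lwp).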