Bug 24364 - Segmentation Fault loading 64-bit ELF binary
Summary: Segmentation Fault loading 64-bit ELF binary
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: 8.2
Importance: P2 normal
Target Milestone: 9.1
Assignee: Paul Pluzhnikov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-19 22:22 UTC by Josh Stroschein
Modified: 2019-06-17 18:35 UTC (History)
CC List: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-06-16 00:00:00


Attachments
BT command from crash and several faulting test cases. (19.87 KB, application/zip)
2019-03-19 22:22 UTC, Josh Stroschein

Description Josh Stroschein 2019-03-19 22:22:01 UTC
Created attachment 11689 [details]
BT command from crash and several faulting test cases.

I used AFL fuzz to compile GDB from source and fuzz with a minimal test case - essentially a "hello world" 64 bit binary on Linux. After a few days of fuzzing, several unique crashes were observed, although they all appear to have the same root cause. I checked out GDB (binutils) from source and compiled with AFL-GCC. Versions are as follows:

OS: Ubuntu 16.04 LTS
Output from uname: 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017
GCC version 5.4.0 20160609 (although I'm not sure if AFL uses this or a different version)
GDB configured as "x86_64-pc-linux-gnu"
GDB version 8.2.50.20190205-git

I've attached a zip that contains the faulting test cases and a text file with the call stack at the time of the crash (bt command results). Test cases execute without problem outside of a debugger; when attempting to run the test cases with GDB, it crashes during the parsing of the binary.

This is my first bug report, please let me know if you need any further information, if this is not an issue or if this is the wrong place! The error does seem to reside in the BFD library. However, I'm not very familiar with GDB internals nor the BFD library so I haven't found as much time as I'd have liked to dig deeper into this crash before reporting.

Thank you for your time,
Josh Stroschein
Comment 1 Tom Tromey 2019-04-09 19:40:56 UTC
The stack looks like the failure is in the dtrace probe code:

(gdb) bt
#0  dtrace_process_dof (sect=0x14574c0, dof=0x0, probesp=0x1472650, objfile=0x1457c00)
    at dtrace-probe.c:531

... which isn't actually in BFD, so FWIW this bug is filed
in the right place.
Comment 2 Paul Pluzhnikov 2019-06-17 00:33:17 UTC
I think this is the correct fix for it:

diff --git a/gdb/dtrace-probe.c b/gdb/dtrace-probe.c
index 52973784e9..f03a1cf376 100644
--- a/gdb/dtrace-probe.c
+++ b/gdb/dtrace-probe.c
@@ -856,13 +856,14 @@ dtrace_static_probe_ops::get_probes

          /* Read the contents of the DOF section and then process it to
             extract the information of any probe defined into it.  */
-         if (!bfd_malloc_and_get_section (abfd, sect, &dof))
+         if (bfd_malloc_and_get_section (abfd, sect, &dof))
+           dtrace_process_dof (sect, objfile, probesp,
+                               (struct dtrace_dof_hdr *) dof);
+         else
            complaint (_("could not obtain the contents of"
                         "section '%s' in objfile `%s'."),
                       sect->name, abfd->filename);
-
-         dtrace_process_dof (sect, objfile, probesp,
-                             (struct dtrace_dof_hdr *) dof);
+
          xfree (dof);
        }
     }
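Review bot: the complaint message in this hunk concatenates "could not obtain the contents of" with "section '%s' ..." without a separating space, so the reported text reads "contents ofsection"; add a trailing space to the first string literal (`"could not obtain the contents of "`). The control-flow change itself is sound: dtrace_process_dof is now reached only when bfd_malloc_and_get_section succeeded, so the NULL dof seen at dtrace-probe.c:531 in the backtrace is confined to the else branch, and the unconditional xfree (dof) that follows is harmless there because dof is still NULL on that path. Consider also a short comment above the if noting that a failed read must not reach dtrace_process_dof, since the previous version silently fell through.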

I'll mail it to gdb-patches shortly.
Comment 3 Sourceware Commits 2019-06-17 17:50:04 UTC
The master branch has been updated by Paul Pluzhnikov <ppluzhnikov@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba9777bef059df0926ad5dd6813d5785cb652ccf

commit ba9777bef059df0926ad5dd6813d5785cb652ccf
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Mon Jun 17 10:49:15 2019 -0700

    PR gdb/24364: Don't call dtrace_process_dof with NULL dof.
Comment 4 Tom Tromey 2019-06-17 18:35:58 UTC
Fixed.