Bug 30641 - AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:284:10 in pe_as16(void*)
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: 13.1
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone

Reported: 2023-07-15 06:36 UTC by 熊吉思汗
Modified: 2023-09-28 19:09 UTC
CC List: 3 users

Attachments
crash seed (308 bytes, application/octet-stream) - 2023-07-15 06:36 UTC, 熊吉思汗
input file of -x option (128 bytes, text/plain) - 2023-07-15 06:36 UTC, 熊吉思汗
Description 熊吉思汗 2023-07-15 06:36:16 UTC
Created attachment 14971
crash seed

Hello GDB developers,
We recently conducted a fuzzing test on GDB and discovered a heap-use-after-free bug. We would like to provide a detailed description of the bug and seek your assistance in addressing it.

version:
gdb: GNU gdb (GDB) 13.0.50.20220805-git
gcc: gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
ubuntu: 20.04

command to reproduce:
gdb -x command.gdb hbo
hbo is attached to this report.
command.gdb is attached to the first comment.


ASAN report:
=================================================================
==2662511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa83b269800 at pc 0x000000b13b4e bp 0x7ffdba8a9480 sp 0x7ffdba8a9478
READ of size 1 at 0x7fa83b269800 thread T0
    #0 0xb13b4d in pe_as16(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:284:10
    #1 0xb11af1 in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:513:31
    #2 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:548:7
    #3 0xb1abd0 in coff_symfile_read(objfile*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:702:3
    #4 0x1bf6a0e in read_symbols(objfile*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:772:3
    #5 0x1c19531 in syms_from_objfile_1(objfile*, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:968:3
    #6 0x1c180fd in syms_from_objfile(objfile*, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:985:3
    #7 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1088:3
    #8 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1168:10
    #9 0x1be7459 in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1181:10
    #10 0x1be873e in symbol_file_add_main_1(char const*, enum_flags<symfile_add_flag>, enum_flags<objfile_flag>, unsigned long) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1205:29
    #11 0x1be82ea in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1196:3
    #12 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:540:3
    #13 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:513:7
    #14 0x15c433a in captured_main_1(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1212:8
    #15 0x15be28d in captured_main(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1319:3
    #16 0x15be058 in gdb_main(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1344:7
    #17 0x4e4f12 in main /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/gdb.c:32:10
    #18 0x7fa86dd0f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x433ebd in _start (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x433ebd)

0x7fa83b269800 is located 0 bytes to the right of 262144-byte region [0x7fa83b229800,0x7fa83b269800)
allocated by thread T0 here:
    #0 0x4e242d in operator new(unsigned long) (/home/root/sp/Fuzz/aflpp_fuzz/Binutils/document_group/batch_x/gdb_1/gdb+0x4e242d)
    #1 0x627d92 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0x627ca1 in std::allocator_traits<gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > >::allocate(gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> >&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:314:20
    #3 0x627661 in std::_Vector_base<unsigned char, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0x6b7121 in std::_Vector_base<unsigned char, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:361:33
    #5 0x6b6dd9 in std::_Vector_base<unsigned char, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > >::_Vector_base(unsigned long, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > const&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:305:9
    #6 0xa9ea40 in std::vector<unsigned char, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > >::vector(unsigned long, gdb::default_init_allocator<unsigned char, std::allocator<unsigned char> > const&) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:511:9
    #7 0xb1106b in read_pe_exported_syms(minimal_symbol_reader&, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:469:34
    #8 0xb1d543 in coff_read_minsyms(long, unsigned int, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:548:7
    #9 0xb1abd0 in coff_symfile_read(objfile*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coffread.c:702:3
    #10 0x1bf6a0e in read_symbols(objfile*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:772:3
    #11 0x1c19531 in syms_from_objfile_1(objfile*, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:968:3
    #12 0x1c180fd in syms_from_objfile(objfile*, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:985:3
    #13 0x1be663c in symbol_file_add_with_addrs(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1088:3
    #14 0x1be70b3 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1168:10
    #15 0x1be7459 in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1181:10
    #16 0x1be873e in symbol_file_add_main_1(char const*, enum_flags<symfile_add_flag>, enum_flags<objfile_flag>, unsigned long) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1205:29
    #17 0x1be82ea in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/symfile.c:1196:3
    #18 0x15c8b73 in symbol_file_add_main_adapter(char const*, int) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:540:3
    #19 0x15c6d2c in catch_command_errors(void (*)(char const*, int), char const*, int, bool) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:513:7
    #20 0x15c433a in captured_main_1(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1212:8
    #21 0x15be28d in captured_main(void*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1319:3
    #22 0x15be058 in gdb_main(captured_main_args*) /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/main.c:1344:7
    #23 0x4e4f12 in main /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/gdb.c:32:10
    #24 0x7fa86dd0f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Binutils/binutils_aflpp/gdb/coff-pe-read.c:284:10 in pe_as16(void*)
==2662511==ABORTING

Thank you for your attention and support.
Best regards,
Michael Zhang.
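The check a reader of the trace above would want at the read site, as an added example that is not gdb's code: a bounds-checked counterpart to a pe_as16-style reader over a constructed export-data buffer, which rejects exactly the case ASan reports, a read beginning 0 bytes past the end of the region. The sample buffer and the sum_ordinals walker are constructed for illustration and are not gdb functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 16-byte "export data" region holding an
   8-entry ordinal table (little-endian 16-bit values 1..8).  */
static const uint8_t sample_export_data[16] = {
  0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00,
  0x05, 0x00, 0x06, 0x00, 0x07, 0x00, 0x08, 0x00
};

/* Unchecked reader in the style of pe_as16: it trusts that the two
   bytes at P lie inside the buffer.  This is the shape of the read ASan
   flagged (a 1-byte READ exactly at the end of the 262144-byte region).  */
static uint16_t
pe_as16_unchecked (const uint8_t *p)
{
  return (uint16_t) (p[0] | (p[1] << 8));
}

/* Checked reader: OFF comes from the file, so refuse any read whose two
   bytes are not entirely inside [buf, buf + len).  Written as
   "len - off < 2" rather than "off + 2 > len" so a huge OFF cannot wrap.  */
static bool
pe_as16_checked (const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
  if (off > len || len - off < 2)
    return false;
  *out = pe_as16_unchecked (buf + off);
  return true;
}

/* Hypothetical walker (not a gdb function): sum the entries of an ordinal
   table whose start offset and entry count both come from the file.
   Returns -1 if the table, or any entry of it, does not fit in the buffer.  */
static long
sum_ordinals (const uint8_t *buf, size_t len, size_t table_off, size_t count)
{
  /* Reject an impossible table before looping, so a crafted count of
     2^63 entries does not cost 2^63 iterations before the first failure.  */
  if (table_off > len || count > (len - table_off) / 2)
    return -1;
  long sum = 0;
  for (size_t i = 0; i < count; i++)
    {
      uint16_t ord;
      if (!pe_as16_checked (buf, len, table_off + 2 * i, &ord))
        return -1;
      sum += ord;
    }
  return sum;
}

int main (void)
{
  /* 8 entries fit (sum 36); a 9th would start at offset 16 == len.  */
  printf ("8 entries: %ld\n", sum_ordinals (sample_export_data, 16, 0, 8));
  printf ("9 entries: %ld\n", sum_ordinals (sample_export_data, 16, 0, 9));
  return 0;
}
```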
Comment 1 熊吉思汗 2023-07-15 06:36:32 UTC
Created attachment 14972
input file of -x option
Comment 2 Keith Seitz 2023-07-26 19:48:50 UTC
Trying this on origin/master, we have a slightly different segfault
location:

$ ./gdb -nx -q --data-directory data-directory hbo
BFD: hbo: warning: claims to have 0xffff relocs, without overflow
hbo: warning: claims to have 0xffff relocs, without overflow
hbo: warning: claims to have 0xffff relocs, without overflow
hbo: warning: claims to have 0xffff relocs, without overflow
Reading symbols from /home/keiths/rhbz/CVE/2023/39130/hbo...


Fatal signal: Segmentation fault
----- Backtrace -----
0x599064 gdb_internal_backtrace_1
	../../src/gdb/bt-utils.c:122
0x599107 _Z22gdb_internal_backtracev
	../../src/gdb/bt-utils.c:168
0x782fd4 handle_fatal_signal
	../../src/gdb/event-top.c:889
0x783140 handle_sigsegv
	../../src/gdb/event-top.c:962
0x7fea92e5fb6f ???
0x60ace0 add_pe_exported_sym
	../../src/gdb/coff-pe-read.c:138
0x60c3b9 _Z21read_pe_exported_symsR21minimal_symbol_readerP7objfile
	../../src/gdb/coff-pe-read.c:557
0x60e0bb coff_read_minsyms
	../../src/gdb/coffread.c:543
0x60e629 coff_symfile_read
	../../src/gdb/coffread.c:698
0xbd975e read_symbols
	../../src/gdb/symfile.c:772
0xbd9e0b syms_from_objfile_1
	../../src/gdb/symfile.c:966
0xbd9ecf syms_from_objfile
	../../src/gdb/symfile.c:983
0xbda3aa symbol_file_add_with_addrs
	../../src/gdb/symfile.c:1086
0xbda6eb _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile
	../../src/gdb/symfile.c:1166
0xbda73a _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE
	../../src/gdb/symfile.c:1179
0xbda7ff symbol_file_add_main_1
	../../src/gdb/symfile.c:1203
0xbda7a6 _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE
	../../src/gdb/symfile.c:1194
0x90b1d7 symbol_file_add_main_adapter
	../../src/gdb/main.c:549
0x90b0ed catch_command_errors
	../../src/gdb/main.c:518
0x90c20e captured_main_1
	../../src/gdb/main.c:1203
0x90c820 captured_main
	../../src/gdb/main.c:1310
0x90c8bf _Z8gdb_mainP18captured_main_args
	../../src/gdb/main.c:1339
0x418c3c main
	../../src/gdb/gdb.c:32
---------------------
A fatal error internal to GDB has been detected, further
debugging is not possible.  GDB will now terminate.

This is a bug, please report it.  For instructions, see:
<https://www.gnu.org/software/gdb/bugs/>.

Segmentation fault (core dumped)

Can you confirm this is the correct segfault location for the supplied binary
(in origin/master)? Is the binary attached to this bug the one for 30640?

It appears that none of the binaries you supplied for 30639, 30640, or 30641
are correct for their respective bugs.
Comment 3 熊吉思汗 2023-07-29 07:44:23 UTC
(In reply to Keith Seitz from comment #2)
> Trying this on origin/master, we have a slightly different segfault
> location:
> 
> $ ./gdb -nx -q --data-directory data-directory hbo
> BFD: hbo: warning: claims to have 0xffff relocs, without overflow
> hbo: warning: claims to have 0xffff relocs, without overflow
> hbo: warning: claims to have 0xffff relocs, without overflow
> hbo: warning: claims to have 0xffff relocs, without overflow
> Reading symbols from /home/keiths/rhbz/CVE/2023/39130/hbo...
> 
> 
> Fatal signal: Segmentation fault
> ----- Backtrace -----
> 0x599064 gdb_internal_backtrace_1
> 	../../src/gdb/bt-utils.c:122
> 0x599107 _Z22gdb_internal_backtracev
> 	../../src/gdb/bt-utils.c:168
> 0x782fd4 handle_fatal_signal
> 	../../src/gdb/event-top.c:889
> 0x783140 handle_sigsegv
> 	../../src/gdb/event-top.c:962
> 0x7fea92e5fb6f ???
> 0x60ace0 add_pe_exported_sym
> 	../../src/gdb/coff-pe-read.c:138
> 0x60c3b9 _Z21read_pe_exported_symsR21minimal_symbol_readerP7objfile
> 	../../src/gdb/coff-pe-read.c:557
> 0x60e0bb coff_read_minsyms
> 	../../src/gdb/coffread.c:543
> 0x60e629 coff_symfile_read
> 	../../src/gdb/coffread.c:698
> 0xbd975e read_symbols
> 	../../src/gdb/symfile.c:772
> 0xbd9e0b syms_from_objfile_1
> 	../../src/gdb/symfile.c:966
> 0xbd9ecf syms_from_objfile
> 	../../src/gdb/symfile.c:983
> 0xbda3aa symbol_file_add_with_addrs
> 	../../src/gdb/symfile.c:1086
> 0xbda6eb _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile
> 	../../src/gdb/symfile.c:1166
> 0xbda73a _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE
> 	../../src/gdb/symfile.c:1179
> 0xbda7ff symbol_file_add_main_1
> 	../../src/gdb/symfile.c:1203
> 0xbda7a6 _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE
> 	../../src/gdb/symfile.c:1194
> 0x90b1d7 symbol_file_add_main_adapter
> 	../../src/gdb/main.c:549
> 0x90b0ed catch_command_errors
> 	../../src/gdb/main.c:518
> 0x90c20e captured_main_1
> 	../../src/gdb/main.c:1203
> 0x90c820 captured_main
> 	../../src/gdb/main.c:1310
> 0x90c8bf _Z8gdb_mainP18captured_main_args
> 	../../src/gdb/main.c:1339
> 0x418c3c main
> 	../../src/gdb/gdb.c:32
> ---------------------
> A fatal error internal to GDB has been detected, further
> debugging is not possible.  GDB will now terminate.
> 
> This is a bug, please report it.  For instructions, see:
> <https://www.gnu.org/software/gdb/bugs/>.
> 
> Segmentation fault (core dumped)
> 
> Can you confirm this is the correct segfault location for the supplied binary
> (in origin/master)? Is the binary attached to this bug the one for 30640?
> 
> It appears that none of the binaries you supplied for 30639, 30640, or 30641
> are correct for their respective bugs.

Please ignore the 30639, 30640, and 30641 bug reports. I will use the latest origin/master gdb with asan to check these bugs again. If these bugs are still valid, I will submit new bug reports. I am sorry for my mistake.
Comment 4 Abdul Basit 2023-09-28 08:10:41 UTC
Regarding this issue and Bug 30640 there are CVEs linked to both issues.
https://nvd.nist.gov/vuln/detail/CVE-2023-39129
https://nvd.nist.gov/vuln/detail/CVE-2023-39130

@sihan2021's last comment on the ticket is the following, and afterwards there is no update:
> Please ignore 30639, 30640, and 30641 bug report. I will use the latest origin/master gdb with asan to check these bug again.

Can you please confirm whether there is any update regarding this, as the CVEs are still open for all these issues and there is no update on these two issues. I do not see any new issue linked to these CVEs. So if these are not valid issues, it would be helpful to update the related CVEs; otherwise, if they are valid issues, please update them with the right information about the security issue in gdb 13.1.

Thanks
Comment 5 Simon Marchi 2023-09-28 14:32:06 UTC
(In reply to Abdul Basit from comment #4)
> Regarding this issue and Bug 30640 there are CVEs linked to both issues.
> https://nvd.nist.gov/vuln/detail/CVE-2023-39129
> https://nvd.nist.gov/vuln/detail/CVE-2023-39130
> 
> @sihan2021 last comment on the ticket is following and afterwards there is
> no update: 
> > Please ignore 30639, 30640, and 30641 bug report. I will use the latest origin/master gdb with asan to check these bug again.
> 
> Can you please confirm is there any update regarding this as CVEs are still
> open for all these issues and there is no update on these two issues.   I do
> not see any new issue link to these CVEs.  So if these are not valid issues
> then it would be helpful to update the related CVEs otherwise if they are
> valid issues then to update them with right info about security issue in gdb
> 13.1
> 
> Thanks

They are likely valid issues.  If there is no update, it probably means nobody has looked into fixing them.
Comment 6 Keith Seitz 2023-09-28 14:44:37 UTC
(In reply to Simon Marchi from comment #5)

> They are likely valid issues.  If there is no update, it probably means
> nobody has looked into fixing them.

I think this fixes it:

https://inbox.sourceware.org/gdb-patches/ZNRbSREoB52gfDWx@squeak.grove.modra.org/

It may be that this requires the fixes for 30640 and 30639, too. I don't remember. I tested all three COFF bugs on a branch containing all the patches.
Comment 7 Keith Seitz 2023-09-28 19:09:08 UTC
Fixed by:

commit 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Aug 9 09:58:36 2023 +0930

    gdb: warn unused result for bfd IO functions