Bug 30832 - Sending specific GDB Remote Serial Protocol commands with a certain timing results in an out-of-bounds read and SEGFAULT
Status: UNCONFIRMED
Alias: None
Product: gdb
Classification: Unclassified
Component: server
Version: HEAD
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
Reported: 2023-09-07 17:54 UTC by M0NT3C4RL0
Modified: 2023-09-07 18:31 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Python3 script used to trigger the bug (445 bytes, text/x-python-script)
2023-09-07 17:54 UTC, M0NT3C4RL0

Description M0NT3C4RL0 2023-09-07 17:54:35 UTC
Created attachment 15102 [details]
Python3 script used to trigger the bug

Hello GDB developers,
During a debug session with IDAPro 7.7 in conjunction with gdbserver running on Debian, I encountered a crash while IDA was trying to reconnect to the remote debugger.

I reproduced exactly all the “GDB serial Protocol” commands that I sent to gdbserver using a python script and the only error I got was SIGPIPE. I noticed that adding a sleep between the commands resulted in the same crash mentioned above.


After a little bit of trial and error I found that the combination of commands resulting in a SEGFAULT was:

1) "+" --> (sleep one second after the response)
2) "QStartNoAckMode" --> (sleep one second after the response)
3) "%" --> (sleep one second after the response, and the string sent can be anything)

I was running gdbserver in my local network using "gdbserver localhost:23946 ~/Desktop/binary". The version of gdbserver is GNU gdbserver (Debian 13.2-1) 13.2, and gdbserver was configured as "x86_64-linux-gnu".

Usually, if the commands are not sent with the right timing, the only error raised is SIGPIPE and the program keeps running.
I found out that there is an out-of-bounds read during the call of readchar (gdbserver/remote-utils.cc:847).

The variable readchar_bufcnt is decremented, leading to a backward out-of-bounds stack read causing a SEGMENTATION FAULT.

I have no clue why the input bypasses the checks and starts to read the stack.

If readchar_bufcnt < 0 in readchar (gdbserver/remote-utils.cc:847), it would return -1.

gdbserver is installed using the package manager (sudo apt install gdbserver).

I compiled the program with symbols and I got the same issue.

Thank you for your attention and support.
Vincenzo Cantatore Gianluca Parisi Vincenzo Turturro (M0NT3C4RL0 Team)

-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-kali3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdbserver depends on:
ii  libc6       2.37-6
ii  libgcc-s1   13.1.0-6
ii  libstdc++6  13.1.0-6

gdbserver recommends no packages.

gdbserver suggests no packages.

-- no debconf information
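As an added illustration of the framing involved in the report above (this is example code written for this page, not gdbserver's readchar nor the reporter's attached script), a small Python RSP framer and a bounded stream parser: it builds `$payload#xx` packets with their checksum and consumes the "+", QStartNoAckMode and bare "%" sequence from the report, ending in an explicit 'bad' event for the truncated frame instead of reading past the buffer. The names `RspReader`, `rsp_frame` and `parse_stream` are this example's own.

```python
# GDB Remote Serial Protocol framing: $<payload>#<two hex digits of checksum>.
# Added example; models the receiving side with an explicitly bounded reader.

HEXDIGITS = b"0123456789abcdefABCDEF"

def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: byte sum modulo 256."""
    return sum(payload) % 256

def rsp_frame(payload: bytes) -> bytes:
    """Wrap a payload as a packet, e.g. b'$QStartNoAckMode#b0'."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)

class RspReader:
    """Reads one byte at a time from an in-memory stream (constructed input).
    The position is never allowed to run outside the buffer: exhaustion is
    reported as None rather than by indexing below zero or past the end."""
    def __init__(self, data: bytes):
        self.buf, self.pos = data, 0

    def readchar(self):
        if self.pos >= len(self.buf):
            return None          # caller must handle end of input explicitly
        c = self.buf[self.pos]
        self.pos += 1
        return c

def parse_stream(data: bytes):
    """Split a raw byte stream into (kind, payload) events.
    kind is 'ack', 'nack', 'packet' ($...), 'notify' (%...) or 'bad'."""
    rd, events = RspReader(data), []
    while (c := rd.readchar()) is not None:
        if c == ord('+'):
            events.append(('ack', b''))
        elif c == ord('-'):
            events.append(('nack', b''))
        elif c in (ord('$'), ord('%')):
            kind = 'packet' if c == ord('$') else 'notify'
            payload = bytearray()
            while (d := rd.readchar()) not in (None, ord('#')):
                payload.append(d)
            hi, lo = rd.readchar(), rd.readchar()          # None if truncated
            if d is None or hi not in HEXDIGITS or lo not in HEXDIGITS:
                events.append(('bad', bytes(payload)))     # truncated/malformed
                continue
            ok = int(bytes([hi, lo]), 16) == rsp_checksum(payload)
            events.append((kind if ok else 'bad', bytes(payload)))
        else:
            events.append(('bad', bytes([c])))             # stray byte, no frame
    return events
```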