[Bug exp/24698] New: heap-buffer-overflow in floatformat_to_doublest

vries at gcc dot gnu.org sourceware-bugzilla@sourceware.org
Tue Jun 18 16:33:00 GMT 2019 

https://sourceware.org/bugzilla/show_bug.cgi?id=24698

            Bug ID: 24698
           Summary: heap-buffer-overflow in floatformat_to_doublest
           Product: gdb
           Version: 7.11.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: exp
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

[ Filing FTR ]

System: SUSE Linux Enterprise Server 12 SP3, gcc 4.8.5, glibc 2.22, binutils
2.31.

Sources from 7.11.1 release ( https://ftp.gnu.org/gnu/gdb/gdb-7.11.1.tar.gz )
extracted at $pwd/src.

A gdb build using address sanitizer:
...
$ mkdir build
$ cd build
$ ../src/configure 
$ make CFLAGS="-fsanitize=address -O0 -g" LDFLAGS="-lasan"
...

When running this test:
...
$ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer;
$ export ASAN_OPTIONS=symbolize=1
$ make check "RUNTESTFLAGS=gdb.base/call-sc.exp --target_board=unix/-m32"
...

We run into:
...
(gdb) PASS: gdb.base/call-sc.exp: ptype foo; call-sc-tld long double
p/c fun()
=================================================================
==971683== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x600400040a10 at pc 0xae6823 bp 0x7ffed7372f80 sp 0x7ffed7372f78
READ of size 16 at 0x600400040a10 thread T0
    #0 0xae6822 in floatformat_to_doublest
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/doublest.c:719
    #1 0xae7142 in extract_typed_floating
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/doublest.c:822
    #2 0x73d87f in unpack_long
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/value.c:2906
    #3 0x781c06 in print_scalar_formatted
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:389
    #4 0x77782f in val_print_scalar_formatted
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/valprint.c:1230
    #5 0x7815b8 in print_formatted
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:319
    #6 0x784223 in print_value
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:976
    #7 0x78442f in print_command_1
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:1007
    #8 0x78447e in print_command
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:1015
    #9 0x5b00ba in do_cfunc
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/cli/cli-decode.c:105
    #10 0x5b76ff in cmd_func
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/cli/cli-decode.c:1885
    #11 0xac6952 in execute_command
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/top.c:475
    #12 0x850038 in command_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:491
    #13 0x850c5c in command_line_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:690
    #14 0xba2f89 in rl_callback_read_char
/home/tdevries/gdb/7.11.1/build/readline/../../src/readline/callback.c:220
    #15 0x84f4aa in rl_callback_read_char_wrapper
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:171
    #16 0x84ff68 in stdin_event_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:430
    #17 0x84c92f in handle_file_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:708
    #18 0x84d443 in gdb_wait_for_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:834
    #19 0x84ad5b in gdb_do_one_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:298
    #20 0x84ae59 in start_event_loop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:347
    #21 0x84f4dc in cli_command_loop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:186
    #22 0x839cb4 in current_interp_command_loop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/interps.c:317
    #23 0x83b593 in captured_command_loop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/main.c:318
    #24 0x832450 in catch_errors
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/exceptions.c:240
    #25 0x83d6d1 in captured_main
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/main.c:1157
    #26 0x832450 in catch_errors
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/exceptions.c:240
    #27 0x83d6fa in gdb_main
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/main.c:1165
    #28 0x46f3d3 in main
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/gdb.c:32
    #29 0x7fe15b79b724 in __libc_start_main (/lib64/libc.so.6+0x20724)
    #30 0x46f1a8 in _start
/home/abuild/rpmbuild/BUILD/glibc-2.22/csu/../sysdeps/x86_64/start.S:118
0x600400040a1c is located 0 bytes to the right of 12-byte region
[0x600400040a10,0x600400040a1c)
allocated by thread T0 here:
    #0 0x7fe15ccbe915 in calloc (/usr/lib64/libasan.so.0+0x15915)
    #1 0xb3e3bc in xcalloc
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/common/common-utils.c:83
    #2 0xb3e408 in xzalloc
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/common/common-utils.c:93
    #3 0x736905 in allocate_value_contents
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/value.c:1036
    #4 0x73695f in allocate_value
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/value.c:1047
    #5 0x7ecbe9 in get_call_return_value
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infcall.c:430
    #6 0x7ecf16 in call_thread_fsm_should_stop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infcall.c:520
    #7 0x83181f in thread_fsm_should_stop
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/thread-fsm.c:58
    #8 0x8047a6 in fetch_inferior_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infrun.c:3938
    #9 0x8514fc in inferior_event_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/inf-loop.c:44
    #10 0x5204a1 in handle_target_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/linux-nat.c:4360
    #11 0x84c92f in handle_file_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:708
    #12 0x84d443 in gdb_wait_for_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:834
    #13 0x84ad5b in gdb_do_one_event
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-loop.c:298
    #14 0xac642f in wait_sync_command_done
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/top.c:373
    #15 0x7ed1f2 in run_inferior_call
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infcall.c:591
    #16 0x7eeb1b in call_function_by_hand_dummy
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infcall.c:1128
    #17 0x7ed482 in call_function_by_hand
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/infcall.c:661
    #18 0x74bdc8 in evaluate_subexp_standard
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/eval.c:1770
    #19 0xa27122 in evaluate_subexp_c
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/c-lang.c:716
    #20 0x7428e0 in evaluate_subexp
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/eval.c:79
    #21 0x742c52 in evaluate_expression
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/eval.c:163
    #22 0x78435a in print_command_1
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:1000
    #23 0x78447e in print_command
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/printcmd.c:1015
    #24 0x5b00ba in do_cfunc
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/cli/cli-decode.c:105
    #25 0x5b76ff in cmd_func
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/cli/cli-decode.c:1885
    #26 0xac6952 in execute_command
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/top.c:475
    #27 0x850038 in command_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:491
    #28 0x850c5c in command_line_handler
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/event-top.c:690
    #29 0xba2f89 in rl_callback_read_char
/home/tdevries/gdb/7.11.1/build/readline/../../src/readline/callback.c:220
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/tdevries/gdb/7.11.1/build/gdb/../../src/gdb/doublest.c:719
floatformat_to_doublest
Shadow bytes around the buggy address:
  0x0c01000000f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0100000100: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
  0x0c0100000110: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0100000120: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0100000130: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c0100000140: fa fa[00]04 fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c0100000150: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0100000160: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0100000170: fa fa fd fa fa fa 00 fa fa fa 00 01 fa fa fd fd
  0x0c0100000180: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00 02
  0x0c0100000190: fa fa 00 04 fa fa fd fd fa fa 07 fa fa fa 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==971683== ABORTING
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the Gdb-prs mailing list