Tom de Vries f19e22e922 [gdb] Fix dynamic-stack-buffer-overflow in linespec_lexer_lex_string
When compiling gdb with '-lasan -fsanitizer=address' and running tests with
'export ASAN_OPTIONS="detect_leaks=0:alloc_dealloc_mismatch=0"', I run into:
...
ERROR: GDB process no longer exists
UNRESOLVED: gdb.linespec/cpls-abi-tag.exp: \
  test_abi_tag: completion: at tag: tab complete "b test_abi_tag_function[abi:"
...

In more detail:
...
==3637==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address \
  0x7fff5952bbdd at pc 0x000000fe5c57 bp 0x7fff5952af30 sp 0x7fff5952af28
READ of size 1 at 0x7fff5952bbdd thread T0
    #0 0xfe5c56 in linespec_lexer_lex_string src/gdb/linespec.c:727
    #1 0xfe7473 in linespec_lexer_lex_one src/gdb/linespec.c:946
    #2 0xfe799d in linespec_lexer_consume_token src/gdb/linespec.c:982
    #3 0xff446d in parse_linespec src/gdb/linespec.c:2564
    #4 0xff78be in linespec_complete(completion_tracker&, char const*, \
                   symbol_name_match_type) src/gdb/linespec.c:2961
    #5 0xb9299c in complete_address_and_linespec_locations \
                   src/gdb/completer.c:573
    #6 0xb93e90 in location_completer(cmd_list_element*, completion_tracker&, \
                   char const*, char const*) src/gdb/completer.c:919
    #7 0xb940c5 in location_completer_handle_brkchars src/gdb/completer.c:956
    #8 0xb957ec in complete_line_internal_normal_command \
                   src/gdb/completer.c:1208
    #9 0xb96507 in complete_line_internal_1 src/gdb/completer.c:1430
    #10 0xb965c2 in complete_line_internal src/gdb/completer.c:1449
    #11 0xb98630 in gdb_completion_word_break_characters_throw \
                    src/gdb/completer.c:1862
    #12 0xb98838 in gdb_completion_word_break_characters() \
                    src/gdb/completer.c:1897
    #13 0x16c6362 in _rl_find_completion_word src/readline/complete.c:943
    #14 0x16ca8d0 in rl_complete_internal src/readline/complete.c:1843
    #15 0x16c460c in rl_complete src/readline/complete.c:408
    #16 0x16b3368 in _rl_dispatch_subseq src/readline/readline.c:774
    #17 0x16b3092 in _rl_dispatch src/readline/readline.c:724
    #18 0x16b2939 in readline_internal_char src/readline/readline.c:552
    #19 0x16f1fb0 in rl_callback_read_char src/readline/callback.c:201
    #20 0xddc5a1 in gdb_rl_callback_read_char_wrapper_noexcept \
                    src/gdb/event-top.c:175
    #21 0xddc773 in gdb_rl_callback_read_char_wrapper src/gdb/event-top.c:192
    #22 0xddd9f5 in stdin_event_handler(int, void*) src/gdb/event-top.c:514
    #23 0xdd7d8f in handle_file_event src/gdb/event-loop.c:731
    #24 0xdd8607 in gdb_wait_for_event src/gdb/event-loop.c:857
    #25 0xdd629c in gdb_do_one_event() src/gdb/event-loop.c:321
    #26 0xdd6344 in start_event_loop() src/gdb/event-loop.c:370
    #27 0x10a7715 in captured_command_loop src/gdb/main.c:331
    #28 0x10aa548 in captured_main src/gdb/main.c:1173
    #29 0x10aa5d8 in gdb_main(captured_main_args*) src/gdb/main.c:1188
    #30 0x87bd35 in main src/gdb/gdb.c:32
    #31 0x7fb0364c6f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
    #32 0x87bb49 in _start (build/gdb/gdb+0x87bb49)

Address 0x7fff5952bbdd is located in stack of thread T0 at offset 557 in frame
    #0 0xb93702 in location_completer(cmd_list_element*, completion_tracker&, \
                   char const*, char const*) src/gdb/completer.c:831

  This frame has 4 object(s):
    [32, 40) 'copy'
    [96, 104) 'location'
    [160, 168) 'text'
    [224, 256) 'completion_info' <== Memory access at offset 557 overflows \
                                    this variable
HINT: this may be a false positive if your program uses some custom stack \
      unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow \
         src/gdb/linespec.c:727 in linespec_lexer_lex_string
Shadow bytes around the buggy address:
  0x10006b29d720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b29d730: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2
  0x10006b29d740: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
  0x10006b29d750: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
  0x10006b29d760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b29d770: 00 00 00 00 ca ca ca ca 00 00 00[05]cb cb cb cb
  0x10006b29d780: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10006b29d790: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3
  0x10006b29d7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b29d7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006b29d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3637==ABORTING
...

The problem happens in linespec_lexer_lex_string when lexing
"b test_abi_tag_function[abi:\0" (using a notation where we make the implicit
terminating \0 explicit).

We arrive here with (PARSER_STREAM (parser)) == ":\0":
...
             /* Do not tokenize ABI tags such as "[abi:cxx11]".  */
             else if (PARSER_STREAM (parser) - start > 4
                      && startswith (PARSER_STREAM (parser) - 4, "[abi"))
               ++(PARSER_STREAM (parser));
...
and consume ':', after which we end up here and consume '\0':
...
         /* Advance the stream.  */
         ++(PARSER_STREAM (parser));
...
after which (PARSER_STREAM (parser)) points past the end of the string.

Fix this by removing the first "++(PARSER_STREAM (parser))", and adding an assert
to the second one to detect moving past the end-of-string.

Built and tested on x86_64-linux.

gdb/ChangeLog:

2019-06-10  Tom de Vries  <tdevries@suse.de>

	PR gdb/24611
	* linespec.c (linespec_lexer_lex_string): Remove incorrect
	"++(PARSER_STREAM (parser))" for "[abi"-prefixed colon.  Add assert.
2019-06-10 20:17:14 +02:00
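The off-by-one the commit describes is easy to reproduce in isolation. The following is an added, stand-alone C example (not gdb's code and not part of the commit above): a small token scanner, `lex_token`, modelled on the two increments quoted from `linespec_lexer_lex_string`. The `starts_with` helper and the `buggy` flag are assumptions made for the demonstration. With `buggy` set, the "[abi" branch consumes the ':' itself and the generic advance then steps onto the terminating NUL, which the scanner reports as `-1` at the spot where gdb's assert now sits; with `buggy` clear, only the generic advance moves the stream, so a truncated tag such as `"test_abi_tag_function[abi:"` (the completion input from the failing test) ends the scan cleanly at the NUL.

```c
/* Added example: a minimal lexer showing why double-advancing past a
   "[abi:" colon reads beyond the string terminator, and the fixed form.
   Not gdb's code; starts_with() and the buggy flag are assumptions. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed helper, equivalent in spirit to gdb's startswith().  */
static bool starts_with(const char *s, const char *prefix)
{
  return strncmp (s, prefix, strlen (prefix)) == 0;
}

/* Scan one identifier-like token starting at START.  A ':' normally ends
   the token (as in "file.c:123"), unless it directly follows "[abi", in
   which case it belongs to an ABI tag such as "[abi:cxx11]" and scanning
   continues.  Returns the number of bytes consumed, or -1 if the scan
   would have to read past the terminating NUL.  */
static long lex_token(const char *start, bool buggy)
{
  const char *p = start;

  while (*p != '\0')
    {
      if (*p == ':')
        {
          /* Do not tokenize ABI tags such as "[abi:cxx11]".  */
          if (p - start > 4 && starts_with (p - 4, "[abi"))
            {
              /* The removed increment: consuming ':' here means the
                 generic advance below consumes the *next* byte, which
                 is the NUL when ':' is the last character.  */
              if (buggy)
                ++p;
            }
          else
            break;	/* plain ':' separator: token ends here */
        }

      /* This is where the commit's assert lives: advancing over a NUL
         would leave the stream pointing past the end of the string.  We
         report it instead of aborting so the caller can observe it.  */
      if (*p == '\0')
        return -1;

      /* Advance the stream.  */
      ++p;
    }

  return (long) (p - start);
}

int main(void)
{
  /* Constructed inputs: the truncated tag from the failing completion
     test, a complete tag, and an ordinary file:line linespec.  */
  const char *inputs[] = { "test_abi_tag_function[abi:",
                           "func[abi:cxx11]",
                           "file.c:123" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    printf ("%-28s buggy=%ld fixed=%ld\n", inputs[i],
            lex_token (inputs[i], true), lex_token (inputs[i], false));
  return 0;
}
```

Note that on a complete tag both variants return the same length: the buggy version merely skips one byte without inspecting it, so the defect is silent until the ':' is the final character, which is exactly the state an interactive completion request leaves the buffer in. That is why the test surfaced only under AddressSanitizer.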

		   README for GNU development tools

This directory contains various GNU compilers, assemblers, linkers, 
debuggers, etc., plus their support routines, definitions, and documentation.

If you are receiving this as part of a GDB release, see the file gdb/README.
If with a binutils release, see binutils/README;  if with a libg++ release,
see libg++/README, etc.  That'll give you info about this
package -- supported targets, how to use it, how to report bugs, etc.

It is now possible to automatically configure and build a variety of
tools with one command.  To build all of the tools contained herein,
run the ``configure'' script here, e.g.:

	./configure 
	make

To install them (by default in /usr/local/bin, /usr/local/lib, etc),
then do:
	make install

(If the configure script can't determine your type of computer, give it
the name as an argument, for instance ``./configure sun4''.  You can
use the script ``config.sub'' to test whether a name is recognized; if
it is, config.sub translates it to a triplet specifying CPU, vendor,
and OS.)

If you have more than one compiler on your system, it is often best to
explicitly set CC in the environment before running configure, and to
also set CC when running make.  For example (assuming sh/bash/ksh):

	CC=gcc ./configure
	make

A similar example using csh:

	setenv CC gcc
	./configure
	make

Much of the code and documentation enclosed is copyright by
the Free Software Foundation, Inc.  See the file COPYING or
COPYING.LIB in the various directories, for a description of the
GNU General Public License terms under which you can copy the files.

REPORTING BUGS: Again, see gdb/README, binutils/README, etc., for info
on where and how to report problems.