[gdb] Fix dynamic-stack-buffer-overflow in linespec_lexer_lex_string
When compiling gdb with '-lasan -fsanitizer=address' and running tests with
'export ASAN_OPTIONS="detect_leaks=0:alloc_dealloc_mismatch=0"', I run into:
...
ERROR: GDB process no longer exists
UNRESOLVED: gdb.linespec/cpls-abi-tag.exp: \
test_abi_tag: completion: at tag: tab complete "b test_abi_tag_function[abi:"
...
In more detail:
...
==3637==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address \
0x7fff5952bbdd at pc 0x000000fe5c57 bp 0x7fff5952af30 sp 0x7fff5952af28
READ of size 1 at 0x7fff5952bbdd thread T0
#0 0xfe5c56 in linespec_lexer_lex_string src/gdb/linespec.c:727
#1 0xfe7473 in linespec_lexer_lex_one src/gdb/linespec.c:946
#2 0xfe799d in linespec_lexer_consume_token src/gdb/linespec.c:982
#3 0xff446d in parse_linespec src/gdb/linespec.c:2564
#4 0xff78be in linespec_complete(completion_tracker&, char const*, \
symbol_name_match_type) src/gdb/linespec.c:2961
#5 0xb9299c in complete_address_and_linespec_locations \
src/gdb/completer.c:573
#6 0xb93e90 in location_completer(cmd_list_element*, completion_tracker&, \
char const*, char const*) src/gdb/completer.c:919
#7 0xb940c5 in location_completer_handle_brkchars src/gdb/completer.c:956
#8 0xb957ec in complete_line_internal_normal_command \
src/gdb/completer.c:1208
#9 0xb96507 in complete_line_internal_1 src/gdb/completer.c:1430
#10 0xb965c2 in complete_line_internal src/gdb/completer.c:1449
#11 0xb98630 in gdb_completion_word_break_characters_throw \
src/gdb/completer.c:1862
#12 0xb98838 in gdb_completion_word_break_characters() \
src/gdb/completer.c:1897
#13 0x16c6362 in _rl_find_completion_word src/readline/complete.c:943
#14 0x16ca8d0 in rl_complete_internal src/readline/complete.c:1843
#15 0x16c460c in rl_complete src/readline/complete.c:408
#16 0x16b3368 in _rl_dispatch_subseq src/readline/readline.c:774
#17 0x16b3092 in _rl_dispatch src/readline/readline.c:724
#18 0x16b2939 in readline_internal_char src/readline/readline.c:552
#19 0x16f1fb0 in rl_callback_read_char src/readline/callback.c:201
#20 0xddc5a1 in gdb_rl_callback_read_char_wrapper_noexcept \
src/gdb/event-top.c:175
#21 0xddc773 in gdb_rl_callback_read_char_wrapper src/gdb/event-top.c:192
#22 0xddd9f5 in stdin_event_handler(int, void*) src/gdb/event-top.c:514
#23 0xdd7d8f in handle_file_event src/gdb/event-loop.c:731
#24 0xdd8607 in gdb_wait_for_event src/gdb/event-loop.c:857
#25 0xdd629c in gdb_do_one_event() src/gdb/event-loop.c:321
#26 0xdd6344 in start_event_loop() src/gdb/event-loop.c:370
#27 0x10a7715 in captured_command_loop src/gdb/main.c:331
#28 0x10aa548 in captured_main src/gdb/main.c:1173
#29 0x10aa5d8 in gdb_main(captured_main_args*) src/gdb/main.c:1188
#30 0x87bd35 in main src/gdb/gdb.c:32
#31 0x7fb0364c6f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
#32 0x87bb49 in _start (build/gdb/gdb+0x87bb49)
Address 0x7fff5952bbdd is located in stack of thread T0 at offset 557 in frame
#0 0xb93702 in location_completer(cmd_list_element*, completion_tracker&, \
char const*, char const*) src/gdb/completer.c:831
This frame has 4 object(s):
[32, 40) 'copy'
[96, 104) 'location'
[160, 168) 'text'
[224, 256) 'completion_info' <== Memory access at offset 557 overflows \
this variable
HINT: this may be a false positive if your program uses some custom stack \
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow \
src/gdb/linespec.c:727 in linespec_lexer_lex_string
Shadow bytes around the buggy address:
0x10006b29d720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006b29d730: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2
0x10006b29d740: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
0x10006b29d750: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
0x10006b29d760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006b29d770: 00 00 00 00 ca ca ca ca 00 00 00[05]cb cb cb cb
0x10006b29d780: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10006b29d790: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3
0x10006b29d7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006b29d7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006b29d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3637==ABORTING
...
The problem happens in linespec_lexer_lex_string when lexing
"b test_abi_tag_function[abi:\0" (using a notation where we make the implicit
terminating \0 explicit).
We arrrive here with (PARSER_STREAM (parser)) == ":\0":
...
/* Do not tokenize ABI tags such as "[abi:cxx11]". */
else if (PARSER_STREAM (parser) - start > 4
&& startswith (PARSER_STREAM (parser) - 4, "[abi"))
++(PARSER_STREAM (parser));
...
and consume ':', after which we end up here and consume '\0':
...
/* Advance the stream. */
++(PARSER_STREAM (parser));
...
after which (PARSER_STREAM (parser)) points past the end of the string.
Fix this by removing the first "++(PARSER_STREAM (parser))", and add an assert
to the second one to detect moving past the end-of-string.
Build and tested on x86_64-linux.
gdb/ChangeLog:
2019-06-10 Tom de Vries <tdevries@suse.de>
PR gdb/24611
* linespec.c (linespec_lexer_lex_string): Remove incorrect
"++(PARSER_STREAM (parser))" for "[abi"-prefixed colon. Add assert.
projects / binutils-gdb.git / commit