From: Dmitry Antipov
Subject: Heap corruption and crash reading syscall XML data
Date: Tue, 17 Oct 2017 10:07:00 -0000
In-Reply-To: <20171010091214.GC7617@waldemar-brodkorb.de>
References: <20171010091214.GC7617@waldemar-brodkorb.de>

HEAD at 0301ce1486b1450f219202677f30d0fa97335419, configure
--prefix=/home/dantipov/.local/gdb-8.0.50 --with-python=no --with-guile=no \
--disable-nls --disable-binutils --disable-gprof --disable-gold --disable-gas --disable-ld

$ ~/.local/gdb-8.0.50/bin/gdb
GNU gdb (GDB) 8.0.50.20171017-git
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) catch syscall [TAB]

==>

*** Error in `/home/dantipov/.local/gdb-8.0.50/bin/gdb': double free or corruption (!prev): 0x00000000025bce50 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c8dc)[0x7ff7336848dc]
/lib64/libc.so.6(+0x87789)[0x7ff73368f789]
/lib64/libc.so.6(cfree+0x16e)[0x7ff7336950ee]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5aca4c]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x433c5c]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x439bf1]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7ace7b]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7aebc9]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7aed1f]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7af2de]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x55c235]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5afa69]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5afdcc]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5aff23]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5b03b3]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5b12a6]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x5b137e]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7c3bb7]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7c5504]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7c2c86]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7bcd26]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7bcb76]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7bc81b]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x7d55c4]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63cd82]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63cdde]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63d48b]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63b94c]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63bed7]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63adec]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x63ae24]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x6b5811]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x6b6b2c]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x6b6bf2]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x407a2e]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7ff73362850a]
/home/dantipov/.local/gdb-8.0.50/bin/gdb[0x40793a]
[...memory map skipped...]

Backtrace:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fc9cdeb54a0 in __GI_abort () at abort.c:89
#2  0x00007fc9cdef98e1 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fc9ce016140 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fc9cdf04789 in malloc_printerr (ar_ptr=, ptr=, str=0x7fc9ce016558 "double free or corruption (!prev)", action=) at malloc.c:5077
#4  _int_free (av=, p=, have_lock=0) at malloc.c:3873
#5  0x00007fc9cdf0a0ee in __GI___libc_free (mem=) at malloc.c:2947
#6  0x00000000005aca4c in xfree (ptr=0x1aeee50) at ../../gdb/common/common-utils.c:101
#7  0x0000000000433c5c in gdb::xfree_deleter::operator() (this=0x7fff98a23c68, ptr=0x1aeee50 "8\213$\316\311\177") at ../../gdb/common/gdb_unique_ptr.h:34
#8  0x0000000000439bf1 in std::unique_ptr >::reset (this=0x7fff98a23c68, __p=0x1aeee50 "8\213$\316\311\177") at /usr/include/c++/7/bits/unique_ptr.h:376
#9  0x00000000007ace7b in xml_fetch_content_from_file (filename=0x92129a "syscalls/i386-linux.xml", baton=0x19c5370) at ../../gdb/xml-support.c:1042
#10 0x00000000007aebc9 in xml_init_syscalls_info (filename=0x92129a "syscalls/i386-linux.xml") at ../../gdb/xml-syscall.c:366
#11 0x00000000007aed1f in init_syscalls_info (gdbarch=0x1ad3f30) at ../../gdb/xml-syscall.c:398
#12 0x00000000007af2de in get_syscall_names (gdbarch=0x1ad3f30) at ../../gdb/xml-syscall.c:618
#13 0x000000000055c235 in catch_syscall_completer (cmd=0x1a7eef0, tracker=..., text=0x7fff98a23e4e "", word=0x7fff98a23e4e "") at ../../gdb/break-catch-syscall.c:585
#14 0x00000000005afa69 in complete_line_internal_normal_command (tracker=..., command=0x7fff98a23e40 "catch syscall ", word=0x7fff98a23e4e "", cmd_args=0x7fff98a23e4e "", reason=handle_completions, c=0x1a7eef0) at ../../gdb/completer.c:1209
#15 0x00000000005afdcc in complete_line_internal_1 (tracker=..., text=0x1a71720 "", line_buffer=0x1adec50 "catch syscall ", point=14, reason=handle_completions) at ../../gdb/completer.c:1372
#16 0x00000000005aff23 in complete_line_internal (tracker=..., text=0x1a71720 "", line_buffer=0x1adec50 "catch syscall ", point=14, reason=handle_completions) at ../../gdb/completer.c:1443
#17 0x00000000005b03b3 in complete_line (tracker=..., text=0x1a71720 "", line_buffer=0x1adec50 "catch syscall ", point=14) at ../../gdb/completer.c:1558
#18 0x00000000005b12a6 in gdb_rl_attempted_completion_function_throw (text=0x1a71720 "", start=14, end=14) at ../../gdb/completer.c:2096
#19 0x00000000005b137e in gdb_rl_attempted_completion_function (text=0x1a71720 "", start=14, end=14) at ../../gdb/completer.c:2132
#20 0x00000000007c3bb7 in gen_completion_matches (text=0x1a71720 "", start=14, end=14, our_func=0x7c5df5 , found_quote=0, quote_char=0) at ../../readline/complete.c:1081
#21 0x00000000007c5504 in rl_complete_internal (what_to_do=9) at ../../readline/complete.c:1849
#22 0x00000000007c2c86 in rl_complete (ignore=1, invoking_key=9) at ../../readline/complete.c:408
#23 0x00000000007bcd26 in _rl_dispatch_subseq (key=9, map=0xc639c0 , got_subseq=0) at ../../readline/readline.c:774
#24 0x00000000007bcb76 in _rl_dispatch (key=-840223077, map=0xc639c0 ) at ../../readline/readline.c:724
#25 0x00000000007bc81b in readline_internal_char () at ../../readline/readline.c:552
#26 0x00000000007d55c4 in rl_callback_read_char () at ../../readline/callback.c:201
#27 0x000000000063cd82 in gdb_rl_callback_read_char_wrapper_noexcept () at ../../gdb/event-top.c:175
#28 0x000000000063cdde in gdb_rl_callback_read_char_wrapper (client_data=0x19c5bb0) at ../../gdb/event-top.c:192
#29 0x000000000063d48b in stdin_event_handler (error=0, client_data=0x19c5bb0) at ../../gdb/event-top.c:511
#30 0x000000000063b94c in handle_file_event (file_ptr=0x1adf690, ready_mask=1) at ../../gdb/event-loop.c:733
#31 0x000000000063bed7 in gdb_wait_for_event (block=1) at ../../gdb/event-loop.c:859
#32 0x000000000063adec in gdb_do_one_event () at ../../gdb/event-loop.c:347
#33 0x000000000063ae24 in start_event_loop () at ../../gdb/event-loop.c:371
#34 0x00000000006b5811 in captured_command_loop () at ../../gdb/main.c:324
#35 0x00000000006b6b2c in captured_main (data=0x7fff98a24400) at ../../gdb/main.c:1147
#36 0x00000000006b6bf2 in gdb_main (args=0x7fff98a24400) at ../../gdb/main.c:1163
#37 0x0000000000407a2e in main (argc=1, argv=0x7fff98a24508) at ../../gdb/gdb.c:32

It doesn't crash if the 'text' buffer in xml_fetch_content_from_file () is large enough to avoid xrealloc (), e.g.

diff --git a/gdb/xml-support.c b/gdb/xml-support.c
index 76d03b90c7..4004f86e30 100644
--- a/gdb/xml-support.c
+++ b/gdb/xml-support.c
@@ -1016,7 +1016,7 @@ xml_fetch_content_from_file (const char *filename, void *baton)
     return NULL;
 
   /* Read in the whole file, one chunk at a time.  */
-  len = 4096;
+  len = 131072;
   offset = 0;
   gdb::unique_xmalloc_ptr text ((char *) xmalloc (len));
   while (1)

Dmitry
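Review bot: Raising the initial len from 4096 to 131072 at xml-support.c:1016 hides the fault rather than fixing it, and a syscall XML file larger than 128 KiB would reach the same crash. The backtrace places the abort in std::unique_ptr::reset called from xml_fetch_content_from_file at xml-support.c:1042, i.e. the point where the buffer is grown, and the report itself notes that the crash disappears exactly when xrealloc () is avoided. That pattern is a double free: if `text` still owns the block when its pointer is handed to xrealloc (), xrealloc () may free that block while moving it, and reset () then frees the same stale pointer through xfree_deleter. The change belongs at line 1042: hand ownership out of `text` first (text.release () rather than text.get () as the xrealloc () argument) so the deleter only ever sees the block that xrealloc () returned, and keep the 4096-byte initial size so the growth path stays exercised. A testsuite case that completes "catch syscall" against an XML file larger than the initial chunk would catch regressions here.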
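The failure mode the report describes, reconstructed as an added example (this is not GDB's code and not the reporter's patch): a chunked read loop that grows a malloc'ed buffer owned by a std::unique_ptr with a free()-based deleter, standing in for gdb::unique_xmalloc_ptr. The names grow_buffer, read_whole_file, demo_read and grow_preserves_contents are assumptions introduced here; the sample file contents are constructed. The comment in grow_buffer shows the reset-around-realloc idiom that double frees, and the surrounding code shows the release-before-realloc form that does not.

```cpp
// Added example, not GDB code: growing a unique_ptr-owned malloc buffer
// safely.  The reported crash comes from reallocating a block that a
// unique_ptr still owns; realloc() may free the old block, and reset()
// then frees it a second time ("double free or corruption").
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

struct free_deleter
{
  void operator() (void *p) const { std::free (p); }
};
using malloc_ptr = std::unique_ptr<char, free_deleter>;

// Grow BUF to NEW_LEN bytes.  Ownership leaves BUF before realloc() runs,
// so the deleter never sees a pointer realloc() may already have freed.
//
// The unsafe form this replaces looks like:
//   buf.reset (static_cast<char *> (std::realloc (buf.get (), new_len)));
// which frees the old block inside realloc() (when it moves) and again
// inside reset().
static bool
grow_buffer (malloc_ptr &buf, size_t new_len)
{
  char *raw = buf.release ();
  char *grown = static_cast<char *> (std::realloc (raw, new_len));
  if (grown == nullptr)
    {
      buf.reset (raw);      // realloc failed: the old block is still valid
      return false;
    }
  buf.reset (grown);
  return true;
}

// Read FILE completely, starting from an INITIAL_LEN-byte buffer and
// doubling it whenever it fills (the same shape as the loop in the report).
// Returns the NUL-terminated contents and stores the byte count in OUT_LEN,
// or returns nullptr on a read or allocation error.
static malloc_ptr
read_whole_file (FILE *file, size_t initial_len, size_t *out_len)
{
  size_t len = initial_len < 2 ? 2 : initial_len;
  size_t offset = 0;
  malloc_ptr text (static_cast<char *> (std::malloc (len)));
  if (!text)
    return nullptr;
  while (true)
    {
      // Leave one byte free for the terminating NUL.
      size_t n = std::fread (text.get () + offset, 1, len - offset - 1, file);
      if (std::ferror (file))
        return nullptr;
      offset += n;
      if (std::feof (file))
        break;
      len *= 2;
      if (!grow_buffer (text, len))
        return nullptr;
    }
  text.get ()[offset] = '\0';
  *out_len = offset;
  return text;
}

// Constructed input: PAYLOAD_BYTES of a repeating alphabet written to a
// temporary file, then read back through a deliberately small INITIAL_LEN
// so the realloc path that crashed the reported GDB is exercised.
static std::string
demo_read (size_t payload_bytes, size_t initial_len)
{
  FILE *f = std::tmpfile ();
  if (f == nullptr)
    return "";
  std::string payload;
  for (size_t i = 0; i < payload_bytes; i++)
    payload.push_back (static_cast<char> ('a' + i % 26));
  std::fwrite (payload.data (), 1, payload.size (), f);
  std::rewind (f);
  size_t got = 0;
  malloc_ptr text = read_whole_file (f, initial_len, &got);
  std::fclose (f);
  if (!text || got != payload_bytes)
    return "";
  return std::string (text.get (), got);
}

// Grow a small buffer far past its original size and check that the
// contents survive the move; exercises grow_buffer on its own.
static bool
grow_preserves_contents ()
{
  malloc_ptr b (static_cast<char *> (std::malloc (8)));
  if (!b)
    return false;
  std::strcpy (b.get (), "hello");
  if (!grow_buffer (b, 1 << 20))
    return false;
  return std::strcmp (b.get (), "hello") == 0;
}

int
main ()
{
  std::string s = demo_read (100, 16);
  std::printf ("read %zu bytes, grow ok: %d\n", s.size (),
               grow_preserves_contents () ? 1 : 0);
  return s.size () == 100 ? 0 : 1;
}
```

With a 16-byte initial buffer and a 100-byte file the loop reallocates three times, which is precisely the path the report's 131072-byte workaround avoids; running the unsafe one-liner from the comment in place of grow_buffer under a glibc with malloc checking reproduces the "double free or corruption" abort in the report.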