When:
- building trunk gdb with '-fsanitize=address -lasan',
- running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
I run into a heap-buffer-overflow failure for
gdb.base/utf8-identifiers.exp.
In more detail, the libasan error report looks like this:
...
=================================================================
==22340==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x619000054a80 at pc 0x7fcd0306b4c9 bp 0x7fffb1a8d880 sp 0x7fffb1a8d030
READ of size 32766 at 0x619000054a80 thread T0
#0 0x7fcd0306b4c8 (/usr/lib64/libasan.so.4+0xae4c8)
#1 0x15f12a1 in update_line
/data/gdb_versions/devel/src/readline/display.c:1377
#2 0x15f03cb in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:1204
#3 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
#4 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
#5 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
#6 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
#7 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
#8 0xd7d6c1 in command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&)
/data/gdb_versions/devel/src/gdb/event-top.c:776
#9 0xd7b92a in gdb_rl_callback_handler
/data/gdb_versions/devel/src/gdb/event-top.c:217
#10 0x15ff479 in rl_callback_read_char
/data/gdb_versions/devel/src/readline/callback.c:220
#11 0xd7b4d5 in gdb_rl_callback_read_char_wrapper_noexcept
/data/gdb_versions/devel/src/gdb/event-top.c:175
#12 0xd7b6b5 in gdb_rl_callback_read_char_wrapper
/data/gdb_versions/devel/src/gdb/event-top.c:192
#13 0xd7c8aa in stdin_event_handler(int, void*)
/data/gdb_versions/devel/src/gdb/event-top.c:514
#14 0xd76ca7 in handle_file_event
/data/gdb_versions/devel/src/gdb/event-loop.c:731
#15 0xd7751f in gdb_wait_for_event
/data/gdb_versions/devel/src/gdb/event-loop.c:857
#16 0xd7547e in gdb_do_one_event()
/data/gdb_versions/devel/src/gdb/event-loop.c:321
#17 0xd75526 in start_event_loop()
/data/gdb_versions/devel/src/gdb/event-loop.c:370
#18 0x101b04c in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:331
#19 0x101de73 in captured_main
/data/gdb_versions/devel/src/gdb/main.c:1173
#20 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
#21 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
#22 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
#23 0x872bc9 in _start (/data/gdb_versions/devel/build/gdb/gdb+0x872bc9)
0x619000054a80 is located 0 bytes to the right of 1024-byte region
[0x619000054680,0x619000054a80)
allocated by thread T0 here:
#0 0x7fcd03099510 in malloc (/usr/lib64/libasan.so.4+0xdc510)
#1 0xae0078 in xmalloc
/data/gdb_versions/devel/src/gdb/common/common-utils.c:44
#2 0x15eaccb in init_line_structures
/data/gdb_versions/devel/src/readline/display.c:458
#3 0x15eb4d8 in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:526
#4 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
#5 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
#6 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
#7 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
#8 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
#9 0xaa041b in cli_interp_base::pre_command_loop()
/data/gdb_versions/devel/src/gdb/cli/cli-interp.c:286
#10 0xf5342a in interp_pre_command_loop(interp*)
/data/gdb_versions/devel/src/gdb/interps.c:320
#11 0x101b047 in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:328
#12 0x101de73 in captured_main
/data/gdb_versions/devel/src/gdb/main.c:1173
#13 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
#14 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
#15 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.4+0xae4c8)
Shadow bytes around the buggy address:
0x0c3280002900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280002950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280002960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280002970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280002990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32800029a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22340==ABORTING
...
I've written an assert in rl_redisplay that formulates the error condition:
...
@@ -1387,6 +1389,10 @@ rl_redisplay (void)
cpos_adjusted = 0;
+ assert (last_lmargin + (_rl_screenwidth + visible_wrap_offset)
+ <= line_size);
+ assert (lmargin + (_rl_screenwidth + (lmargin ? 0 : wrap_offset))
+ <= line_size);
update_line (&visible_line[last_lmargin],
&invisible_line[lmargin],
0,
_rl_screenwidth + visible_wrap_offset,
_rl_screenwidth + (lmargin ? 0 : wrap_offset),
0);
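Review bot: the bound in both asserts is exact for a read of N bytes starting at offset OFF (the last byte touched is OFF + N - 1, so `OFF + N <= line_size` is the right condition), but the hunk header `@@ -1387,6 +1389,10 @@` shows two lines added earlier in display.c that this hunk does not include, presumably the `#include <assert.h>` the asserts depend on; show that context too, and since `assert` compiles to nothing under NDEBUG, the message should keep making clear that this hunk is the diagnostic that reproduces the condition, not the fix itself.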
...
which triggers without needing the address sanitizer (or even an executable),
like this:
...
$ TERM=dumb gdb -q -ex "set width 0"
gdb: src/display.c:1393: rl_redisplay: Assertion
`last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
failed.
Aborted (core dumped)
...
The basic problem is this: visible_line and invisible_line have length
line_size, but the update_line call assumes that line_size is at least
_rl_screenwidth + 1. Executing "set width 0" sets _rl_screenwidth to 32766 but
doesn't affect line_size, which is initialized to 1024.
Fix this by ensuring in init_line_structures and rl_redisplay that line_size
is at least _rl_screenwidth + 1.
Tested on x86_64-linux.
Reviewed by readline maintainer (
https://sourceware.org/ml/gdb-patches/2019-05/msg00566.html ).
readline/ChangeLog.gdb:
2019-07-12 Tom de Vries <tdevries@suse.de>
Chet Ramey <chet.ramey@case.edu>
PR cli/24514
* readline/display.c (init_line_structures, rl_redisplay): Ensure
line_size is at least _rl_screenwidth + 1.
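A stand-alone model of the overrun and of the fix described above, added here as an illustration (not readline's or GDB's code): the state names follow the commit message, while the helper functions, the 80-column starting width and the zero margins are assumptions.

```c
#include <stdlib.h>

/* Constructed model of the readline state named in the commit message.
   The helpers are hypothetical simplifications written for this
   illustration, not readline's own init_line_structures/rl_redisplay. */
static char *visible_line = NULL;
static char *invisible_line = NULL;
static int line_size = 0;       /* capacity of both line buffers */
static int _rl_screenwidth = 80;

/* Model of init_line_structures: first call allocates 1024 bytes, later
   calls grow the buffers only when MINSIZE demands it; nothing here ties
   the size to _rl_screenwidth, which is the bug. */
static void init_line_structures(int minsize)
{
    if (invisible_line == NULL) {
        line_size = minsize > 1024 ? minsize : 1024;
        visible_line = calloc((size_t)line_size, 1);
        invisible_line = calloc((size_t)line_size, 1);
    } else if (line_size < minsize) {
        line_size = minsize;
        visible_line = realloc(visible_line, (size_t)line_size);
        invisible_line = realloc(invisible_line, (size_t)line_size);
    }
}

/* Bytes update_line would read past the end of visible_line: its window
   of _rl_screenwidth + visible_wrap_offset bytes starts at last_lmargin,
   so the read is in bounds only when the patch's first assert holds,
   last_lmargin + _rl_screenwidth + visible_wrap_offset <= line_size. */
static int update_line_overrun(int last_lmargin, int visible_wrap_offset)
{
    int end = last_lmargin + _rl_screenwidth + visible_wrap_offset;
    return end > line_size ? end - line_size : 0;
}

/* Replays the report: buffers created at 80 columns, then "set width 0"
   raises _rl_screenwidth to 32766. The fix is the extra
   init_line_structures call keeping line_size >= _rl_screenwidth + 1
   before redisplay; the out parameters give the overrun before/after it. */
static void model_set_width_zero(int *overrun_before, int *overrun_after)
{
    _rl_screenwidth = 80;
    init_line_structures(0);                   /* line_size == 1024 */
    _rl_screenwidth = 32766;                   /* "set width 0" */
    *overrun_before = update_line_overrun(0, 0);
    init_line_structures(_rl_screenwidth + 1); /* the fix: 32767 */
    *overrun_after = update_line_overrun(0, 0);
}
```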
These changes were already accepted upstream in Readline,
but GDB did not yet import a newer Readline version.
readline/ChangeLog.gdb:
* util.c: Include rlshell.h.
(_rl_tropen) [_WIN32 && !__CYGWIN__]: Open the trace file in the
user's temporary directory.
* tcap.h [HAVE_NCURSES_TERMCAP_H]: Include ncurses/termcap.h.
* input.c (w32_isatty) [_WIN32 && !__CYGWIN__]: New function, to
replace isatty that is not reliable enough on MS-Windows.
(isatty) [_WIN32 && !__CYGWIN__]: Redirect to w32_isatty.
(rl_getc): Call _getch, not getch, which could be an ncurses
function when linked with ncurses, in which case getch will return
EOF for any keystroke, because there's no curses window.
* tilde.c (tilde_expand_word) [_WIN32]:
* histfile.c (history_filename) [_WIN32]: Windows-specific
environment variable to replace HOME if that is undefined.
* funmap.c (default_funmap): Compile rl_paste_from_clipboard on
all Windows platforms, not just Cygwin.
* readline.h (rl_paste_from_clipboard): Include declaration for
all Windows platforms.
* display.c (insert_some_chars, delete_chars): Don't use the
MinGW-specific code if linked with ncurses.
* configure.in:
* config.h.in: Support ncurses/termcap.h. The configure script
was updated accordingly.
* complete.c [_WIN32 && !__CYGWIN__]: Initialize
_rl_completion_case_fold to 1.
(printable_part, rl_filename_completion_function)
[_WIN32 && !__CYGWIN__]: Handle the drive letter.
This reverts commit b558ff043d41ba8d17a82f5f9ae5f9dade66160e.
This reverts commit 4a11f2065906976675808364ddbd1c0f77eea41f.
The initial import commit failed to retain local changes made to
readline's configure.in (and the commit message erroneously stated that
there were no local changes that needed to be reapplied). Also the
import caused a couple of build errors and a scattering of testsuite
regressions throughout many arches. It's probably better to start over
with this import, hopefully more carefully next time.
This patch syncs our upstream copy of readline from version 6.2 to the
latest version, 7.0 alpha (released July 10 2015).
I essentially copied what was done the last time readline was synced,
when Jan updated to readline 6.2 in 2011:
http://sourceware.org/ml/gdb-patches/2011-05/msg00003.html
Procedure:
1. I extracted the readline-7.0-alpha tarball on top of readline/.
2. I deleted all the new files under doc/ that were deliberately omitted
before.
3. I regenerated readline/configure and readline/examples/rlfe/configure
using autoconf 2.64. No other configure files need regenerating.
4. I updated the function gdb_printable_part in completer.c with a
trivial change made to the readline function it is based off of,
printable_part in readline/complete.c. There is more work to be done in
completer.c to sync it with readline/complete.c, but it is non-trivial
and should probably be done separately anyway.
Local patches that had to be reapplied:
None. readline 7.0 alpha contains all of our local readline
patches.
New files in readline/:
colors.{c,h}
examples/{hist_erasedups,hist_purgecmd,rl-callbacktest,rlbasic}.c
parse-colors.{c,h}
readline.pc.in
configure.ac
Deleted files in readline/:
configure.in
Regressions:
After the sync there is one testsuite regression, the test
"signal SIGINT" in gdb.gdb/selftest.exp which now FAILs. Previously,
the readline 6.2 SIGINT handler would temporarily reinstall the
underlying application's SIGINT handler and immediately re-raise SIGINT
so that the original handler gets invoked. But now (since readline 6.3)
its SIGINT handler does not re-raise SIGINT or directly invoke the
original handler; it now sets a flag marking that SIGINT was raised, and
waits until readline explicitly has control to call the application's
SIGINT handler. Anyway, because SIGINT is no longer re-raised from
within readline's SIGINT handler, doing "signal SIGINT" with a stopped
inferior gdb process will no longer resume and then immediately stop the
process (since there is no 2nd SIGINT to immediately catch). Instead,
the inferior gdb process will now just print "Quit" and continue to run.
So with this commit, this particular test case is adjusted to reflect
this change in behavior (we now have to send a 2nd SIGINT manually to
stop it).
Aside from this one testsuite regression, I personally noticed no
regression in user-visible behavior. Though I only tested on x86_64
and on i686 Debian Stretch.
Getting this kind of change in at the start of the GDB 7.11 development
cycle will allow us to get a lot of passive testing from developers and
from bleeding-edge users.
readline/ChangeLog.gdb:
Import readline 7.0 alpha
* configure: Regenerate.
* examples/rlfe/configure: Regenerate.
gdb/ChangeLog:
* completer.c (gdb_printable_part): Sync with readline function
it is based off of.
gdb/testsuite/ChangeLog:
* gdb.gdb/selftest.exp (test_with_self): Update test to now
expect the GDB inferior to no longer immediately stop after
being resumed with "signal SIGINT".
* rltty.c (block_sigint, release_sigint): Rename to...
(_rl_block_sigint, _rl_release_sigint): ...these and make them global.
* rltty.h (_rl_block_sigint, _rl_release_sigint): New prototypes.
* display.c (rl_redisplay): Wrap the function by the calls to
_RL_BLOCK_SIGINT and _RL_RELEASE_SIGINT.
* readline/complete.c (pwd.h): Guard with HAVE_PWD_H.
(getpwent): Guard with HAVE_GETPWENT.
(rl_username_completion_function): Guard use of getpwent.
(endpwent): Likewise.
* readline/config.h.in (HAVE_FCNTL): New macro.
(HAVE_GETPWENT): Likewise.
(HAVE_GETPWNAM): Likewise.
(HAVE_GETPWUID): Likewise.
(HAVE_KILL): Likewise.
(HAVE_PWD_H): Likewise.
* readline/configure: Regenerated.
* readline/configure.in: Handle MinGW when cross compiling. Check for
getpwnam, getpwent, getpwuid, kill, and pwd.h.
* readline/display.c (rl_clear_screen): Treat Windows like DOS.
(insert_some_chars): Likewise.
(delete_chars): Likewise.
* readline/shell.c (pwd.h): Guard with HAVE_PWD_H.
(getpwuid): Guard with HAVE_GETPWUID.
(sh_unset_nodelay_mode): Guard use of fnctl with HAVE_FNCTL_H.
* readline/signals.c (rl_signal_handler): Don't use SIGALRM or
SIGQUIT if not defined. Use "raise" if "kill" is not available.
(rl_set_signals): Don't set handlers for SIGQUIT or SIGALRM if
they are not defined.
(rl_clear_signals): Likewise.
* readline/tilde.c (pwd.h): Guard with HAVE_PWD_H.
(getpwuid): Guard declaration with HAVE_GETPWUID.
(getpwnam): Guard declaration with HAVE_GETPWNAM.
(tilde_expand_word): Guard use of getpwnam with HAVE_GETPWNAM.
that don't define SIGWINCH.
* terminal.c (_rl_get_screen_size) [__DJGPP__]: Compute the
screen width and height using console I/O.
(_rl_init_terminal_io) [__MSDOS__]: Zero out all the _rl_term_*
variables. Convert to _rl_* naming scheme.
(_rl_set_cursor) [__MSDOS__]: Ifdef away this function.
* display.c (_rl_move_vert) [__MSDOS__]: Don't use undeclared
variable `l'. Use `delta' instead of recomputing its value anew.
Assign -delta to i instead of the other way around.
is up-to-date.
(space_to_eol) [__GO32__]: Clear the screen and home the cursor.
(insert_some_chars) [__GO32__]: Don't write directly to the screen in DJGPP
versions 2.x (it doesn't work).
(delete_chars) [__GO32__]: Ditto.