gdb crashed with SIGSEGV in response to strace command with no arguments

Bug #691814 reported by Eliah Kagan
This bug affects 2 people
Affects        Status        Importance  Assigned to  Milestone
gdb            Fix Released  Medium
gdb (Ubuntu)   Fix Released  Medium      Unassigned

Bug Description

Binary package hint: gdb

gdb (package version 7.2-1ubuntu3 on Maverick amd64) segfaults when given the strace command with no arguments:

ek@Apok:~$ gdb
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) strace
Segmentation fault (core dumped)

strace with arguments does not cause a crash, and appears to work correctly. This bug also occurs when gdb is debugging a running program and the strace command is issued without arguments (i.e., it does not only happen in the trivial case shown above).

I am able to reproduce this bug on Maverick i386 (same gdb package version as above) and Natty i386 (gdb package version 7.2-1ubuntu6) as well.

ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: gdb 7.2-1ubuntu3
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic x86_64
Architecture: amd64
Date: Sat Dec 18 01:52:11 2010
ExecutablePath: /usr/bin/gdb
InstallationMedia: Xubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406)
ProcCmdline: gdb
ProcEnviron:
 SHELL=/bin/bash
 LC_MESSAGES=en_US.utf8
 LANG=en_US.utf8
 LANGUAGE=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x4be88a: repz cmpsb %es:(%rdi),%ds:(%rsi)
 PC (0x004be88a) ok
 source "%es:(%rdi)" (0x0069de12) ok
 destination "%ds:(%rsi)" (0x00000000) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: gdb
StacktraceTop:
 ?? ()
 ?? ()
 ?? ()
 ?? ()
 ?? ()
Title: gdb crashed with SIGSEGV
UserGroups: adm admin cdrom lpadmin plugdev sambashare

In , Dennis Francis (dennisfrancis) wrote :

Created attachment 5120
Screen dump of debug procedure; Backtrace of gdb using gdb

Steps to reproduce
------------------
1. Start gdb
2. Load and start any arbitrary binary.
3. Issue the command 'strace' without any args
---> gdb segfaults !

As per GDB's internal doc
"""
(gdb) help strace
Set a static tracepoint at specified line, function or marker.

strace [LOCATION] [if CONDITION]
.....
.....
With no LOCATION, uses current execution address of
the selected stack frame
"""

Debug gdb using gdb
--------------------
1. Created a simple binary "trivial"
2. Started gdb
3. load and run gdb
   3.1. Load and start "trivial"
   3.2. issue 'strace' command
       ....<segfaults>
4. run bt

[See the attachment for the complete screen dump]

Backtrace generated in the parent gdb after the segfault
---------------------------------------------------------

#0 0xb7cca90d in strncmp () from /lib/libc.so.6
#1 0x08109ebd in create_breakpoint (gdbarch=0x8542578, arg=0x0, cond_string=0x0, thread=0, parse_condition_and_thread=1, tempflag=0,
    type_wanted=bp_static_tracepoint, ignore_count=0, pending_break_support=AUTO_BOOLEAN_AUTO, ops=0x0, from_tty=1, enabled=1) at breakpoint.c:7475
#2 0x0810f7cf in strace_command (arg=0x0, from_tty=1) at breakpoint.c:10908
#3 0x080c4beb in do_cfunc (c=0x8452368, args=0x0, from_tty=1) at ./cli/cli-decode.c:67
#4 0x080c72cb in cmd_func (cmd=0x8452368, args=0x0, from_tty=1) at ./cli/cli-decode.c:1771
#5 0x080578dd in execute_command (p=0x84309d6 "", from_tty=1) at top.c:422
#6 0x0816f27a in command_handler (command=0x84309d0 "strace") at event-top.c:498
#7 0x0816f7de in command_line_handler (rl=0x8511b48 "\300\241X\b(\033Q\b") at event-top.c:702
#8 0x0825992b in rl_callback_read_char () at callback.c:205
#9 0x0816e9e7 in rl_callback_read_char_wrapper (client_data=0x0) at event-top.c:178
#10 0x0816f172 in stdin_event_handler (error=0, client_data=0x0) at event-top.c:433
#11 0x0816deaa in handle_file_event (data=...) at event-loop.c:817
#12 0x0816d6ed in process_event () at event-loop.c:399
#13 0x0816d7b2 in gdb_do_one_event (data=0x0) at event-loop.c:464
#14 0x0816864a in catch_errors (func=0x816d6fb <gdb_do_one_event>, func_args=0x0, errstring=0x832968b "", mask=6) at exceptions.c:518
#15 0x080d9f48 in tui_command_loop (data=0x0) at ./tui/tui-interp.c:171
#16 0x08168d16 in current_interp_command_loop () at interps.c:291
#17 0x0804ebee in captured_command_loop (data=0x0) at ./main.c:227
#18 0x0816864a in catch_errors (func=0x804ebe3 <captured_command_loop>, func_args=0x0, errstring=0x830ac06 "", mask=6) at exceptions.c:518
#19 0x0804fa7e in captured_main (data=0xbffff480) at ./main.c:910
#20 0x0816864a in catch_errors (func=0x804ec24 <captured_main>, func_args=0xbffff480, errstring=0x830ac06 "", mask=6) at exceptions.c:518
#21 0x0804fab4 in gdb_main (args=0xbffff480) at ./main.c:919
#22 0x0804e973 in main (argc=1, argv=0xbffff544) at gdb.c:34

Looks like strncpy() dereferences the null pointer arg

I haven't tried any previous versions for the same issue.

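The crash path in the backtrace above (create_breakpoint entered with arg=0x0, then strncmp faulting on the NULL pointer, which is the `repz cmpsb` with %rsi == 0 in the SegvAnalysis) is the general pattern of an optional command argument arriving as a NULL pointer. The following is an added example and not gdb's source: a hypothetical parser for the `strace [LOCATION] [if CONDITION]` syntax quoted from the help text, assuming the CLI hands the handler NULL for a bare command (as the `args=0x0` frames show) and treating `-m MARKER` as an assumed location form. The hardened parser answers the no-location case with a status instead of touching the pointer, which is the behaviour the fixed gdb shows later in this thread ("No default breakpoint address now."); the unchecked helper is kept only to show the failing pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a "strace [LOCATION] [if CONDITION]" argument parser.
 * Added example, not gdb source. Assumptions: the CLI hands the handler a
 * NULL pointer for a bare command (the backtrace shows arg=0x0), and the
 * "-m MARKER" form selects a static tracepoint marker by name. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_NO_LOCATION = 1   /* no LOCATION given: caller must fall back or report */
};

struct strace_args {
    char location[128];     /* "" when absent */
    char marker[128];       /* set when the "-m MARKER" form is used */
    char condition[128];    /* "" when there is no "if CONDITION" suffix */
};

/* Copy [begin, end) into dst, trimming surrounding blanks and NUL-terminating. */
static void copy_trimmed(char *dst, size_t dstlen, const char *begin, const char *end)
{
    while (begin < end && *begin == ' ')
        begin++;
    while (end > begin && end[-1] == ' ')
        end--;
    size_t n = (size_t)(end - begin);
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, begin, n);
    dst[n] = '\0';
}

/* The failing pattern from the report: the argument goes straight into
 * strncmp(), so a NULL arg faults inside libc (repz cmpsb with rsi == 0).
 * Kept only for illustration; never reached with NULL below. */
static int unchecked_is_marker_form(const char *arg)
{
    return strncmp(arg, "-m", 2) == 0;
}

/* Hardened parser: a NULL or empty argument is answered with a status code
 * before any string routine sees the pointer. */
enum parse_status parse_strace_args(const char *arg, struct strace_args *out)
{
    memset(out, 0, sizeof *out);
    if (arg == NULL)                       /* the check the crashing version lacked */
        return PARSE_NO_LOCATION;

    const char *end = arg + strlen(arg);
    const char *cond = strstr(arg, " if ");
    if (cond != NULL) {                    /* "LOCATION if COND" */
        copy_trimmed(out->condition, sizeof out->condition, cond + 4, end);
        end = cond;
    } else if (strncmp(arg, "if ", 3) == 0) {   /* "if COND" with no location */
        copy_trimmed(out->condition, sizeof out->condition, arg + 3, end);
        end = arg;
    }
    copy_trimmed(out->location, sizeof out->location, arg, end);
    if (out->location[0] == '\0')
        return PARSE_NO_LOCATION;

    if (unchecked_is_marker_form(out->location))   /* safe: location is non-NULL here */
        copy_trimmed(out->marker, sizeof out->marker,
                     out->location + 2, out->location + strlen(out->location));
    return PARSE_OK;
}

/* What a command handler does with the status instead of crashing.
 * Models the no-process case, where there is no frame to fall back on. */
const char *strace_command(const char *arg)
{
    static struct strace_args a;
    if (parse_strace_args(arg, &a) == PARSE_NO_LOCATION)
        return "No default breakpoint address now.";
    return "static tracepoint set";
}

int main(void)
{
    /* Constructed inputs, including the bare-command case that crashed gdb 7.2. */
    const char *inputs[] = { NULL, "", "main if argc > 1", "-m mymarker", "if x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("strace %s -> %s\n", inputs[i] ? inputs[i] : "(no args)",
               strace_command(inputs[i]));
    return 0;
}
```

The point of the split is that the NULL-versus-empty distinction is decided once, at the handler boundary, so every later string routine can assume a valid pointer; in the reported crash that decision was missing and the first strncmp in create_breakpoint became the fault site.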
In , Dennis Francis (dennisfrancis) wrote :

(In reply to comment #0)
>
> Looks like strncpy() dereferences the null pointer arg
>

Correction - strncmp() ( not strncpy() )

In , Marc-khouzam (marc-khouzam) wrote :
In , Marc-khouzam (marc-khouzam) wrote :
In , Pedro-codesourcery (pedro-codesourcery) wrote :

Thanks Marc. Closing.

Eliah Kagan (degeneracypressure) wrote :
visibility: private → public
tags: added: i386 natty
Eliah Kagan (degeneracypressure) wrote :

There's a bug report on the upstream tracker that is *possibly* the same bug as this:
http://sourceware.org/bugzilla/show_bug.cgi?id=12271

I've inquired about the details. I'm unsure whether that bug occurs only when strace is run with no arguments (in which case this is probably the same bug), or whenever strace is run.

Eliah Kagan (degeneracypressure) wrote :

The original reporter (calimeroteknik at free dot fr, who filed the upstream bug report) has verified that this is the same bug.

Changed in gdb (Ubuntu):
status: New → Confirmed
In , Pedro-codesourcery (pedro-codesourcery) wrote :

*** Bug 12271 has been marked as a duplicate of this bug. ***

Eliah Kagan (degeneracypressure) wrote :

That upstream bug report has been found to be a duplicate of another upstream bug report:
http://sourceware.org/bugzilla/show_bug.cgi?id=12217

That bug was fixed in the upstream source last month, so I guess we just need a new downstream update for gdb in Ubuntu.

Eliah Kagan (degeneracypressure) wrote :

The old external bug watch (for Sourceware.org Bugzilla #12271) turned out to be an upstream duplicate -- this is the original bug report.

Eliah Kagan (degeneracypressure) wrote :

Sorry about the confusion -- I mean that sourceware-bugs #12217 is the original bug report, not that this Launchpad report came first.

Apport retracing service (apport) wrote :

Stacktrace:
 #0 0x00000000004be88a in evaluate_subexp_standard ()
 No symbol table info available.
 Cannot access memory at address 0xa
StacktraceTop: evaluate_subexp_standard ()
ThreadStacktrace:
 .
 Thread 1 (process 27552):
 #0 0x00000000004be88a in evaluate_subexp_standard ()
 No symbol table info available.
 Cannot access memory at address 0xa

Changed in gdb (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Eliah Kagan (degeneracypressure) wrote :

I've checked to see if this has already been fixed in the Natty git sources (lp:ubuntu/gdb) -- it has not. But the latest upstream cvs sources compile on Natty and produce the desired behavior. (For example, running gdb with no arguments and immediately running the strace command with no arguments produces the output: "No default breakpoint address now."). I don't expect that any complications would arise, merging the upstream fix into the ubuntu/gdb sources.

Changed in gdb:
importance: Unknown → Medium
status: Unknown → Fix Released
Matthias Klose (doko) wrote :

apparently fixed in 14.04 LTS

Changed in gdb (Ubuntu):
status: Confirmed → Fix Released