gdb crashes on startup if run as root via sudo and ~/.gdbinit exists

Bug #1069897 reported by James Hunt
This bug affects 3 people
Affects        Status         Importance   Assigned to   Milestone
gdb (Debian)   Fix Released   Unknown
gdb (Ubuntu)   Fix Released   Medium       Unassigned

Bug Description

If a program is run like this:

$ sudo gdb ./a.out

and ~/.gdbinit exists (even as an empty file), gdb will crash...

$ cat crash_gdb.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int
main(int argc,
        char *argv[])
{
    printf ("hello\n");
    exit (EXIT_SUCCESS);
}
$ gcc -g crash_gdb.c
$ ./a.out
hello
$ gdb ./a.out
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /tmp/a.out...done.
(gdb) r
Starting program: /tmp/a.out
hello
[Inferior 1 (process 11779) exited normally]
(gdb) quit
$ sudo gdb ./a.out
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /tmp/a.out...done.
(gdb) r
Starting program: /tmp/a.out
hello
[Inferior 1 (process 11839) exited normally]
(gdb) quit
$ ls ~/.gdbinit
ls: cannot access /home/james/.gdbinit: No such file or directory
$ touch ~/.gdbinit
$ sudo gdb ./a.out
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...

warning: not using untrusted file "/home/james/.gdbinit"
*** glibc detected *** gdb: double free or corruption (!prev): 0x092e1cb8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb7217ee2]
/lib/i386-linux-gnu/libc.so.6(fclose+0x154)[0xb7207424]
gdb[0x82b2475]
gdb[0x816f576]
gdb(do_cleanups+0x19)[0x816f5d1]
gdb[0x80f43e4]
gdb(source_script+0x20)[0x80f4437]
gdb(catch_command_errors+0x42)[0x81d4a7f]
gdb[0x81d6fcb]
gdb(catch_errors+0x4c)[0x81d49a9]
gdb(gdb_main+0x34)[0x81d752a]
gdb(main+0x4f)[0x80880eb]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb71bb4d3]
gdb[0x8087fd1]
======= Memory map: ========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb71fdee2]
/lib/i386-linux-gnu/libc.so.6(fclose+0x154)[0xb71ed424]
gdb[0x82b2475]
gdb[0x816f576]
gdb(do_cleanups+0x19)[0x816f5d1]
gdb[0x80f43e4]
gdb(source_script+0x20)[0x80f4437]
gdb(catch_command_errors+0x42)[0x81d4a7f]
gdb[0x81d6fcb]
gdb(catch_errors+0x4c)[0x81d49a9]
gdb(gdb_main+0x34)[0x81d752a]
gdb(main+0x4f)[0x80880eb]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb71a14d3]
gdb[0x8087fd1]
======= Memory map: ========
08048000-0852b000 r-xp 00000000 08:01 5769330 /usr/bin/gdb
0852b000-0852c000 r--p 004e2000 08:01 5769330 /usr/bin/gdb
0852c000-08536000 rw-p 004e3000 08:01 5769330 /usr/bin/gdb
08536000-08551000 rw-p 00000000 00:00 0
092dd000-09401000 rw-p 00000000 00:00 0 [heap]
b6e9e000-b6f64000 rw-p 00000000 00:00 0
b6f64000-b7164000 r--p 00000000 08:01 5767792 /usr/lib/locale/locale-archive
b7164000-b7166000 rw-p 00000000 00:00 0
b7166000-b7182000 r-xp 00000000 08:01 6032119 /lib/i386-linux-gnu/libgcc_s.so.1
b7182000-b7183000 r--p 0001b000 08:01 6032119 /lib/i386-linux-gnu/libgcc_s.so.1
b7183000-b7184000 rw-p 0001c000 08:01 6032119 /lib/i386-linux-gnu/libgcc_s.so.1
b7184000-b7186000 r-xp 00000000 08:01 6029579 /lib/i386-linux-gnu/libutil-2.15.so
b7186000-b7187000 r--p 00001000 08:01 6029579 /lib/i386-linux-gnu/libutil-2.15.so
b7187000-b7188000 rw-p 00002000 08:01 6029579 /lib/i386-linux-gnu/libutil-2.15.so
b7188000-b732b000 r-xp 00000000 08:01 6029603 /lib/i386-linux-gnu/libc-2.15.so
b732b000-b732c000 ---p 001a3000 08:01 6029603 /lib/i386-linux-gnu/libc-2.15.so
b732c000-b732e000 r--p 001a3000 08:01 6029603 /lib/i386-linux-gnu/libc-2.15.so
b732e000-b732f000 rw-p 001a5000 08:01 6029603 /lib/i386-linux-gnu/libc-2.15.so
b732f000-b7332000 rw-p 00000000 00:00 0
b7332000-b7357000 r-xp 00000000 08:01 6031384 /lib/i386-linux-gnu/libexpat.so.1.6.0
b7357000-b7359000 r--p 00025000 08:01 6031384 /lib/i386-linux-gnu/libexpat.so.1.6.0
b7359000-b735a000 rw-p 00027000 08:01 6031384 /lib/i386-linux-gnu/libexpat.so.1.6.0
b735a000-b75c2000 r-xp 00000000 08:01 5770182 /usr/lib/libpython2.7.so.1.0
b75c2000-b75c3000 ---p 00268000 08:01 5770182 /usr/lib/libpython2.7.so.1.0
b75c3000-b75c4000 r--p 00268000 08:01 5770182 /usr/lib/libpython2.7.so.1.0
b75c4000-b761a000 rw-p 00269000 08:01 5770182 /usr/lib/libpython2.7.so.1.0
b761a000-b7627000 rw-p 00000000 00:00 0
b7627000-b763e000 r-xp 00000000 08:01 6031346 /lib/i386-linux-gnu/libpthread-2.15.so
b763e000-b763f000 r--p 00016000 08:01 6031346 /lib/i386-linux-gnu/libpthread-2.15.so
b763f000-b7640000 rw-p 00017000 08:01 6031346 /lib/i386-linux-gnu/libpthread-2.15.so
b7640000-b7642000 rw-p 00000000 00:00 0
b7642000-b766c000 r-xp 00000000 08:01 6031349 /lib/i386-linux-gnu/libm-2.15.so
b766c000-b766d000 r--p 00029000 08:01 6031349 /lib/i386-linux-gnu/libm-2.15.so
b766d000-b766e000 rw-p 0002a000 08:01 6031349 /lib/i386-linux-gnu/libm-2.15.so
b766e000-b7685000 r-xp 00000000 08:01 6029334 /lib/i386-linux-gnu/libz.so.1.2.7
b7685000-b7686000 r--p 00016000 08:01 6029334 /lib/i386-linux-gnu/libz.so.1.2.7
b7686000-b7687000 rw-p 00017000 08:01 6029334 /lib/i386-linux-gnu/libz.so.1.2.7
b7687000-b76a3000 r-xp 00000000 08:01 6031372 /lib/i386-linux-gnu/libtinfo.so.5.9
b76a3000-b76a5000 r--p 0001b000 08:01 6031372 /lib/i386-linux-gnu/libtinfo.so.5.9
b76a5000-b76a6000 rw-p 0001d000 08:01 6031372 /lib/i386-linux-gnu/libtinfo.so.5.9
b76a6000-b76c6000 r-xp 00000000 08:01 6031376 /lib/i386-linux-gnu/libncurses.so.5.9
b76c6000-b76c7000 r--p 0001f000 08:01 6031376 /lib/i386-linux-gnu/libncurses.so.5.9
b76c7000-b76c8000 rw-p 00020000 08:01 6031376 /lib/i386-linux-gnu/libncurses.so.5.9
b76c8000-b76c9000 rw-p 00000000 00:00 0
b76c9000-b76cc000 r-xp 00000000 08:01 6031354 /lib/i386-linux-gnu/libdl-2.15.so
b76cc000-b76cd000 r--p 00002000 08:01 6031354 /lib/i386-linux-gnu/libdl-2.15.so
b76cd000-b76ce000 rw-p 00003000 08:01 6031354 /lib/i386-linux-gnu/libdl-2.15.so
b76ce000-b7703000 r-xp 00000000 08:01 6089775 /lib/i386-linux-gnu/libreadline.so.6.2
b7703000-b7704000 r--p 00035000 08:01 6089775 /lib/i386-linux-gnu/libreadline.so.6.2
b7704000-b7707000 rw-p 00036000 08:01 6089775 /lib/i386-linux-gnu/libreadline.so.6.2
b7707000-b7708000 rw-p 00000000 00:00 0
b7728000-b772f000 r--s 00000000 08:01 5910153 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b772f000-b7730000 r--p 002bd000 08:01 5767792 /usr/lib/locale/locale-archive
b7730000-b7732000 rw-p 00000000 00:00 0
b7732000-b7752000 r-xp 00000000 08:01 6031350 /lib/i386-linux-gnu/ld-2.15.so
b7752000-b7753000 r--p 0001f000 08:01 6031350 /lib/i386-linux-gnu/ld-2.15.so
b7753000-b7754000 rw-p 00020000 08:01 6031350 /lib/i386-linux-gnu/ld-2.15.so
bfdeb000-bfe0c000 rw-p 00000000 00:00 0 [stack]
$ rm ~/.gdbinit
$ sudo gdb ./a.out
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /tmp/a.out...done.
(gdb) r
Starting program: /tmp/a.out
hello
[Inferior 1 (process 12057) exited normally]
(gdb) quit
$

Tags: quantal
tags: added: quantal
Changed in gdb (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdb (Ubuntu):
status: New → Confirmed
Dave Gilbert (ubuntu-treblig) wrote :

My full backtrace on this (quantal 64bit):
#0 0x00007f8710ffe425 in __GI_raise (sig=<optimised out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <optimised out>
        selftid = 9345
#1 0x00007f8711001b8b in __GI_abort () at abort.c:91
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {5,
              140734568085900, 3, 140218083851975, 3, 140734568080586, 6, 140218083851979, 2, 140734568080606,
              2, 140218083842978, 1, 140218083851975, 3, 140734568080580}}, sa_flags = 12,
          sa_restorer = 0x7f8711143ecb}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f871103c39e in __libc_message (do_abort=2,
    fmt=0x7f8711146028 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff51f02e40,
            reg_save_area = 0x7fff51f02d50}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff51f02e40,
            reg_save_area = 0x7fff51f02d50}}
        fd = 7
        on_2 = <optimised out>
        list = <optimised out>
        nlist = <optimised out>
        cp = <optimised out>
        written = <optimised out>
#3 0x00007f8711046b96 in malloc_printerr (action=3, str=0x7f8711146138 "double free or corruption (!prev)",
    ptr=<optimised out>) at malloc.c:5007
        buf = "0000000001a413d0"
        cp = <optimised out>
#4 0x00007f8711036815 in _IO_new_fclose (fp=0x1a413d0) at iofclose.c:88
        status = 0
#5 0x00000000006c42e3 in do_fclose_cleanup (arg=0x1a413d0) at /build/buildd/gdb-7.5/gdb/utils.c:234
        file = 0x1a413d0
#6 0x00000000005583b0 in do_my_cleanups (pmy_chain=0xbeca50 <cleanup_chain>,
    old_chain=0x83bea0 <sentinel_cleanup>) at /build/buildd/gdb-7.5/gdb/cleanups.c:155
        ptr = 0x1a36d40
#7 0x000000000055841d in do_cleanups (old_chain=0x83bea0 <sentinel_cleanup>)
    at /build/buildd/gdb-7.5/gdb/cleanups.c:177
No locals.
#8 0x00000000004d0d05 in source_script_with_search (file=0x1a3a140 "/home/dg/.gdbinit", from_tty=-1,
    search_path=0) at /build/buildd/gdb-7.5/gdb/cli/cli-cmds.c:621
        statbuf = {st_dev = 2065, st_ino = 1865834, st_nlink = 1, st_mode = 33204, st_uid = 1000,
          st_gid = 1000, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 4096, st_blocks = 0, st_atim = {
            tv_sec = 1353763933, tv_nsec = 376637381}, st_mtim = {tv_sec = 1353763932, tv_nsec = 668637382},
          st_ctim = {tv_sec = 1353763932, tv_nsec = 668637382}, __unused = {0, 0, 0}}
        fd = 7
        stream = 0x1a413d0
        full_path = 0x1989b60 "/home/dg/.gdbinit"
        old_cleanups = 0x83bea0 <sentinel_cleanup>
#9 0x00000000004d0d70 in source_script (file=0x1a3a140 "/home/dg/.gdbinit", from_tty=-1)
    at /build/buildd/gdb-7.5/gdb/cli/cli-cmds.c:642
No locals.
#10 0x00000000005c9cd7 in catch_command_errors (command=0x4d0d4b <source_script>,
    arg=0x1a3a140 "/home/dg/.gdbinit", from_tty=-1, mask=6) at /build/buildd/gdb-7.5/gdb/exceptions.c:573
        e = {reason =...


Dave Gilbert (ubuntu-treblig) wrote :

This looks to me like a bug in a Debian-specific patch; see debian/patches/gdbinit-ownership.patch
+ warning ("not using untrusted file \"%s\"", file);
+ fclose (stream);
+ do_cleanups (old_cleanups);
+ return;
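Review bot: the explicit `fclose (stream)` on the second added line closes a stream that the enclosing function has already registered with make_cleanup_fclose, so the `do_cleanups (old_cleanups)` that follows closes the same FILE a second time; drop the `fclose (stream)` and let the cleanup chain close the file once.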

As far as I can tell from the weird cleanup system, the do_cleanups is fclose'ing stream as well, and that's why it fails.
Commenting out the fclose(stream) there makes it work for me, and the fd is closed according to /proc/*/fd.

Changed in gdb (Ubuntu):
status: Confirmed → Triaged
Changed in gdb (Debian):
status: Unknown → New
James Hunt (jamesodhunt) wrote :

I agree with Dave's comments in #3.

However, taking a closer look at gdb/cli/cli-cmds.c, I think further changes need to be made to remove all possibility of a crash. The behaviour of source_script_with_search() looks rather unusual in the paraphrased snippet below (my comments prefixed by '/* XXX: '):

#-----------------------------------

old_cleanups = make_cleanup (xfree, full_path);

make_cleanup_fclose (stream);

if (stream == NULL)
{
/* XXX: since a cleanup was added for 'stream' before checking it opened correctly, this appears to *guarantee* a crash if it didn't */
}

if (from_tty == -1)
{
    /* XXX: ? this has already been done above */
    make_cleanup_fclose (stream);
}
#-----------------------------------
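
The double close Dave Gilbert describes and the cleanup-ordering point James Hunt raises above, as an added example that is not gdb's code: a minimal cleanup chain written in the style of gdb's make_cleanup/do_cleanups, with a counting stand-in for FILE* so the second close is observable as a number instead of as heap corruption. The names cleanup_chain, make_cleanup, do_cleanups, counted_stream and the reject_untrusted_*/source_guarded functions are this example's own, chosen to mirror the identifiers quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not gdb's code: a minimal cleanup chain modelled on the
 * make_cleanup / do_cleanups pattern discussed in the thread. */

struct cleanup {
    void (*function)(void *);
    void *arg;
    struct cleanup *next;
};

/* Head of the chain; NULL means "nothing registered". */
static struct cleanup *cleanup_chain = NULL;

/* Register a cleanup and return the previous head, like gdb's make_cleanup. */
static struct cleanup *make_cleanup(void (*function)(void *), void *arg)
{
    struct cleanup *old = cleanup_chain;
    struct cleanup *c = malloc(sizeof *c);
    if (c == NULL)
        abort();
    c->function = function;
    c->arg = arg;
    c->next = cleanup_chain;
    cleanup_chain = c;
    return old;
}

/* Run and discard every cleanup registered after old_chain, newest first. */
static void do_cleanups(struct cleanup *old_chain)
{
    while (cleanup_chain != old_chain) {
        struct cleanup *c = cleanup_chain;
        cleanup_chain = c->next;
        c->function(c->arg);
        free(c);
    }
}

/* Stand-in for a FILE*: counts closes instead of letting a real double
 * fclose corrupt the heap (constructed for this example). */
struct counted_stream {
    int open;
    int close_count;
};

static void counted_close(struct counted_stream *s)
{
    s->close_count++;
    s->open = 0;
}

/* Cleanup callback, the analogue of gdb's do_fclose_cleanup. */
static void do_close_cleanup(void *arg)
{
    counted_close(arg);
}

/* Mirrors the patch as quoted in the thread: a close cleanup is registered
 * for the stream, then the untrusted-file path closes it explicitly AND
 * runs the cleanups, so the stream is closed twice. Returns the count. */
static int reject_untrusted_buggy(struct counted_stream *stream)
{
    struct cleanup *old_cleanups = make_cleanup(do_close_cleanup, stream);
    /* warning ("not using untrusted file ...") would be issued here */
    counted_close(stream);      /* first close */
    do_cleanups(old_cleanups);  /* the cleanup closes it again */
    return stream->close_count; /* 2 */
}

/* The fix from the 7.5-0ubuntu3 changelog: drop the explicit close and let
 * the cleanup chain close the stream exactly once. */
static int reject_untrusted_fixed(struct counted_stream *stream)
{
    struct cleanup *old_cleanups = make_cleanup(do_close_cleanup, stream);
    /* warning ("not using untrusted file ...") would be issued here */
    do_cleanups(old_cleanups);
    return stream->close_count; /* 1 */
}

/* The ordering point: register the close cleanup only once the open has
 * succeeded, so a NULL stream never reaches the cleanup callback.
 * Returns the number of closes performed (0 when nothing was open). */
static int source_guarded(struct counted_stream *stream)
{
    struct cleanup *old_cleanups = cleanup_chain;
    if (stream != NULL)
        make_cleanup(do_close_cleanup, stream);
    do_cleanups(old_cleanups);
    return stream ? stream->close_count : 0;
}

int main(void)
{
    struct counted_stream a = {1, 0}, b = {1, 0};
    printf("buggy path closes %d times, fixed path closes %d time\n",
           reject_untrusted_buggy(&a), reject_untrusted_fixed(&b));
    return 0;
}
```

With a real FILE* the second close in reject_untrusted_buggy is exactly the `double free or corruption (!prev)` abort in the reports above; the counting stream turns it into a return value of 2 so the defect can be asserted on rather than crashed on.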

Changed in gdb (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdb - 7.5-0ubuntu3

---------------
gdb (7.5-0ubuntu3) raring; urgency=low

  * Remove excessive fclose in gdbinit patch (LP: #1069897)
 -- <email address hidden> (Dr. David Alan Gilbert) Sat, 24 Nov 2012 16:54:53 +0000

Changed in gdb (Ubuntu):
status: Fix Committed → Fix Released
Changed in gdb (Debian):
status: New → Fix Released