From: Jan Vrany
To: gdb-patches@sourceware.org
CC: Jan Vrany, simark@simark.ca
Subject: Re: [PATCH] gdb: fix possible use-after-free when executing commands
Date: Thu, 15 Dec 2022 12:57:51 +0000
Message-ID: <20221215125751.1622358-1-jan.vrany@labware.com>
In-Reply-To: <7d53e2da-c268-d859-8ddc-b86ac73ce840@simark.ca>
References: <7d53e2da-c268-d859-8ddc-b86ac73ce840@simark.ca>

Hi Simon,

> Hi Jan,
>
> >
> > > Do you think you could write a test to exercise that fix?
> >
> > Maybe, though I'm not quite sure how to make it fail unless
> > one uses ASAN or Valgrind to run it like you do.
> > Will give it a stab.
> >
> > Jan
>
> It's fine if it only fails with ASan / Valgrind enabled, that's the
> point of these tools. They help catch bugs that would otherwise fly
> under the radar.
>

Maybe something like the patch below? With:

 * patch b5661ff2 ("gdb: fix possible use-after-free when executing commands")
   reverted,
 * patch below applied
 * and GDB compiled with ASan,

the new test fails for me. If I comment the redefinition:

diff --git a/gdb/testsuite/gdb.python/py-cmd.exp b/gdb/testsuite/gdb.python= /py-cmd.exp index ce26f2d3040..ed628e77d31 100644 --- a/gdb/testsuite/gdb.python/py-cmd.exp +++ b/gdb/testsuite/gdb.python/py-cmd.exp @@ -82,7 +82,7 @@ gdb_test_multiline "input command redefining itself" \ " def invoke (self, arg, from_tty):" "" \ " print (\"redefine_cmd output, msg =3D %s\" % self._msg)" "" \ " self._msg =3D arg" "" \ - " redefine_cmd (arg)" "" \ + " #redefine_cmd (arg)" "" \ "redefine_cmd (\"XXX\")" "" \ "end" ""

the test starts to pass (since it is not redefining itself).

HTH, Jan

-- >8 --
Subject: [PATCH] gdb/testsuite: add test for Python commands redefining itself

This commit adds a test that creates a Python command that redefines itself
during its execution. This is to test use-after-free in execute_command ().

This test needs to be run with ASan enabled in order to fail when it should.
---
 gdb/testsuite/gdb.python/py-cmd.exp | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/gdb/testsuite/gdb.python/py-cmd.exp b/gdb/testsuite/gdb.python= /py-cmd.exp index aa95a459f46..ce26f2d3040 100644 --- a/gdb/testsuite/gdb.python/py-cmd.exp +++ b/gdb/testsuite/gdb.python/py-cmd.exp
@@ -71,6 +71,29 @@ gdb_test_multiline "input subcommand" \ =20 gdb_test "prefix_cmd subcmd ugh" "subcmd output, arg =3D ugh" "call subcmd= " =20 +# Test command redefining itself + +gdb_test_multiline "input command redefining itself" \ + "python" "" \ + "class redefine_cmd (gdb.Command):" "" \ + " def __init__ (self, msg):" "" \ + " super (redefine_cmd, self).__init__ (\"redefine_cmd\", gdb.COMMAND_= OBSCURE)" "" \ + " self._msg =3D msg" "" \ + " def invoke (self, arg, from_tty):" "" \ + " print (\"redefine_cmd output, msg =3D %s\" % self._msg)" "" \ + " self._msg =3D arg" "" \ + " redefine_cmd (arg)" "" \ + "redefine_cmd (\"XXX\")" "" \ + "end" "" + +gdb_test "redefine_cmd AAA" \ + "redefine_cmd output, msg =3D XXX" \ + "call command redefining itself 1" + +gdb_test "redefine_cmd BBB" \ + "redefine_cmd output, msg =3D AAA" \ + "call command redefining itself 2" + # Test prefix command using keyword arguments. =20 gdb_test_multiline "input prefix command, keyword arguments" \ --=20 2.35.1
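
Review bot: `self._msg = arg` in the added invoke method makes both expected outputs hold whether or not the redefinition takes effect: with `redefine_cmd (arg)` commented out, the second call still prints "msg = AAA", which matches the report in this mail that the test passes without the redefinition. If the test is also meant to show that the new instance replaced the old one, drop `self._msg = arg` so that "call command redefining itself 2" can only match when the object created by `redefine_cmd (arg)` handles the second call. Separately, the comment "# Test command redefining itself" could say that this guards against a use-after-free in execute_command () and only fails under ASan or Valgrind, since that is stated only in the commit message.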