From: Jan Vrany
To: gdb-patches@sourceware.org
CC: Jan Vrany, simark@simark.ca
Subject: Re: [PATCH] gdb: fix possible use-after-free when executing commands
Date: Thu, 15 Dec 2022 14:51:40 +0000
Message-ID: <20221215145140.39092-1-jan.vrany@labware.com>
In-Reply-To: <7ced24a4-19d5-293e-b7d6-88d77d3aea7a@simark.ca>
References: <7ced24a4-19d5-293e-b7d6-88d77d3aea7a@simark.ca>
> > + " def invoke (self, arg, from_tty):" "" \
> > + " print (\"redefine_cmd output, msg = %s\" % self._msg)" "" \
> > + " self._msg = arg" "" \
> 
> Is it needed to assign arg to self._msg here?
> 

It is not, but found it useful when testing the test. This way, one may
only comment the next line and test would pass, without need to tweak
following `gdb_test` lines. Removed in new version (below).

> > + " redefine_cmd (arg)" "" \
> > + "redefine_cmd (\"XXX\")" "" \
> > + "end" ""
> > +
> > +gdb_test "redefine_cmd AAA" \
> > + "redefine_cmd output, msg = XXX" \
> > + "call command redefining itself 1"
> > +
> > +gdb_test "redefine_cmd BBB" \
> > + "redefine_cmd output, msg = AAA" \
> > + "call command redefining itself 2"
> > +
> 
> Note that in TCL code, we use an indent of 4 columns (and just like with
> C++ code, whole groups of 8 columns become a tab).
> 
> In order to isolate the new test from the other tests in the file, can
> you put the new test into its own `proc_with_prefix` function, and start
> with a fresh GDB? That would mean calling clean_restart at the
> beginning of the proc.

Done, hopefully this is what you meant.
Also I put the test to the end of the file, as it is now in its own function.

-- >8 --
Subject: [PATCH v2] gdb/testsuite: add test for Python commands redefining itself

This commit adds a test that creates a Python command that redefines
itself during its execution. This is to test use-after-free in
execute_command (). This test needs to be run with ASan enabled in order
to fail when it should.
---
 gdb/testsuite/gdb.python/py-cmd.exp | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/gdb/testsuite/gdb.python/py-cmd.exp b/gdb/testsuite/gdb.python/py-cmd.exp
index aa95a459f46..48c3e18f1cc 100644
--- a/gdb/testsuite/gdb.python/py-cmd.exp
+++ b/gdb/testsuite/gdb.python/py-cmd.exp
@@ -300,3 +300,33 @@ gdb_test_multiple "test_multiline" $test {
 	pass $test
     }
 }
+
+# Test command redefining itself
+
+proc_with_prefix test_command_redefining_itself {} {
+    # Start with a fresh gdb
+    clean_restart
+
+
+    gdb_test_multiline "input command redefining itself" \
+	"python" "" \
+	"class redefine_cmd (gdb.Command):" "" \
+	"    def __init__ (self, msg):" "" \
+	"        super (redefine_cmd, self).__init__ (\"redefine_cmd\", gdb.COMMAND_OBSCURE)" "" \
+	"        self._msg = msg" "" \
+	"    def invoke (self, arg, from_tty):" "" \
+	"        print (\"redefine_cmd output, msg = %s\" % self._msg)" "" \
+	"        redefine_cmd (arg)" "" \
+	"redefine_cmd (\"XXX\")" "" \
+	"end" ""
+
+    gdb_test "redefine_cmd AAA" \
+	"redefine_cmd output, msg = XXX" \
+	"call command redefining itself 1"
+
+    gdb_test "redefine_cmd BBB" \
+	"redefine_cmd output, msg = AAA" \
+	"call command redefining itself 2"
+}
+
+test_command_redefining_itself
-- 
2.35.1
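Review bot: In the body of `test_command_redefining_itself` there are two consecutive blank lines between `clean_restart` and the `gdb_test_multiline` call; one of them should go. The in-file comment `# Test command redefining itself` could also carry what the commit message says, namely that the test exercises a use-after-free in execute_command () and only fails when GDB is built with ASan, since a reader of py-cmd.exp who sees it pass otherwise has no hint that it is a sanitizer-only check. The two expectations themselves look right: the first `redefine_cmd AAA` prints `msg = XXX` and installs a replacement command carrying `AAA` while the old one is still executing, so the second invocation printing `msg = AAA` confirms the redefinition took effect.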