Message-ID: <7ced24a4-19d5-293e-b7d6-88d77d3aea7a@simark.ca>
Date: Thu, 15 Dec 2022 08:53:23 -0500
Subject: Re: [PATCH] gdb: fix possible use-after-free when executing commands
To: Jan Vrany, gdb-patches@sourceware.org
References: <7d53e2da-c268-d859-8ddc-b86ac73ce840@simark.ca> <20221215125751.1622358-1-jan.vrany@labware.com>
From: Simon Marchi
In-Reply-To: <20221215125751.1622358-1-jan.vrany@labware.com>

On 12/15/22 07:57, Jan Vrany via Gdb-patches wrote: > Hi Simon, > >> Hi Jan, >>>> >>>> Do you think you could write a test to exercise that fix? >>> >>> Maybe, though I'm not quite sure how to make it fail unless >>> one uses ASAN or Valgrind to run it like you do. Will give it >>> stab. >>> >>> Jan >> >> It's fine if it only fails with ASan / Valgrind enabled, that's the >> point of these tools. They help catch bugs that would otherwise fly >> under the radar. >> > > Maybe something like the patch below? Thanks for following up! > > With: > > * patch b5661ff2 ("gdb: fix possible use-after-free when executing commands") > reverted, > * patch below applied > * and GDB compiled with ASan, > > the new test fails for me. If I comment the redefinition: > > diff --git a/gdb/testsuite/gdb.python/py-cmd.exp b/gdb/testsuite/gdb.python/py-cmd.exp > index ce26f2d3040..ed628e77d31 100644 > --- a/gdb/testsuite/gdb.python/py-cmd.exp > +++ b/gdb/testsuite/gdb.python/py-cmd.exp 
> @@ -82,7 +82,7 @@ gdb_test_multiline "input command redefining itself" \ > " def invoke (self, arg, from_tty):" "" \ > " print (\"redefine_cmd output, msg = %s\" % self._msg)" "" \ > " self._msg = arg" "" \ > - " redefine_cmd (arg)" "" \ > + " #redefine_cmd (arg)" "" \ > "redefine_cmd (\"XXX\")" "" \ > "end" "" > > the test start to pass (since it is not redefining itself). > > HTH, Jan > > -- >8 -- > Subject: [PATCH] gdb/testsuite: add test for Python commands redefining itself > > This commit add test that creates a Python command that redefines "add" -> "adds a" > itself during its execution. This is to test use-after-free in > execute_command (). > > This test needs run with ASan enabled in order to fail when it > should. > --- > gdb/testsuite/gdb.python/py-cmd.exp | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/gdb/testsuite/gdb.python/py-cmd.exp b/gdb/testsuite/gdb.python/py-cmd.exp > index aa95a459f46..ce26f2d3040 100644 > --- a/gdb/testsuite/gdb.python/py-cmd.exp > +++ b/gdb/testsuite/gdb.python/py-cmd.exp 
> @@ -71,6 +71,29 @@ gdb_test_multiline "input subcommand" \ > > gdb_test "prefix_cmd subcmd ugh" "subcmd output, arg = ugh" "call subcmd" > > +# Test command redefining itself > + > +gdb_test_multiline "input command redefining itself" \ > + "python" "" \ > + "class redefine_cmd (gdb.Command):" "" \ > + " def __init__ (self, msg):" "" \ > + " super (redefine_cmd, self).__init__ (\"redefine_cmd\", gdb.COMMAND_OBSCURE)" "" \ > + " self._msg = msg" "" \ > + " def invoke (self, arg, from_tty):" "" \ > + " print (\"redefine_cmd output, msg = %s\" % self._msg)" "" \ > + " self._msg = arg" "" \ Is it needed to assign arg to self._msg here? > + " redefine_cmd (arg)" "" \ > + "redefine_cmd (\"XXX\")" "" \ > + "end" "" > + > +gdb_test "redefine_cmd AAA" \ > + "redefine_cmd output, msg = XXX" \ > + "call command redefining itself 1" > + > +gdb_test "redefine_cmd BBB" \ > + "redefine_cmd output, msg = AAA" \ > + "call command redefining itself 2" > + Note that in TCL code, we use an indent of 4 columns (and just like with C++ code, whole groups of 8 columns become a tab). In order to isolate the new test from the other tests in the file, can you put the new test into its own `proc_with_prefix` function, and start with a fresh GDB? That would mean calling clean_restart at the beginning of the proc. Simon
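Review bot: the `self._msg = arg` line in `invoke` (just before `redefine_cmd (arg)`) makes the second check, "call command redefining itself 2", unable to tell the original command object from its replacement: `redefine_cmd (arg)` constructs the new object with `msg = arg`, so "redefine_cmd output, msg = AAA" would be printed by either object, and the expectation holds even if the redefinition never took effect. Dropping the assignment leaves the first expectation ("msg = XXX") unchanged and makes the second one pass only when the freshly constructed object handled the call. It would also help to say in the `# Test command redefining itself` comment what the commit message already says, that the use-after-free in execute_command () this guards against only shows up under ASan, so a reader of a green non-ASan run knows which path the test is exercising.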
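As an added illustration, not part of Jan's patch or Simon's reply, of the restructuring Simon asks for: the same test body moved into its own `proc_with_prefix`, started from a fresh GDB with `clean_restart`, and with the `self._msg = arg` line left out so that the second expectation can only be satisfied by the replacement object. The proc name `test_command_redefining_itself` is my own choice; the Python lines are re-indented here because the mail extraction collapsed their leading whitespace, and continuation lines are shown with spaces where the GDB testsuite would use a tab for each group of 8 columns.

```tcl
# Added example (not from the submitted patch): the "command redefining
# itself" test isolated in its own prefixed proc, run against a fresh GDB.
proc_with_prefix test_command_redefining_itself {} {
    # Start GDB from scratch so earlier tests in py-cmd.exp cannot leave a
    # redefine_cmd object (or any other state) behind.
    clean_restart

    # Define a Python command whose invoke() replaces the command with a new
    # object built from the argument.  self._msg is only set in __init__, so
    # whatever prints "msg = AAA" on the second call must be the new object.
    gdb_test_multiline "input command redefining itself" \
        "python" "" \
        "class redefine_cmd (gdb.Command):" "" \
        "    def __init__ (self, msg):" "" \
        "        super (redefine_cmd, self).__init__ (\"redefine_cmd\", gdb.COMMAND_OBSCURE)" "" \
        "        self._msg = msg" "" \
        "    def invoke (self, arg, from_tty):" "" \
        "        print (\"redefine_cmd output, msg = %s\" % self._msg)" "" \
        "        redefine_cmd (arg)" "" \
        "redefine_cmd (\"XXX\")" "" \
        "end" ""

    # First call: the object constructed with "XXX" runs, then replaces
    # itself with one constructed from "AAA".  Without the fix this is where
    # execute_command () touches the freed object (visible under ASan only).
    gdb_test "redefine_cmd AAA" \
        "redefine_cmd output, msg = XXX" \
        "call command redefining itself 1"

    # Second call: only the replacement object carries "AAA".
    gdb_test "redefine_cmd BBB" \
        "redefine_cmd output, msg = AAA" \
        "call command redefining itself 2"
}

test_command_redefining_itself
```

Because `proc_with_prefix` prefixes every test name with the proc name, the two `gdb_test` results stay distinguishable from any other "call ..." test in py-cmd.exp, and `clean_restart` means the expected messages no longer depend on what the earlier prefix_cmd/subcmd tests left in the session.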