From: Tom Tromey
To: Jan Vrany via Gdb-patches
Cc: Jan Vrany
Subject: Re: [PATCH] gdb: fix possible use-after-free when executing commands
References: <20221208142014.84759-1-jan.vrany@labware.com>
Date: Fri, 09 Dec 2022 10:55:14 -0700
In-Reply-To: <20221208142014.84759-1-jan.vrany@labware.com> (Jan Vrany via Gdb-patches's message of "Thu, 8 Dec 2022 14:20:14 +0000")
Message-ID: <87pmcsh37h.fsf@tromey.com>

>>>>> "Jan" == Jan Vrany via Gdb-patches writes:

Jan> This may lead to a use-after-free error. Imagine the command
Jan> being executed is a user-defined Python command that redefines
Jan> itself. In that case, struct `cmd_list_element` pointed to by
Jan> `c` is deallocated during its execution so it is no longer valid
Jan> when post hook is executed.

Thanks for the patch.  Your analysis makes sense to me.  I wouldn't be
surprised if there were other issues along these lines.  Or if this
were in bugzilla somewhere.
Jan> + std::string c_name(c->name);

Space before the paren.  Also I think a comment here explaining why it's
needed would be good.

Jan> /* If this command has been post-hooked, run the hook last. */
Jan> - execute_cmd_post_hook (c);
Jan> + c = lookup_cmd_exact (c_name.c_str (), cmdlist);
Jan> + if (c != nullptr)
Jan> + execute_cmd_post_hook (c);

Perhaps a comment here as well explaining the need to redo the lookup.

This is ok with these minor changes.

thanks,
Tom
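Review bot: the re-lookup `c = lookup_cmd_exact (c_name.c_str (), cmdlist);` resolves the saved name against `cmdlist` only, so if `c` can be a command held in some other command's list rather than in `cmdlist`, the lookup returns nullptr and the post hook is silently skipped instead of running on the redefined command; either confirm that only commands from `cmdlist` reach this point, or save enough of the original lookup (the list `c` was found in) to re-resolve it the same way. The `if (c != nullptr)` check also deserves a comment stating that nullptr here means the command removed itself during execution and that skipping the hook is the intended outcome, so a future reader does not mistake it for a missing error path.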
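The hazard Jan describes (a command that redefines itself while it runs, leaving the caller's `c` dangling) and the shape of the fix (copy the name, re-resolve after execution) can be reproduced in a small stand-alone model. The following is an added example, not gdb's code: `cmd_list_element`, `lookup_cmd_exact` and `cmdlist` are hypothetical stand-ins that only borrow the patch's names, and the `live_elements` tracker is an assumption added so the pre-patch path reports the stale pointer instead of dereferencing freed memory.

```cpp
// Added example (not gdb's code): a toy command table reproducing the
// self-redefining-command hazard from the patch discussion and the
// fix of re-resolving the command by name before the post hook runs.
#include <functional>
#include <map>
#include <memory>
#include <set>
#include <string>

struct cmd_list_element;
// Tracks which elements are currently allocated (assumption added for the
// example so a stale pointer can be detected without dereferencing it).
static std::set<const cmd_list_element *> live_elements;

struct cmd_list_element {  // hypothetical stand-in, not gdb's struct
  std::string name;
  std::function<void()> func;
  int post_hook_runs = 0;
  cmd_list_element() { live_elements.insert(this); }
  ~cmd_list_element() { live_elements.erase(this); }
};

using cmd_list = std::map<std::string, std::unique_ptr<cmd_list_element>>;
static cmd_list cmdlist;

// Register or redefine a command.  Redefinition destroys the previous
// element, which is what a Python command redefining itself triggers.
static cmd_list_element *add_cmd(const std::string &name,
                                 std::function<void()> fn) {
  auto e = std::make_unique<cmd_list_element>();
  e->name = name;
  e->func = std::move(fn);
  cmd_list_element *raw = e.get();
  cmdlist[name] = std::move(e);  // previous definition freed here
  return raw;
}

static cmd_list_element *lookup_cmd_exact(const std::string &name,
                                          cmd_list &list) {
  auto it = list.find(name);
  return it == list.end() ? nullptr : it->second.get();
}

enum class hook_result { ran, skipped_missing, stale_pointer };

// Pre-patch shape: keeps using `c` after func() has run.  The tracker
// turns the would-be use-after-free into a reported stale_pointer.
static hook_result execute_command_unsafe(const std::string &name) {
  cmd_list_element *c = lookup_cmd_exact(name, cmdlist);
  if (c == nullptr) return hook_result::skipped_missing;
  c->func();
  if (!live_elements.count(c))
    return hook_result::stale_pointer;  // real code would touch freed memory
  c->post_hook_runs++;  // stands in for execute_cmd_post_hook (c)
  return hook_result::ran;
}

// Patched shape: copy the name first, then re-resolve after execution so
// the post hook runs on whatever definition is current (or not at all).
static hook_result execute_command_fixed(const std::string &name) {
  cmd_list_element *c = lookup_cmd_exact(name, cmdlist);
  if (c == nullptr) return hook_result::skipped_missing;
  std::string c_name(c->name);  // `c` may be freed by c->func()
  c->func();
  c = lookup_cmd_exact(c_name, cmdlist);
  if (c == nullptr) return hook_result::skipped_missing;  // removed itself
  c->post_hook_runs++;
  return hook_result::ran;
}

// Constructed scenario: a command that replaces itself when executed.
static void install_self_redefining(const std::string &name) {
  add_cmd(name, [name] {
    std::string n = name;  // copy before our own element is destroyed
    add_cmd(n, [] {});     // new definition; the running one is freed
  });
}
```

Running `execute_command_unsafe("redef")` after `install_self_redefining("redef")` reports `stale_pointer`, while `execute_command_fixed` runs the hook once on the new definition; an ordinary command behaves identically under both paths, which is why the bug is easy to miss without a self-redefining command.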