public inbox for gdb-patches@sourceware.org
From: Simon Marchi <simark@simark.ca>
To: Tom de Vries <tdevries@suse.de>,
	chet.ramey@case.edu, gdb-patches@sourceware.org,
	bug-readline@gnu.org
Subject: Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose
Date: Mon, 29 May 2023 12:43:11 -0400
Message-ID: <99bfd888-0794-b2ba-c8e9-1a3b14ea5d13@simark.ca>
In-Reply-To: <6f27566e-7339-16a1-54d2-3e8317588e9b@suse.de>

On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
> On 5/27/23 21:10, Chet Ramey wrote:
>> On 5/23/23 12:04 PM, Tom de Vries wrote:
>>
>>> Both these issues need fixing independently, though after fixing the first we
>>> no longer trigger the second.
>>
>> Thanks for the report. These are both good fixes.
> 
> Thanks for the review.
> 
> Added test-case and committed.
> 
> Thanks,
> - Tom

Hi Tom,

ASan sees a double-free in the test:

==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
    #5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
    #6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
    #7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
    #8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
    #9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
    #10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
    #11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
    #12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
    #13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
    #14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
    #15 0x7f39eda3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)

0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
freed by thread T0 here:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

previously allocated by thread T0 here:
    #0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
    #2 0x7f39ef3eb6da  (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free

Simon
