From: Alexandra Petlanova Hajkova
Date: Tue, 14 Feb 2023 18:05:01 +0100
Subject: Re: [PATCH] Fix value chain use-after-free
To: Tom Tromey
Cc: gdb-patches@sourceware.org
In-Reply-To: <20230211010805.3700057-1-tom@tromey.com>
References: <20230211010805.3700057-1-tom@tromey.com>

On Sat, Feb 11, 2023 at 2:08 AM Tom Tromey wrote:

> Hannes filed a bug showing a crash, where a pretty-printer written in
> Python could cause a use-after-free. He sent a patch, but I thought a
> different approach was needed.
>
> In a much earlier patch (see bug #12533), we changed the Python code
> to release new values from the value chain when constructing a
> gdb.Value.
> The rationale for this is that if you write a command that
> does a lot of computations in a loop, all the values will be kept live
> by the value chain, resulting in gdb using a large amount of memory.
>
> However, suppose a value is passed to Python from some code in gdb
> that needs to use the value after the call into Python. In this
> scenario, value_to_value_object will still release the value -- and
> because gdb code doesn't generally keep strong references to values (a
> consequence of the ancient decision to use the value chain to avoid
> memory management), this will result in a use-after-free.
>
> This scenario can happen, as it turns out, when a value is passed to
> Python for pretty-printing. Now, normally this route boxes the value
> via value_to_value_object_no_release, avoiding the problematic release
> from the value chain. However, if you then call Value.cast, the
> underlying value API might return the same value, which is then
> released from the chain.
>
> This patch fixes the problem by changing how value boxing is done.
> value_to_value_object no longer removes a value from the chain.
> Instead, every spot in gdb that might construct new values uses a
> scoped_value_mark to ensure that the requirements of bug #12533 are
> met. And, because incoming values aren't ever released from the chain
> (the Value.cast one comes earlier on the chain than the
> scoped_value_mark), the bug can no longer occur. (Note that many
> spots in the Python layer already take this approach, so not many
> places needed to be touched.)
>
> In the future I think we should replace the use of raw "value *" with
> value_ref_ptr pretty much everywhere. This will ensure lifetime
> safety throughout gdb.
>
> The test case in this patch comes from Hannes' original patch. I only
> made a trivial ("require") change to it. However, while this fails
> for him, I can't make it fail on this machine; nevertheless, he tried
> my patch and reported the bug as being fixed.
>
> 2.39.1

I think it's a good solution and I can confirm gdb.python/py-pp-cast.exp
passes for me. But I wasn't able to apply the patch cleanly; I think it
needs to be rebased.
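The lifetime problem the quoted description walks through, as an added example that is not gdb's code: a toy value chain that is the sole owner of every value, the old boxing path that releases a value its caller still holds, and a scoped_value_mark that frees only the temporaries created after it. The names allocate_value, release_value_from_chain, value_cast_same and the two path functions are simplified stand-ins for illustration, not gdb's real API.

```cpp
// Toy model of gdb's value chain, the use-after-free and the scoped_value_mark fix
// (added example, not gdb code). Values are only flagged freed, never really freed.
#include <algorithm>
#include <cstddef>
#include <deque>
#include <vector>

struct value { int contents; bool freed; };
static std::deque<value> arena;           // stable storage (deque keeps addresses)
static std::vector<value *> value_chain;  // the chain is the values' only owner

static value *allocate_value(int v) {
    arena.push_back(value{v, false});
    value_chain.push_back(&arena.back());
    return &arena.back();
}

// Old value_to_value_object behaviour: boxing removed the value from the chain,
// so it died with the Python object even if gdb code still pointed at it.
static void release_value_from_chain(value *val) {
    value_chain.erase(std::remove(value_chain.begin(), value_chain.end(), val), value_chain.end());
    val->freed = true;
}
// scoped_value_mark: on scope exit, free every value allocated after the mark.
struct scoped_value_mark {
    std::size_t mark = value_chain.size();
    ~scoped_value_mark() {
        for (std::size_t i = mark; i < value_chain.size(); ++i) value_chain[i]->freed = true;
        value_chain.resize(mark);
    }
};
// Value.cast when the value API hands back the very same value.
static value *value_cast_same(value *val) { return val; }

// Before the patch: the printer casts VAL, the result is boxed and released;
// gdb then goes on to use VAL, which is now freed.
static bool old_path_is_use_after_free(value *val) {
    release_value_from_chain(value_cast_same(val));
    return val->freed;  // true: the caller's value is gone
}

// After the patch: boxing releases nothing; a mark around the Python call frees
// only temporaries created inside it, and VAL, older on the chain, survives.
static bool new_path_keeps_value_alive(value *val) {
    {
        scoped_value_mark mark;
        allocate_value(value_cast_same(val)->contents + 1);  // printer temporary
    }
    return !val->freed;
}
```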