Date: Mon, 19 Feb 2024 16:04:59 +0100
Subject: Re: [PATCH v2] [gdb] Fix heap-use-after-free in select_event_lwp
To: Pedro Alves, gdb-patches@sourceware.org
Cc: Simon Marchi
References: <20240123114830.20253-1-tdevries@suse.de> <830ab71f-8968-4ab0-b8e7-8a2884169d4c@palves.net>
From: Tom de Vries
In-Reply-To: <830ab71f-8968-4ab0-b8e7-8a2884169d4c@palves.net>

On 2/9/24 16:46, Pedro Alves wrote:
> On 2024-01-23 11:48, Tom de Vries wrote:
>
>> Since heap-use-after-free is essentially an address sanitizer complaint, I
>> also tried building gdb with -O0 -fsanitize=address, but with this setup it
>> doesn't seem to trigger (0 times out of 10).
>>
>> The heap-use-after-free happens during the following scenario:
>> - linux_nat_wait_1 selects an LWP thread T1 with a status to report.
>> - it sets variable lp to point to the corresponding lwp_info.
>> - it calls stop_callback and stop_wait_callback for all threads
>> (because !target_is_non_stop_p ()).
>> - it calls select_event_lwp to maybe pick another thread than T1, to prevent
>> starvation.
>>
>> The problem seems to be the following:
>> - while calling stop_wait_callback for all threads, it also does this for T1.
>> While doing so, the corresponding lwp_info is deleted (callstack
>> stop_wait_callback -> wait_lwp -> exit_lwp -> delete_lwp), leaving variable
>> lp as a dangling pointer.
>> - variable lp is passed to select_event_lwp, which dereferences it, which causes
>> the heap-use-after-free.
>>
>> Note that the comment here mentions "all other LWP's":
>> ...
>>       /* Now stop all other LWP's ...  */
>>       iterate_over_lwps (minus_one_ptid, stop_callback);
>>       /* ... and wait until all of them have reported back that
>>          they're no longer running.  */
>>       iterate_over_lwps (minus_one_ptid, stop_wait_callback);
>> ...
>> which presumably means other than the one in lp, but the iterators
>> don't skip lp.
>
> I think I'm missing something here.
>
> The reason the comments say "all other LWP's", and don't bother filtering out LP is that
> lp->stopped should be true at this point, and the callbacks (both stop_callback and stop_wait_callback)
> check that flag, and do nothing if set.  I.e., they skip already-stopped threads, so they should
> skip LP.
>
> It sounds like we were about to report a stop for a thread that isn't marked as stopped?
> Now it looks to me that _that_ would be the bug to fix.

Hi Pedro,

thanks for the review.

This patch adds an assert to catch the bug you mention, and a fix in wait_lwp:
...
diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c
index e91c57ba239..5022da9abd2 100644
--- a/gdb/linux-nat.c
+++ b/gdb/linux-nat.c
@@ -2210,6 +2210,7 @@ wait_lwp (struct lwp_info *lp) core. Store it in lp->waitstatus, because lp->status would be ambiguous (W_EXITCODE(0,0) == 0). */ lp->waitstatus = host_status_to_waitstatus (status); + lp->stopped = 1; return 0; }
@@ -3368,6 +3369,7 @@ linux_nat_wait_1 (ptid_t ptid, struct target_waitstatus *ourstatus, } gdb_assert (lp); + gdb_assert (lp->stopped); status = lp->status; lp->status = 0;
...

This fixes the problem observed in the PR, and passes testing on x86_64-linux and aarch64-linux.

WDYT?

Thanks,
- Tom

>
> Pedro Alves
>
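Review bot: in the wait_lwp hunk, the new `lp->stopped = 1;` is a bare assignment on a path that is recording an exit status (the surrounding comment is about storing the exit into lp->waitstatus), so a reader will ask why an LWP that has gone away is marked "stopped". Put a one-line comment at that line saying that stop_callback and stop_wait_callback test lp->stopped and must skip this LWP, otherwise the later iterate_over_lwps pass re-waits it and frees the lwp_info that linux_nat_wait_1 still holds in lp (the stop_wait_callback -> wait_lwp -> exit_lwp -> delete_lwp callstack from the report), and say the same in the commit message, since without that the one-line change reads as an accident. It is also worth confirming in the same function that every other branch of wait_lwp that leaves a reportable status in lp sets lp->stopped too; this hunk only touches the exit-status branch, which is the one the PR hits.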
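Review bot: in the linux_nat_wait_1 hunk, `gdb_assert (lp->stopped);` encodes the invariant Pedro spelled out (the selected LWP is already stopped, which is why the "all other LWP's" iterations may run over it unfiltered), but nothing at the site says so; a short comment above the assert would tell the next reader why the flag has to hold here rather than leaving them to rediscover this thread. The placement is good and deserves a sentence in the commit message: the assert sits before the stop_callback/stop_wait_callback passes, so a future path that again reports a status without setting stopped fails at this assertion while lp is still valid, instead of surfacing later as a heap-use-after-free in select_event_lwp.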
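The sequence Tom describes (select an LWP, hold a raw pointer to its lwp_info, run a stop-and-wait pass over every LWP, then use the pointer) reduced to a toy C model, as an added example that is not gdb code and not part of this thread. Every struct and function below is a stand-in written for the illustration; only the names borrow from linux-nat.c, and the behaviour of stop_wait_callback (skip an LWP whose lp->stopped is set, delete the lwp_info of an LWP that has exited) is taken from the discussion above. The model resolves the selected LWP by id after the pass instead of dereferencing the pointer, so the buggy configuration reports "deleted" rather than reading freed memory; dereferencing lp there under -fsanitize=address is how the real bug shows up.

```c
/* Added example, not gdb's code: a toy model of the linux_nat_wait_1
   scenario from the thread.  Names mirror linux-nat.c, but every struct
   and function here is a stand-in written for this illustration.  */
#include <stdio.h>
#include <stdlib.h>

struct lwp_info
{
  int lwpid;
  int stopped;      /* Set once the LWP is known to be stopped.  */
  int has_exited;   /* Stand-in for "waitpid would report an exit".  */
  struct lwp_info *next;
};

static struct lwp_info *lwp_list;

static struct lwp_info *
add_lwp (int lwpid, int has_exited)
{
  struct lwp_info *lp = calloc (1, sizeof (*lp));
  if (lp == NULL)
    abort ();
  lp->lwpid = lwpid;
  lp->has_exited = has_exited;
  lp->next = lwp_list;
  lwp_list = lp;
  return lp;
}

static void
delete_lwp (int lwpid)
{
  for (struct lwp_info **pp = &lwp_list; *pp != NULL; pp = &(*pp)->next)
    if ((*pp)->lwpid == lwpid)
      {
	struct lwp_info *dead = *pp;
	*pp = dead->next;
	free (dead);
	return;
      }
}

/* Look an LWP up by id: safe even after a pointer to it went stale.  */
static int
lwp_exists (int lwpid)
{
  for (struct lwp_info *lp = lwp_list; lp != NULL; lp = lp->next)
    if (lp->lwpid == lwpid)
      return 1;
  return 0;
}

static void
reset_lwps (void)
{
  while (lwp_list != NULL)
    delete_lwp (lwp_list->lwpid);
}

/* Toy stop_wait_callback.  As Pedro notes, the real callback skips LWPs
   with lp->stopped set.  For an LWP that has exited it takes the
   wait_lwp -> exit_lwp -> delete_lwp path, which frees the lwp_info.  */
static int
stop_wait_callback (struct lwp_info *lp)
{
  if (lp->stopped)
    return 0;
  if (lp->has_exited)
    {
      delete_lwp (lp->lwpid);
      return 0;
    }
  lp->stopped = 1;
  return 0;
}

/* Walk the list, fetching next before the callback runs, so the walk
   survives the callback deleting the current element.  */
static void
iterate_over_lwps (int (*callback) (struct lwp_info *))
{
  for (struct lwp_info *lp = lwp_list; lp != NULL;)
    {
      struct lwp_info *next = lp->next;
      callback (lp);
      lp = next;
    }
}

/* Model of the linux_nat_wait_1 sequence.  Returns 1 if the selected LWP
   still exists after the stop-all pass (using LP afterwards is safe), 0 if
   the pass deleted it (LP would be dangling in the real code).  APPLY_FIX
   models the patch: the status-recording path marks the LWP stopped.  */
static int
wait_1_model (int apply_fix)
{
  reset_lwps ();
  add_lwp (1001, 0);
  struct lwp_info *lp = add_lwp (1002, 1);  /* T1: exit status to report.  */
  add_lwp (1003, 0);
  int selected = lp->lwpid;

  if (apply_fix)
    lp->stopped = 1;   /* What the wait_lwp hunk adds.  */
  /* The patch's gdb_assert (lp->stopped) sits here in the real code.  */

  iterate_over_lwps (stop_wait_callback);

  /* Do not dereference LP here; resolve by id instead.  */
  int survived = lwp_exists (selected);
  reset_lwps ();
  return survived;
}

int
main (void)
{
  printf ("without fix: selected LWP survives = %d\n", wait_1_model (0));
  printf ("with fix:    selected LWP survives = %d\n", wait_1_model (1));
  return 0;
}
```

wait_1_model (0) returns 0: the stop-and-wait pass re-waits T1, finds it exited and frees its lwp_info, which is the dangling lp of the report. wait_1_model (1) returns 1: with the flag set, the callback skips T1 and the pointer stays valid, which is the invariant the new gdb_assert checks.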