From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 7089E3857010; Sun, 29 Nov 2020 11:24:01 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7089E3857010
From: "vries at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug remote/26614] AddressSanitizer: heap-use-after-free of
 extended_remote_target in remote_async_inferior_event_handler
Date: Sun, 29 Nov 2020 11:24:01 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gdb
X-Bugzilla-Component: remote
X-Bugzilla-Version: HEAD
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: vries at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-26614-4717-62BatwUpop@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-26614-4717@http.sourceware.org/bugzilla/>
References: <bug-26614-4717@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gdb-prs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gdb-prs mailing list <gdb-prs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/gdb-prs>,
 <mailto:gdb-prs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/gdb-prs/>
List-Help: <mailto:gdb-prs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/gdb-prs>,
 <mailto:gdb-prs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2020 11:24:01 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D26614

--- Comment #11 from Tom de Vries <vries at gcc dot gnu.org> ---
As experiment, I tried:
...
diff --git a/gdb/remote.c b/gdb/remote.c
index 59075cb09f..4dd165255e 100644
--- a/gdb/remote.c
+++ b/gdb/remote.c
@@ -4084,6 +4084,7 @@ remote_target::~remote_target ()
     return;

   serial_close (rs->remote_desc);
+  rs->remote_desc =3D nullptr;

   /* We are destroying the remote target, so we should discard
      everything of this target.  */
@@ -4093,6 +4094,7 @@ remote_target::~remote_target ()
     delete_async_event_handler (&rs->remote_async_inferior_event_token);

   delete rs->notif_state;
+  rs->notif_state =3D nullptr;
 }

 /* Query the remote side for the text, data and bss offsets.  */
...

And got (again at run 28):
...
(gdb) PASS: gdb.multi/multi-target-continue.exp: continue: non-stop=3Don:
inferior 2
Remote debugging from host ::1, port 42904
Process
/home/vries/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.multi/multi-=
target-continue/multi-target-continue
created; pid =3D 27519
monitor exit
(gdb) Killing process(es): 27519

FAIL: gdb.multi/multi-target-continue.exp: continue: non-stop=3Don: inferio=
r 5
(timeout)
Remote debugging from host ::1, port 43110
Process
/home/vries/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.multi/multi-=
target-continue/multi-target-continue
created; pid =3D 27531
Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
0x00000000008e5a69 in std::equal_to<gdbarch*>::operator() (this=3D0x1f59be0,
__x=3D@0x7fffffffd100: 0x2264740, __y=3D<error reading variable>) at
/usr/include/c++/7/bits/stl_function.h:356
356           { return __x =3D=3D __y; }
+backtrace
#0  0x00000000008e5a69 in std::equal_to<gdbarch*>::operator() (this=3D0x1f5=
9be0,
__x=3D@0x7fffffffd100: 0x2264740, __y=3D<error reading variable>) at
/usr/include/c++/7/bits/stl_function.h:356
#1  0x00000000008e5085 in std::__detail::_Equal_helper<gdbarch*,
std::pair<gdbarch* const, remote_arch_state>, std::__detail::_Select1st,
std::equal_to<gdbarch*>, unsigned long, false>::_S_equals (__eq=3D...,
__extract=3D..., __k=3D@0x7fffffffd100: 0x2264740, __n=3D0x60) at
/usr/include/c++/7/bits/hashtable_policy.h:1444
#2  0x00000000008e4424 in std::__detail::_Hashtable_base<gdbarch*,
std::pair<gdbarch* const, remote_arch_state>, std::__detail::_Select1st,
std::equal_to<gdbarch*>, std::hash<gdbarch*>,
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash,
std::__detail::_Hashtable_traits<false, false, true> >::_M_equals
(this=3D0x1f59be0, __k=3D@0x7fffffffd100: 0x2264740, __c=3D36063040, __n=3D=
0x60) at
/usr/include/c++/7/bits/hashtable_policy.h:1815
#3  0x00000000008e3077 in std::_Hashtable<gdbarch*, std::pair<gdbarch* cons=
t,
remote_arch_state>, std::allocator<std::pair<gdbarch* const, remote_arch_st=
ate>
>, std::__detail::_Select1st, std::equal_to<gdbarch*>, std::hash<gdbarch*>,
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash,
std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false,
false, true> >::_M_find_before_node (this=3D0x1f59be0, __n=3D0,
__k=3D@0x7fffffffd100: 0x2264740, __code=3D36063040) at
/usr/include/c++/7/bits/hashtable.h:1551
#4  0x00000000008e167a in std::_Hashtable<gdbarch*, std::pair<gdbarch* cons=
t,
remote_arch_state>, std::allocator<std::pair<gdbarch* const, remote_arch_st=
ate>
>, std::__detail::_Select1st, std::equal_to<gdbarch*>, std::hash<gdbarch*>,
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash,
std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false,
false, true> >::_M_find_node (this=3D0x1f59be0, __bkt=3D0, __key=3D@0x7ffff=
fffd100:
0x2264740, __c=3D36063040) at /usr/include/c++/7/bits/hashtable.h:642
#5  0x00000000008df5ac in std::_Hashtable<gdbarch*, std::pair<gdbarch* cons=
t,
remote_arch_state>, std::allocator<std::pair<gdbarch* const, remote_arch_st=
ate>
>, std::__detail::_Select1st, std::equal_to<gdbarch*>, std::hash<gdbarch*>,
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash,
std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false,
false, true> >::find (this=3D0x1f59be0, __k=3D@0x7fffffffd100: 0x2264740) at
/usr/include/c++/7/bits/hashtable.h:1425
#6  0x00000000008ddc6b in std::unordered_map<gdbarch*, remote_arch_state,
std::hash<gdbarch*>, std::equal_to<gdbarch*>, std::allocator<std::pair<gdba=
rch*
const, remote_arch_state> > >::find (this=3D0x1f59be0, __x=3D@0x7fffffffd10=
0:
0x2264740) at /usr/include/c++/7/bits/unordered_map.h:920
#7  0x00000000008be731 in remote_state::get_remote_arch_state (this=3D0x1f5=
99a8,
gdbarch=3D0x2264740) at /home/vries/gdb_versions/devel/src/gdb/remote.c:1203
#8  0x00000000008be84f in remote_target::get_remote_state (this=3D0x1f59990=
) at
/home/vries/gdb_versions/devel/src/gdb/remote.c:1232
#9  0x00000000008da485 in remote_async_inferior_event_handler (data=3D0x1f5=
9990)
at /home/vries/gdb_versions/devel/src/gdb/remote.c:14171
#10 0x00000000004aa95e in check_async_event_handlers () at
/home/vries/gdb_versions/devel/src/gdb/async-event.c:295
#11 0x0000000000d0eaef in gdb_do_one_event () at
/home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:194
#12 0x0000000000795ec7 in start_event_loop () at
/home/vries/gdb_versions/devel/src/gdb/main.c:356
#13 0x0000000000795fe7 in captured_command_loop () at
/home/vries/gdb_versions/devel/src/gdb/main.c:416
#14 0x0000000000797662 in captured_main (data=3D0x7fffffffd310) at
/home/vries/gdb_versions/devel/src/gdb/main.c:1253
#15 0x00000000007976c8 in gdb_main (args=3D0x7fffffffd310) at
/home/vries/gdb_versions/devel/src/gdb/main.c:1268
#16 0x0000000000415a9e in main (argc=3D5, argv=3D0x7fffffffd418) at
/home/vries/gdb_versions/devel/src/gdb/gdb.c:32
+quit
...

--=20
You are receiving this mail because:
You are on the CC list for the bug.=