public inbox for gdb-prs@sourceware.org
* [Bug gdb/26742] New: benign use after free at gdbserver/inferiors.cc:107
@ 2020-10-15 23:44 msebor at gmail dot com
2020-10-20 16:31 ` [Bug gdb/26742] " tromey at sourceware dot org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: msebor at gmail dot com @ 2020-10-15 23:44 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=26742
Bug ID: 26742
Summary: benign use after free at gdbserver/inferiors.cc:107
Product: gdb
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: msebor at gmail dot com
Target Milestone: ---
Building the latest Binutils/GDB with an experimental version of GCC turns up
the following (benign) instance of using a pointer after it has been freed:
/src/binutils-gdb/gdbserver/inferiors.cc: In function ‘void remove_thread(thread_info*)’:
/src/binutils-gdb/gdbserver/inferiors.cc:107:3: warning: use after free [-Wuse-after-free]
  107 |   if (current_thread == thread)
      |   ^~
/src/binutils-gdb/gdbserver/inferiors.cc:95:8: note: freed by ‘void free(void*)’ here
   95 |   free (thread);
      |   ~~~~~^~~~~~~~
The function with the warning is this:
void
remove_thread (struct thread_info *thread)
{
  if (thread->btrace != NULL)
    target_disable_btrace (thread->btrace);

  discard_queued_stop_replies (ptid_of (thread));
  all_threads.remove (thread);
  free_one_thread (thread);
  if (current_thread == thread)
    current_thread = NULL;
}
A pointer (and all its copies) becomes indeterminate after it has been freed
and using its value is, strictly speaking, undefined. To avoid the warning,
perform the pointer equality test before calling free_one_thread().
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug gdb/26742] benign use after free at gdbserver/inferiors.cc:107
From: tromey at sourceware dot org @ 2020-10-20 16:31 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=26742
Tom Tromey <tromey at sourceware dot org> changed:
           What            |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |tromey at sourceware dot org
   Last reconfirmed|                                 |2020-10-20
   Target Milestone|---                              |11.1
             Status|UNCONFIRMED                      |NEW
     Ever confirmed|0                                |1
           Assignee|unassigned at sourceware dot org |tromey at sourceware dot org
* [Bug gdb/26742] benign use after free at gdbserver/inferiors.cc:107
From: cvs-commit at gcc dot gnu.org @ 2020-10-20 16:36 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=26742
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom Tromey <tromey@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a9b45cb77662d0bb8d312140eee94146f34bd3ce
commit a9b45cb77662d0bb8d312140eee94146f34bd3ce
Author: Tom Tromey <tromey@adacore.com>
Date: Tue Oct 20 10:28:58 2020 -0600
Fix undefined behavior in gdbserver
PR gdb/26742 points out some undefined behavior in gdbserver. The bug
is that remove_thread does:
  free_one_thread (thread);
  if (current_thread == thread)
    current_thread = NULL;
However, the equality check is undefined, because "thread" has already
been freed.
This patch fixes the bug by moving the check earlier.
Tested on x86-64 Fedora 32.
2020-10-20 Tom Tromey <tromey@adacore.com>
PR gdb/26742:
* inferiors.cc (remove_thread): Clear current_thread before
freeing the thread.
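The pattern from the report and the reordering from the commit, reduced to a stand-alone C example. This is added here and is not gdbserver's code: the thread record, the list helpers, the global names and the scenario are constructed for illustration. The "before" function keeps the reported shape (compare after free; the comparison reads only the pointer value, which is why the reporter calls it benign, but that value is indeterminate after free() and the read is what -Wuse-after-free flags); the "after" function does the check first, as the fix does.

```c
#include <stdlib.h>

/* Constructed stand-in for gdbserver's thread list: heap-allocated records
   in a singly linked list plus a global "current thread" pointer. */
struct thread_info
{
  int id;
  struct thread_info *next;
};

static struct thread_info *all_threads = NULL;    /* list head */
static struct thread_info *current_thread = NULL;

/* Allocate a record and push it on the list. */
struct thread_info *
add_thread (int id)
{
  struct thread_info *t = calloc (1, sizeof *t);
  if (t == NULL)
    abort ();
  t->id = id;
  t->next = all_threads;
  all_threads = t;
  return t;
}

/* Detach THREAD from the list without freeing it. */
static void
unlink_thread (struct thread_info *thread)
{
  struct thread_info **pp = &all_threads;
  while (*pp != NULL && *pp != thread)
    pp = &(*pp)->next;
  if (*pp != NULL)
    *pp = thread->next;
}

/* The shape reported in PR gdb/26742: the pointer value is compared
   against current_thread after the object has been freed.  No memory
   behind the pointer is touched, but using the freed pointer's value is
   undefined, and GCC reports it under -Wuse-after-free.  Kept only for
   contrast; not called by the checks below. */
void
remove_thread_before_fix (struct thread_info *thread)
{
  unlink_thread (thread);
  free (thread);
  if (current_thread == thread)   /* reads a freed pointer value */
    current_thread = NULL;
}

/* The fix: clear current_thread first, then free. */
void
remove_thread_after_fix (struct thread_info *thread)
{
  if (current_thread == thread)
    current_thread = NULL;
  unlink_thread (thread);
  free (thread);
}

/* Number of records still on the list. */
int
thread_count (void)
{
  int n = 0;
  for (struct thread_info *t = all_threads; t != NULL; t = t->next)
    n++;
  return n;
}

/* Scenario: two threads, the current one is removed first.  Returns 1
   when the fixed function leaves the list and current_thread consistent. */
int
demo_fixed_remove (void)
{
  struct thread_info *a = add_thread (1);
  struct thread_info *b = add_thread (2);
  current_thread = b;

  remove_thread_after_fix (b);
  int ok = (current_thread == NULL && thread_count () == 1 && all_threads == a);

  remove_thread_after_fix (a);
  ok = ok && thread_count () == 0 && current_thread == NULL;
  return ok;
}
```

Compiling with GCC 12 or later and -Wall reproduces the diagnostic on the "before" function and is silent on the "after" one; an address sanitizer build will not catch this variant, since no freed memory is dereferenced, which is why the static warning is the useful check here.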
* [Bug gdb/26742] benign use after free at gdbserver/inferiors.cc:107
From: tromey at sourceware dot org @ 2020-10-20 16:36 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=26742
Tom Tromey <tromey at sourceware dot org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #2 from Tom Tromey <tromey at sourceware dot org> ---
Fixed.
I'm not sure if it is worth pulling this to the gdb 10 branch or not.