[Bug cli/29096] AddressSanitizer: heap-use-after-free in execute_command

public inbox for gdb-prs@sourceware.org
help / color / mirror / Atom feed

From: "vries at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug cli/29096] AddressSanitizer: heap-use-after-free in execute_command
Date: Mon, 24 Jul 2023 07:13:03 +0000	[thread overview]
Message-ID: <bug-29096-4717-NbJdumkBEn@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-29096-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29096

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |13.1
                 CC|                            |vries at gcc dot gnu.org
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
This seems to have been fixed by this (
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=b5661ff24f7111246b9e9b5f1cba5afe9d479daf
) commit:
...
gdb: fix possible use-after-free when executing commands

In principle, `execute_command()` does following:

   struct cmd_list_element *c;
   c = lookup_cmd ( ... );
   ...
   /* If this command has been pre-hooked, run the hook first.  */
   execute_cmd_pre_hook (c);
   ...
   /* ...execute the command `c` ...*/
   ...
   execute_cmd_post_hook (c);

This may lead into use-after-free error.  Imagine the command
being executed is a user-defined Python command that redefines
itself.  In that case, struct `cmd_list_element` pointed to by
`c` is deallocated during its execution so it is no longer valid
when post hook is executed.

To fix this case, this commit looks up the command once again
after it is executed to get pointer to (possibly newly allocated)
`cmd_list_element`.
...

The patch was available in 13.1.

There are two patches fixing fall-out, one of them backported to 13.1, the
other one backported to 13.2.

AFAIU, the correct milestone for this is 13.1.

FWIW, IWBN to also have a test-case for this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

     prev parent reply	other threads:[~2023-07-24  7:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-27 12:00 [Bug cli/29096] New: " jan at vrany dot io
2022-04-27 12:00 ` [Bug cli/29096] " jan at vrany dot io
2023-07-24  7:13 ` vries at gcc dot gnu.org [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-29096-4717-NbJdumkBEn@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=gdb-prs@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).