From mboxrd@z Thu Jan 1 00:00:00 1970
From: "vries at gcc dot gnu.org"
To: gdb-prs@sourceware.org
Subject: [Bug cli/29096] AddressSanitizer: heap-use-after-free in execute_command
Date: Mon, 24 Jul 2023 07:13:03 +0000
X-Bugzilla-Product: gdb
X-Bugzilla-Component: cli
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Target-Milestone: 13.1
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=29096

Tom de Vries changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |13.1
                 CC|                            |vries at gcc dot gnu.org
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Tom de Vries ---
This seems to have been fixed by this
( https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=b5661ff24f7111246b9e9b5f1cba5afe9d479daf )
commit:
...
gdb: fix possible use-after-free when executing commands

In principle, `execute_command()` does the following:

    struct cmd_list_element *c;
    c = lookup_cmd ( ... );
    ...
    /* If this command has been pre-hooked, run the hook first. */
    execute_cmd_pre_hook (c);
    ...
    /* ...execute the command `c` ...*/
    ...
    execute_cmd_post_hook (c);

This may lead to a use-after-free error.  Imagine the command being
executed is a user-defined Python command that redefines itself.  In that
case, the struct `cmd_list_element` pointed to by `c` is deallocated during
its execution, so it is no longer valid when the post hook is executed.

To fix this case, this commit looks up the command once again after it is
executed to get a pointer to the (possibly newly allocated)
`cmd_list_element`.
...

The patch was available in 13.1.  There are two patches fixing fall-out, one
of them backported to 13.1, the other one backported to 13.2.

AFAIU, the correct milestone for this is 13.1.

FWIW, IWBN to also have a test-case for this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
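The dangling-pointer pattern the commit message describes, as an added example that is neither gdb's code nor part of the bug report: a toy command table in which a command redefines (and so frees) itself while running, the original execute_command shape that would go on to run the post hook on the freed element, and the fixed shape that looks the command up again first. Everything here (the table, define_cmd, self_redefining, the generation counter and the two execute_command_* variants) is constructed for the example; only the names lookup_cmd, cmd_list_element and execute_cmd_post_hook come from the commit message.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of gdb's command table, constructed for this example. */
struct cmd_list_element {
    char name[32];
    void (*func)(struct cmd_list_element *self);
    int generation;                       /* bumped on every redefinition */
};
static struct cmd_list_element *cmd_table[8];
static int cmd_count, cmd_frees;          /* cmd_frees: elements freed so far */
static struct cmd_list_element *lookup_cmd(const char *name) {
    for (int i = 0; i < cmd_count; i++)
        if (strcmp(cmd_table[i]->name, name) == 0) return cmd_table[i];
    return NULL;
}
/* (Re)define a command.  Redefinition frees the old element, which is what a
   Python user command that re-registers itself does inside gdb. */
static void define_cmd(const char *name, void (*f)(struct cmd_list_element *), int gen) {
    struct cmd_list_element *e = calloc(1, sizeof *e), *old = lookup_cmd(name);
    if (!e) abort();
    strncpy(e->name, name, sizeof e->name - 1);
    e->func = f; e->generation = gen;
    for (int i = 0; i < cmd_count; i++)
        if (cmd_table[i] == old) { free(old); cmd_frees++; cmd_table[i] = e; return; }
    if (cmd_count == 8) abort();
    cmd_table[cmd_count++] = e;           /* unknown name: append */
}
/* A command that redefines itself while running; `self` is freed inside. */
static void self_redefining(struct cmd_list_element *self) {
    char name[32]; strcpy(name, self->name);   /* copy out before self is freed */
    define_cmd(name, self_redefining, self->generation + 1);
}
static void plain(struct cmd_list_element *self) { (void)self; }
/* Original shape: keeps using c after running it.  Returns 1 where the post
   hook would have touched a freed c (the use-after-free), else 0. */
static int execute_command_stale(const char *name) {
    struct cmd_list_element *c = lookup_cmd(name);
    if (!c) return -1;
    int before = cmd_frees; c->func(c);
    return cmd_frees != before;           /* execute_cmd_post_hook (c) would follow */
}
/* Fixed shape: look the command up again after executing it so the post hook
   sees the live element.  Returns the generation the hook would run on. */
static int execute_command_fixed(const char *name) {
    struct cmd_list_element *c = lookup_cmd(name);
    if (!c) return -1;
    c->func(c);
    c = lookup_cmd(name);                 /* may be a newly allocated element */
    return c ? c->generation : -1;
}
```

The stale variant only reports that its cached pointer died during the call rather than dereferencing it, so the example stays clean under AddressSanitizer; the point is that the pointer the post hook would receive is exactly the one define_cmd freed.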