From: "jan at vrany dot io" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug cli/29096] New: AddressSanitizer: heap-use-after-free in execute_command
Date: Wed, 27 Apr 2022 12:00:11 +0000
Message-ID: <bug-29096-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29096

            Bug ID: 29096
           Summary: AddressSanitizer: heap-use-after-free in execute_command
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: cli
          Assignee: unassigned at sourceware dot org
          Reporter: jan at vrany dot io
  Target Milestone: ---

When I build GDB with ASAN, I observe a use-after-free error when executing a Python command that redefines itself:

$ cat /tmp/test.py
import gdb

class R(gdb.Command):
    def invoke(self, args, from_tty):
        print("R invoked!")

# Registering the same command name twice: GDB deletes the first
# cmd_list_element when the second one is added.
R('R', gdb.COMMAND_MAINTENANCE)
R('R', gdb.COMMAND_MAINTENANCE)

jv@sao:~/Projects/gdb/origin_master$ ./gdb/gdb --quiet --data-director gdb/data-directory/
(gdb) source /tmp/test.py
(gdb) R
R invoked!
=================================================================
==247122==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000c5608 at pc 0x5561834259b3 bp 0x7ffea4a37020 sp 0x7ffea4a37018
READ of size 8 at 0x6120000c5608 thread T0
    #0 0x5561834259b2 in execute_cmd_post_hook(cmd_list_element*) cli/cli-script.c:391
    #1 0x556185201ee2 in execute_command(char const*, int) /home/jv/Projects/gdb/origin_master/gdb/top.c:704
    #2 0x556183d64935 in command_handler(char const*) /home/jv/Projects/gdb/origin_master/gdb/event-top.c:598
    #3 0x556183d6590f in command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) /home/jv/Projects/gdb/origin_master/gdb/event-top.c:842
    #4 0x556185349bbb in tui_command_line_handler tui/tui-interp.c:278
    #5 0x556183d628d0 in gdb_rl_callback_handler /home/jv/Projects/gdb/origin_master/gdb/event-top.c:230
    #6 0x556185802e78 in rl_callback_read_char /home/jv/Projects/gdb/origin_master/readline/readline/callback.c:287
    #7 0x556183d6232d in gdb_rl_callback_read_char_wrapper_noexcept /home/jv/Projects/gdb/origin_master/gdb/event-top.c:188
    #8 0x556183d62544 in gdb_rl_callback_read_char_wrapper /home/jv/Projects/gdb/origin_master/gdb/event-top.c:205
    #9 0x556183d63f0c in stdin_event_handler(int, void*) /home/jv/Projects/gdb/origin_master/gdb/event-top.c:525
    #10 0x556185b61109 in handle_file_event /home/jv/Projects/gdb/origin_master/gdbsupport/event-loop.cc:574
    #11 0x556185b61a11 in gdb_wait_for_event /home/jv/Projects/gdb/origin_master/gdbsupport/event-loop.cc:700
    #12 0x556185b5f863 in gdb_do_one_event() /home/jv/Projects/gdb/origin_master/gdbsupport/event-loop.cc:237
    #13 0x5561843c78ef in start_event_loop /home/jv/Projects/gdb/origin_master/gdb/main.c:413
    #14 0x5561843c7d0e in captured_command_loop /home/jv/Projects/gdb/origin_master/gdb/main.c:473
    #15 0x5561843cd025 in captured_main /home/jv/Projects/gdb/origin_master/gdb/main.c:1335
    #16 0x5561843cd102 in gdb_main(captured_main_args*) /home/jv/Projects/gdb/origin_master/gdb/main.c:1350
    #17 0x556182a8c0b0 in main /home/jv/Projects/gdb/origin_master/gdb/gdb.c:32
    #18 0x7f3e0d7b07fc in __libc_start_main ../csu/libc-start.c:332
    #19 0x556182a8bea9 in _start (/home/jv/Projects/gdb/origin_master/gdb/gdb+0xa335ea9)

0x6120000c5608 is located 72 bytes inside of 288-byte region [0x6120000c55c0,0x6120000c56e0)
freed by thread T0 here:
    #0 0x7f3e0ef9a937 in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:160
    #1 0x55618339904f in delete_cmd cli/cli-decode.c:1275
    #2 0x5561833922b0 in do_add_cmd cli/cli-decode.c:189
    #3 0x5561833932d7 in add_cmd(char const*, command_class, char const*, cmd_list_element**) cli/cli-decode.c:236
    #4 0x5561848acf79 in cmdpy_init python/py-cmd.c:520
    #5 0x7f3e0ea27619 in type_call ../Objects/typeobject.c:1133

previously allocated by thread T0 here:
    #0 0x7f3e0ef99f37 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x556183392085 in do_add_cmd cli/cli-decode.c:185
    #2 0x5561833932d7 in add_cmd(char const*, command_class, char const*, cmd_list_element**) cli/cli-decode.c:236
    #3 0x5561848acf79 in cmdpy_init python/py-cmd.c:520
    #4 0x7f3e0ea27619 in type_call ../Objects/typeobject.c:1133

SUMMARY: AddressSanitizer: heap-use-after-free cli/cli-script.c:391 in execute_cmd_post_hook(cmd_list_element*)
==247122==ABORTING

The following tentative patch seems to fix the problem, but needs more thinking. We probably should also re-fetch the command after executing the pre-hook.

diff --git a/gdb/top.c b/gdb/top.c index e776ac2d70e..995b754c2fc 100644 --- a/gdb/top.c +++ b/gdb/top.c @@ -623,6 +623,8 @@ execute_command (const char *p, int from_tty) } } + std::string c_name(c->name); + /* If this command has been pre-hooked, run the hook first. */ execute_cmd_pre_hook (c); @@ -662,7 +664,9 @@ execute_command (const char *p, int from_tty) maybe_wait_sync_command_done (was_sync); /* If this command has been post-hooked, run the hook last. */ - execute_cmd_post_hook (c); + c = lookup_cmd_exact (c_name.c_str (), cmdlist); + if (c != nullptr) + execute_cmd_post_hook (c); if (repeat_arguments != NULL && cmd_start == saved_command_line) {
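Review bot: In the first hunk, `std::string c_name(c->name);` keeps only the leaf name of the command, so the later `lookup_cmd_exact (c_name.c_str (), cmdlist)` against the top-level `cmdlist` cannot re-resolve a subcommand that was reached through a prefix list, and may instead return an unrelated top-level command of the same name. Consider capturing whatever is needed to re-resolve the full command path (or re-running the lookup on the original command text that produced `c`), and add a comment at the copy saying why it exists: `c` can be freed when the command body re-registers itself, as the ASan trace shows via `delete_cmd` under `cmdpy_init`.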
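Review bot: In the second hunk, `if (c != nullptr) execute_cmd_post_hook (c);` silently drops the post-hook when the command disappeared during execution, and when the command was redefined the hook that runs is the new element's `hook_post`, not the one attached to the element the user actually invoked; both behaviours may be acceptable but deserve a comment. The same stale-pointer problem also exists between `execute_cmd_pre_hook (c);` and the command body, since a pre-hook that redefines the command leaves `c` dangling before it is used, as the description itself notes. Addressing the root cause, for instance by marking the element as deleted or deferring its deletion until the command has finished, would cover every use of `c` rather than this one site.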
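The pattern behind the trace and the proposed fix, as an added example that is not GDB's code: a toy command table in which a command body re-registers or deletes its own name, and an execute_command that copies the name and looks the command up again before the post-hook. The names cmd_list_element, add_cmd, delete_cmd, lookup_cmd_exact and execute_command are borrowed from the report for readability; their bodies here are constructed, not GDB's.

```cpp
// Added example, not GDB's code: a toy command table modelling the report's bug
// (a command re-registering itself frees the element the caller still holds)
// and the patch's fix of re-fetching the command by name before the post-hook.
#include <memory>
#include <string>
#include <vector>
struct cmd_list_element {
  std::string name;
  void (*func)(cmd_list_element *);  // command body
  void (*hook_post)();               // post-hook, may be null
};
// Owning table; add_cmd frees a same-named entry first, like GDB's do_add_cmd.
static std::vector<std::unique_ptr<cmd_list_element>> cmdlist;
static cmd_list_element *lookup_cmd_exact(const std::string &name) {
  for (auto &c : cmdlist)
    if (c->name == name) return c.get();
  return nullptr;
}
static void delete_cmd(const std::string &name) {
  for (auto it = cmdlist.begin(); it != cmdlist.end(); ++it)
    if ((*it)->name == name) { cmdlist.erase(it); return; }  // element freed
}
static cmd_list_element *add_cmd(const std::string &name,
                                 void (*f)(cmd_list_element *)) {
  delete_cmd(name);
  cmdlist.push_back(std::make_unique<cmd_list_element>());
  cmdlist.back()->name = name;
  cmdlist.back()->func = f;
  cmdlist.back()->hook_post = nullptr;
  return cmdlist.back().get();
}
// Returns true if the post-hook stage found a live element, false if the
// command was gone by then. Reusing the stale `c` here instead would read
// c->hook_post from freed memory, which is what the ASan trace reports.
static bool execute_command(const std::string &line) {
  cmd_list_element *c = lookup_cmd_exact(line);
  if (c == nullptr) return false;
  std::string c_name(c->name);   // copy: the body may free c
  c->func(c);                    // body may add_cmd/delete_cmd its own name
  c = lookup_cmd_exact(c_name);  // refresh rather than touch the old pointer
  if (c == nullptr) return false;
  if (c->hook_post != nullptr) c->hook_post();
  return true;
}
// Constructed commands mirroring the report's R('R', ...) registered twice.
static int post_hook_runs = 0;
static void count_post_hook() { ++post_hook_runs; }
static void self_redefining(cmd_list_element *) {
  add_cmd("R", self_redefining)->hook_post = count_post_hook;  // frees caller's c
}
static void self_deleting(cmd_list_element *) { delete_cmd("D"); }
```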