public inbox for gdb-prs@sourceware.org help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org> To: gdb-prs@sourceware.org Subject: [Bug symtab/31697] heap-use-after-free in symtab Date: Tue, 07 May 2024 17:30:16 +0000 [thread overview] Message-ID: <bug-31697-4717-bQLlY7nfQi@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-31697-4717@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=31697 --- Comment #8 from Sourceware Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by Hannes Domani <ssbssa@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d68f983f88c7469befddcf221228070990cf25e1 commit d68f983f88c7469befddcf221228070990cf25e1 Author: Hannes Domani <ssbssa@yahoo.de> Date: Tue May 7 19:29:21 2024 +0200 Fix heap-use-after-free because all_objfiles_removed triggers tui_display_main Since gdb-10 there is a heap-use-after free happening if starting the target in TUI triggers a re-reading of symbols. It can be reproduced with: $ gdb -q -batch a.out -ex "tui enable" -ex "shell touch a.out" -ex start ==28392== Invalid read of size 1 ==28392== at 0x79E97E: lookup_global_or_static_symbol(char const*, block_enum, objfile*, domain_enum) (symtab.h:503) ==28392== by 0x79F859: lookup_global_symbol(char const*, block const*, domain_enum) (symtab.c:2641) ==28392== by 0x79F8E9: language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const (symtab.c:2473) ==28392== by 0x7A66EE: lookup_symbol_aux(char const*, symbol_name_match_type, block const*, domain_enum, language, field_of_this_result*) (symtab.c:2150) ==28392== by 0x7A68C9: lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*) (symtab.c:1958) ==28392== by 0x7A6A25: lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*) (symtab.c:1970) ==28392== by 0x77120F: select_source_symtab() (source.c:319) ==28392== by 0x7EE2D5: tui_get_begin_asm_address(gdbarch**, unsigned long*) (tui-disasm.c:401) ==28392== by 0x807558: tui_display_main() (tui-winsource.c:55) ==28392== by 0x7937B5: clear_symtab_users(enum_flags<symfile_add_flag>) (functional:2464) ==28392== by 0x794F40: reread_symbols(int) (symfile.c:2690) ==28392== by 0x6497D1: run_command_1(char const*, int, run_how) (infcmd.c:398) ==28392== Address 0x4e67848 is 3,864 bytes inside a block of size 4,064 free'd ==28392== at 0x4A0A430: free (vg_replace_malloc.c:446) ==28392== by 0x936B63: _obstack_free (obstack.c:280) ==28392== by 0x79541E: reread_symbols(int) (symfile.c:2579) ==28392== by 0x6497D1: run_command_1(char const*, int, run_how) (infcmd.c:398) ==28392== by 0x4FFC45: cmd_func(cmd_list_element*, char const*, int) (cli-decode.c:2735) ==28392== by 0x7DAB50: execute_command(char const*, int) (top.c:575) ==28392== by 0x5D2B43: command_handler(char const*) (event-top.c:552) ==28392== by 0x5D3A50: command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) (event-top.c:788) ==28392== by 0x5D1F4B: gdb_rl_callback_handler(char*) (event-top.c:259) ==28392== by 0x857B3F: rl_callback_read_char (callback.c:290) ==28392== by 0x5D215D: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:195) ==28392== by 0x5D232F: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:234) The problem is that tui_display_main is called by the all_objfiles_removed hook, which tries to access the symbol cache. This symbol cache is actually stale at this point, and would have been flushed immediately afterwards by that same all_objfiles_removed hook. It's not possible to tell the hook to call the observers in a specific order, but in this case the tui_all_objfiles_removed observer is actually not needed, since it only calls tui_display_main, and a 'main' can only be found if objfiles are added, not removed. So the fix is to simply remove the tui_all_objfiles_removed observer. The clearing of the source window (if symbols were removed by e.g. 'file' without arguments) still works, since this is done by the tui_before_prompt observer. Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31697 Approved-By: Tom Tromey <tom@tromey.com> -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2024-05-07 17:30 UTC|newest] Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top 2024-05-03 11:43 [Bug symtab/31697] New: " ssbssa at sourceware dot org 2024-05-03 11:44 ` [Bug symtab/31697] " ssbssa at sourceware dot org 2024-05-03 11:46 ` ssbssa at sourceware dot org 2024-05-03 12:20 ` vries at gcc dot gnu.org 2024-05-03 12:31 ` vries at gcc dot gnu.org 2024-05-03 12:40 ` vries at gcc dot gnu.org 2024-05-03 12:49 ` vries at gcc dot gnu.org 2024-05-03 13:14 ` ssbssa at sourceware dot org 2024-05-04 12:11 ` ssbssa at sourceware dot org 2024-05-07 17:30 ` cvs-commit at gcc dot gnu.org [this message] 2024-05-07 17:32 ` ssbssa at sourceware dot org 2024-05-08 15:01 ` cvs-commit at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-31697-4717-bQLlY7nfQi@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=gdb-prs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).