From: "cvs-commit at gcc dot gnu.org"
To: gdb-prs@sourceware.org
Subject: [Bug symtab/31697] heap-use-after-free in symtab
Date: Tue, 07 May 2024 17:30:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31697

--- Comment #8 from Sourceware Commits ---
The master branch has been updated by Hannes Domani :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d68f983f88c7469befddcf221228070990cf25e1

commit d68f983f88c7469befddcf221228070990cf25e1
Author: Hannes Domani
Date:   Tue May 7 19:29:21 2024 +0200

    Fix heap-use-after-free because all_objfiles_removed triggers tui_display_main

    Since gdb-10 there is a heap-use-after-free happening if starting the
    target in TUI triggers a re-reading of symbols.

    It can be reproduced with:

    $ gdb -q -batch a.out -ex "tui enable" -ex "shell touch a.out" -ex start
    ==28392== Invalid read of size 1
    ==28392==    at 0x79E97E: lookup_global_or_static_symbol(char const*, block_enum, objfile*, domain_enum) (symtab.h:503)
    ==28392==    by 0x79F859: lookup_global_symbol(char const*, block const*, domain_enum) (symtab.c:2641)
    ==28392==    by 0x79F8E9: language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const (symtab.c:2473)
    ==28392==    by 0x7A66EE: lookup_symbol_aux(char const*, symbol_name_match_type, block const*, domain_enum, language, field_of_this_result*) (symtab.c:2150)
    ==28392==    by 0x7A68C9: lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*) (symtab.c:1958)
    ==28392==    by 0x7A6A25: lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*) (symtab.c:1970)
    ==28392==    by 0x77120F: select_source_symtab() (source.c:319)
    ==28392==    by 0x7EE2D5: tui_get_begin_asm_address(gdbarch**, unsigned long*) (tui-disasm.c:401)
    ==28392==    by 0x807558: tui_display_main() (tui-winsource.c:55)
    ==28392==    by 0x7937B5: clear_symtab_users(enum_flags) (functional:2464)
    ==28392==    by 0x794F40: reread_symbols(int) (symfile.c:2690)
    ==28392==    by 0x6497D1: run_command_1(char const*, int, run_how) (infcmd.c:398)
    ==28392==  Address 0x4e67848 is 3,864 bytes inside a block of size 4,064 free'd
    ==28392==    at 0x4A0A430: free (vg_replace_malloc.c:446)
    ==28392==    by 0x936B63: _obstack_free (obstack.c:280)
    ==28392==    by 0x79541E: reread_symbols(int) (symfile.c:2579)
    ==28392==    by 0x6497D1: run_command_1(char const*, int, run_how) (infcmd.c:398)
    ==28392==    by 0x4FFC45: cmd_func(cmd_list_element*, char const*, int) (cli-decode.c:2735)
    ==28392==    by 0x7DAB50: execute_command(char const*, int) (top.c:575)
    ==28392==    by 0x5D2B43: command_handler(char const*) (event-top.c:552)
    ==28392==    by 0x5D3A50: command_line_handler(std::unique_ptr<char, gdb::xfree_deleter >&&) (event-top.c:788)
    ==28392==    by 0x5D1F4B: gdb_rl_callback_handler(char*) (event-top.c:259)
    ==28392==    by 0x857B3F: rl_callback_read_char (callback.c:290)
    ==28392==    by 0x5D215D: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:195)
    ==28392==    by 0x5D232F: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:234)

    The problem is that tui_display_main is called by the all_objfiles_removed
    hook, which tries to access the symbol cache.  This symbol cache is
    actually stale at this point, and would have been flushed immediately
    afterwards by that same all_objfiles_removed hook.

    It's not possible to tell the hook to call the observers in a specific
    order, but in this case the tui_all_objfiles_removed observer is actually
    not needed, since it only calls tui_display_main, and a 'main' can only
    be found if objfiles are added, not removed.

    So the fix is to simply remove the tui_all_objfiles_removed observer.

    The clearing of the source window (if symbols were removed by e.g. 'file'
    without arguments) still works, since this is done by the
    tui_before_prompt observer.

    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31697
    Approved-By: Tom Tromey
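An added illustration, not gdb's code, of the ordering hazard the commit describes: two observers attached to the same all_objfiles_removed notification, one that consults the symbol cache (the tui path) and one that flushes it, with the stale read made visible through a constructed generation counter instead of a real dangling dereference. The names program_space, symbol_cache and run_session are stand-ins for this model, not gdb's APIs.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct objfile { std::string name; };

// Stand-in for the symbol cache: which objfile 'main' came from, plus the
// generation of the objfile table it was filled from (constructed marker).
struct symbol_cache {
  const objfile *main_objfile = nullptr;   // dangling once objfiles are freed
  unsigned generation = 0;
  void flush() { main_objfile = nullptr; generation = 0; }
};

struct program_space {
  std::vector<std::unique_ptr<objfile>> objfiles;
  unsigned generation = 1;            // bumped whenever objfiles are freed
  symbol_cache cache;
  // Observers of all_objfiles_removed run in attach order, which in gdb is
  // decided by initialisation order, not by the observers themselves.
  std::vector<std::function<void(program_space &)>> all_objfiles_removed;
  int stale_reads = 0;

  // What tui_display_main ends up doing via select_source_symtab: consult
  // the cache.  Instead of dereferencing the (possibly dangling) pointer we
  // detect the stale entry through the generation mismatch.
  void lookup_main() {
    if (cache.generation != 0 && cache.generation != generation)
      ++stale_reads;
  }
  void reread_symbols() {
    objfiles.clear();                 // the old objfiles are freed here
    ++generation;
    for (auto &observer : all_objfiles_removed) observer(*this);
  }
};

// One "start after a.out changed" session; returns the number of stale
// cache reads.  with_tui_observer=true is the pre-fix setup, false is the
// state after the commit removed tui_all_objfiles_removed.
int run_session(bool with_tui_observer) {
  program_space pspace;
  pspace.objfiles.emplace_back(new objfile{"a.out"});
  pspace.cache.main_objfile = pspace.objfiles[0].get();
  pspace.cache.generation = pspace.generation;
  if (with_tui_observer)              // tui_all_objfiles_removed -> tui_display_main
    pspace.all_objfiles_removed.push_back([](program_space &p) { p.lookup_main(); });
  pspace.all_objfiles_removed.push_back([](program_space &p) { p.cache.flush(); });
  pspace.reread_symbols();
  return pspace.stale_reads;
}
```

Swapping the two push_back calls makes the stale read disappear as well, which is exactly the ordering dependence the commit says cannot be expressed through the hook; removing the consumer observer is what makes the result order-independent.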