public inbox for gdb-testers@sourceware.org
From: sergiodj+buildbot@sergiodj.net
To: gdb-testers@sourceware.org
Subject: [binutils-gdb/gdb-7.11-branch] Fix gdb/python/python.c use-after-free
Date: Tue, 03 May 2016 11:55:00 -0000	[thread overview]
Message-ID: <329dec6fc5f2efa83d626583135081b53abe8729@gdb-build> (raw)

*** TEST RESULTS FOR COMMIT 329dec6fc5f2efa83d626583135081b53abe8729 ***

Author: Pedro Alves <palves@redhat.com>
Branch: gdb-7.11-branch
Commit: 329dec6fc5f2efa83d626583135081b53abe8729

Fix gdb/python/python.c use-after-free

Valgrind shows:

 ==26964== Invalid read of size 1
 ==26964==    at 0x6E14100: __GI_strcmp (strcmp.S:180)
 ==26964==    by 0x6DB55AA: setlocale (setlocale.c:238)
 ==26964==    by 0x4E0455: _initialize_python() (python.c:1731)
 ==26964==    by 0x786731: initialize_all_files() (init.c:319)
 ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
 ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
 ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
 ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
 ==26964==    by 0x40CAEC: main (gdb.c:32)
 ==26964==  Address 0x81d30a0 is 0 bytes inside a block of size 181 free'd
 ==26964==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
 ==26964==    by 0x6DB5B65: setname (setlocale.c:201)
 ==26964==    by 0x6DB5B65: setlocale (setlocale.c:388)
 ==26964==    by 0x4E037F: _initialize_python() (python.c:1712)
 ==26964==    by 0x786731: initialize_all_files() (init.c:319)
 ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
 ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
 ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
 ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
 ==26964==    by 0x40CAEC: main (gdb.c:32)

The problem is doing this:

  oldloc = setlocale (LC_ALL, NULL);
  setlocale (LC_ALL, "");
  ...
  setlocale (LC_ALL, oldloc);

I.e., the second setlocale call frees 'oldloc'.

From http://pubs.opengroup.org/onlinepubs/9699919799/functions/setlocale.html :

 "The returned string pointer might be invalidated or the string
 content might be overwritten by a subsequent call to setlocale()."

gdb/ChangeLog:
2016-05-03  Pedro Alves <palves@redhat.com>

	PR python/20037
	* python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree
	oldloc.

