From: Andrew Burgess <andrew.burgess@embecosm.com>
To: gdb-patches@sourceware.org
Subject: [PUSHED] gdb/python: Avoid use after free in py-tui.c
Date: Fri, 5 Jun 2020 19:23:37 +0100
Message-Id: <20200605182337.981585-1-andrew.burgess@embecosm.com>

When setting the window title of a tui frame we do this:

  gdb::unique_xmalloc_ptr<char> value = python_string_to_host_string ();
  ...
  win->window->title = value.get ();

The problem here is that 'get ()' only borrows the pointer from value;
when value goes out of scope the pointer will be freed.  As a result,
the tui frame will be left with a pointer to undefined memory contents.

Instead we should be using 'value.release ()' to take ownership of the
pointer from value.

gdb/ChangeLog:

	* python/py-tui.c (gdbpy_tui_set_title): Use release, not get,
	to avoid use after free.
---
 gdb/ChangeLog       | 5 +++++
 gdb/python/py-tui.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/gdb/python/py-tui.c b/gdb/python/py-tui.c
index ca88f85eb9f..f2c03395a0b 100644
--- a/gdb/python/py-tui.c +++ b/gdb/python/py-tui.c @@ -433,7 +433,7 @@ gdbpy_tui_set_title (PyObject *self, PyObject *newvalue, void *closure) if (value == nullptr) return -1; - win->window->title = value.get (); + win->window->title = value.release (); return 0; } -- 2.25.4
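Review bot: `win->window->title = value.release ();` transfers the new string to the window but overwrites whatever `title` held before without freeing it, so if `title` is a plain owning `char *` (its declaration is not in the hunk) every assignment from Python after the first leaks the previous title. Consider `xfree (win->window->title);` immediately before `win->window->title = value.release ();`, or make `title` an owning type so the ownership rule is visible at the declaration rather than implied by this call site.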
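The ownership distinction the commit message describes, borrowing with `get ()` versus transferring with `release ()`, as an added C++ example that is not code from gdb or from this patch. `unique_xmalloc_ptr`, `to_host_string`, `tui_window` and the `demo_*` functions are stand-ins defined here (gdb's real `gdb::unique_xmalloc_ptr` and `python_string_to_host_string` are only imitated), the deleter logs freed addresses so the dangling pointer can be recognised without being dereferenced, and the owned setter also frees the previous title, which goes beyond what the patch does.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Addresses handed to the deleter, so a caller can recognise a pointer that
// now refers to freed memory without dereferencing it (instrumentation
// constructed for this example, not something gdb has).
static std::vector<std::uintptr_t> freed_addresses;

// Deleter that mimics xfree () and records what it freed.
struct free_and_log
{
  void operator() (char *p) const
  {
    freed_addresses.push_back (reinterpret_cast<std::uintptr_t> (p));
    std::free (p);
  }
};

// Stand-in for gdb::unique_xmalloc_ptr<char> (assumed shape, not gdb's own).
using unique_xmalloc_ptr = std::unique_ptr<char, free_and_log>;

// Stand-in for python_string_to_host_string: an owning malloc'd copy.
static unique_xmalloc_ptr
to_host_string (const std::string &s)
{
  char *copy = static_cast<char *> (std::malloc (s.size () + 1));
  std::memcpy (copy, s.c_str (), s.size () + 1);
  return unique_xmalloc_ptr (copy);
}

// Minimal window with a raw, owning char * title, which is what the patch's
// 'win->window->title' is assumed to be.
struct tui_window
{
  char *title = nullptr;
};

// The 'before' side of the patch: get () only borrows.  'value' still owns
// the string and frees it when this function returns, so win.title dangles.
static void
set_title_borrowed (tui_window &win, const std::string &s)
{
  unique_xmalloc_ptr value = to_host_string (s);
  win.title = value.get ();
}

// The 'after' side of the patch: release () hands the string to the window.
// Freeing the previous title is an addition here; the patch does not do it.
static void
set_title_owned (tui_window &win, const std::string &s)
{
  unique_xmalloc_ptr value = to_host_string (s);
  std::free (win.title);
  win.title = value.release ();
}

// True when win.title equals an address the deleter already freed.
static bool
title_was_freed (const tui_window &win)
{
  std::uintptr_t addr = reinterpret_cast<std::uintptr_t> (win.title);
  for (std::uintptr_t a : freed_addresses)
    if (a == addr)
      return true;
  return false;
}

// Runs the buggy setter and reports whether the title is left dangling.
static bool
demo_borrowed_dangles ()
{
  freed_addresses.clear ();
  tui_window win;
  set_title_borrowed (win, "dangling");
  bool dangling = title_was_freed (win);
  win.title = nullptr;   // never read or free the dead pointer
  return dangling;
}

// Runs the fixed setter twice and returns the final title, or "" if the
// title ever pointed at freed memory.
static std::string
demo_owned_title ()
{
  freed_addresses.clear ();
  tui_window win;
  set_title_owned (win, "first");
  set_title_owned (win, "second");
  std::string result = title_was_freed (win) ? "" : win.title;
  std::free (win.title);
  return result;
}

int
main ()
{
  std::printf ("get (): title dangles after the setter returns: %s\n",
               demo_borrowed_dangles () ? "yes" : "no");
  std::printf ("release (): title after two sets: %s\n",
               demo_owned_title ().c_str ());
  return 0;
}
```

The borrowed setter is the shape the commit message quotes: the smart pointer's destructor runs at the closing brace and the window keeps the dead address, which is why no compiler warning or crash appears at the assignment itself. The dangling pointer is only ever compared as an integer, never read, so the example stays well-defined while still showing the defect.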