From: Andrew Burgess <andrew.burgess@embecosm.com>
To: Tom Tromey
Cc: gdb-patches@sourceware.org
Subject: Re: [PUSHED] gdb/python: Avoid use after free in py-tui.c
Date: Fri, 5 Jun 2020 21:14:18 +0100
Message-ID: <20200605201418.GE3522@embecosm.com>
In-Reply-To: <87v9k5gy07.fsf@tromey.com>
References: <20200605182337.981585-1-andrew.burgess@embecosm.com> <87v9k5gy07.fsf@tromey.com>

* Tom Tromey [2020-06-05 12:37:12 -0600]:

> >>>>> "Andrew" == Andrew Burgess writes:
>
> Andrew> When setting the window title of a tui frame we do this:
>
> Andrew>   gdb::unique_xmalloc_ptr<char> value
> Andrew>     = python_string_to_host_string ();
> Andrew>   ...
> Andrew>   win->window->title = value.get ();
>
> Andrew> The problem here is that 'get ()' only borrows the pointer from value,
> Andrew> when value goes out of scope the pointer will be freed.  As a result,
> Andrew> the tui frame will be left with a pointer to undefined memory
> Andrew> contents.
>
> This does not make sense to me, because tui_win_info::title is a
> std::string.
>
> Andrew> Instead we should be using 'value.release ()' to take ownership of the
> Andrew> pointer from value.
>
> I suspect this introduces a memory leak instead.

My apologies.  I have reverted the commit.

Sorry for the noise.

Thanks,
Andrew
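The ownership question in the exchange above, as an added example that is not part of the thread or of gdb's sources: the `unique_xmalloc_ptr`, `python_string_to_host_string` and `tui_win_info` below are constructed stand-ins with a buffer counter, so the two assignments can be compared directly. Assigning `get ()` to a `std::string` member copies the bytes and the buffer is freed with `value`; assigning `release ()` still copies the bytes but leaves the buffer with no owner.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

// Constructed stand-ins for xmalloc/xfree that count live buffers,
// so a leak is observable rather than silent.
static int live_buffers = 0;

static char *counted_strdup(const char *s) {
  char *p = static_cast<char *>(std::malloc(std::strlen(s) + 1));
  std::strcpy(p, s);
  ++live_buffers;
  return p;
}
static void counted_free(char *p) {
  if (p) { std::free(p); --live_buffers; }
}

// Stand-in for gdb::unique_xmalloc_ptr<char>: a unique_ptr that frees with xfree.
struct xfree_deleter { void operator()(char *p) const { counted_free(p); } };
using unique_xmalloc_ptr = std::unique_ptr<char, xfree_deleter>;

// Stand-in for python_string_to_host_string(): returns an owned copy.
static unique_xmalloc_ptr python_string_to_host_string(const char *s) {
  return unique_xmalloc_ptr(counted_strdup(s));
}

// As in tui_win_info, the title is a std::string, not a raw pointer.
struct tui_win_info { std::string title; };

// The original code: std::string's assignment copies from the borrowed pointer,
// so the window keeps its own copy and the buffer is freed when value dies.
std::string set_title_with_get(const char *s) {
  tui_win_info win;
  {
    unique_xmalloc_ptr value = python_string_to_host_string(s);
    win.title = value.get();
  }  // value's destructor frees the buffer; win.title remains valid
  return win.title;
}

// The reverted change: release() drops ownership, std::string still copies,
// and no owner is left to free the original buffer.
std::string set_title_with_release(const char *s) {
  tui_win_info win;
  unique_xmalloc_ptr value = python_string_to_host_string(s);
  win.title = value.release();  // leaked: nobody frees this buffer
  return win.title;
}

int live_buffer_count() { return live_buffers; }
```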