* Re: [patch] read_command_lines can return freed memory
From: Fernando Nasser @ 2001-06-15 8:00 UTC
To: Eirik Fuller; +Cc: gdb-patches
Nice catch Eirik. Thanks.
I guess this has gone unnoticed for so long because it only happens when
a control structure first line is invalid. Anyway, we should think of a
more contrived example to create a test case...
W.r.t. the fix, I believe the missing pointer reset is in
free_command_lines(). I guess that was the creator's intention as the
argument implies that it will be modified (it is passed by reference).
Please try the attached patch.
Regards,
Fernando
Eirik Fuller wrote:
>
> When sourcing a script file with improperly nested control statements,
> gdb can store a pointer to freed memory in a cmd_list_element struct,
> which can cause subsequent crashes. One test case is to source this
> script file twice:
>
> define fp
>   set $frame = (long *) $arg0
>   while $frame[0] > $frame
>     printf "%08x: %08x %08x\n", $frame, $frame[0], $frame[1]
>     if $frame[1]
>       if ((uchar **)$frame)[1][-5] == 0xe8
>         x/i $frame[1] - 5
>       else
>         if ((uchar **)$frame)[1][-2] == 0xff
>           x/i $frame[1] - 2
>         else
>           x/i $frame[1]
>         # end
>       end
>     else
>       x/i $frame[2]
>     end
>     set $frame = (long *) $frame[0]
>   end
> end
>
> Removing the # results in a script file which can be sourced with no
> errors. The patch included here prevents the crash. Here's a
> ChangeLog entry:
>
> 2001-06-15 Eirik Fuller <eirik@hackrat.com>
>
> * cli/cli-script.c (read_command_lines): Don't return freed
> memory.
>
> Here's the patch:
>
> --- gdb+dejagnu-20010615/gdb/cli/cli-script.c- Tue Mar 13 14:29:14 2001
> +++ gdb+dejagnu-20010615/gdb/cli/cli-script.c Thu Jun 14 22:53:17 2001
> @@ -995,7 +995,10 @@
> discard_cleanups (old_chain);
> }
> else
> - do_cleanups (old_chain);
> + {
> + do_cleanups (old_chain);
> + head = NULL;
> + }
> }
>
> if (readline_end_hook)
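Review bot: the `head = NULL` added after `do_cleanups (old_chain)` repairs only this one call site, and it leaves the reader to work out why the error branch must clear `head` (the pointer is handed back to the caller after the cleanup has freed the list). Since free_command_lines already receives the list by reference, the reset belongs there, as `*lptr = NULL;` after its loop, so every caller that frees and then reads its head sees NULL rather than freed memory; if the reset stays here, a one-line comment on the error branch should say that the cleanup frees what `head` points to.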
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
Index: cli/cli-script.c
===================================================================
RCS file: /cvs/src/src/gdb/cli/cli-script.c,v
retrieving revision 1.6
diff -c -p -r1.6 cli-script.c
*** cli-script.c 2001/03/13 22:29:14 1.6
--- cli-script.c 2001/06/15 14:53:13
*************** free_command_lines (struct command_line
*** 1028,1033 ****
--- 1028,1034 ----
xfree (l);
l = next;
}
+ *lptr = NULL;
}
static void
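Review bot: `*lptr = NULL;` after the loop clears only the pointer the caller passed in; any second copy of the list head (another local, or a struct field aliasing it) still dangles, so callers must free through the one owning pointer. Because nulling the caller's pointer is now part of the function's contract, the header comment of free_command_lines should state it; the loop already walks the local copy `l`, so the reset itself costs nothing and makes a repeated call on the same pointer harmless.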
* Re: [patch] read_command_lines can return freed memory
From: Eirik Fuller @ 2001-06-15 11:40 UTC
To: Fernando Nasser; +Cc: gdb-patches
I backed out the patch to read_command_lines, confirmed that the crash
occurs again, applied the patch to free_command_lines, and confirmed
that the crash no longer occurs.
I agree that patching free_command_lines is the right way to fix this.
> we should think of a more contrived example to create a test case...
Here's the simplest test case I've found which triggers the crash:
define f0
  set $f = $arg0
  if $f[1]
    if $f[2]
      f2
    else
      f1
  else
You can also add stuff after the second else. As before, source that
file twice; the second time triggers the crash. It's likely that the
details of the crash (including whether it occurs at all) vary from
platform to platform; I'm using a Debian x86 system with libc6 2.2.3.
Thanks,
Eirik
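The free-by-reference pattern the thread settles on, as an added C example that is not gdb's own code: a hypothetical `struct line` list, a `free_lines` shaped like the committed `*lptr = NULL` fix, and a `read_lines` that mirrors the read_command_lines error path for badly nested if/else (the f0 case above). All names are assumptions, and the scripts passed in are constructed inputs.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gdb's struct command_line (names assumed). */
struct line { const char *text; struct line *next; };

/* Same shape as the committed free_command_lines fix: the list arrives by
 * reference and the caller's head is reset to NULL, so code that later
 * tests or returns `head' sees an empty list, not freed memory. */
static void free_lines(struct line **lptr)
{
    struct line *l = *lptr;
    while (l) {
        struct line *next = l->next;
        free(l);
        l = next;
    }
    *lptr = NULL;   /* also makes a repeated call on the same head a no-op */
}

static size_t count_lines(const struct line *l)
{ size_t n = 0; for (; l; l = l->next) n++; return n; }

/* Modelled on read_command_lines: if/while open a block, `else' needs an
 * open `if' that has no else yet, `end' closes the innermost block or, at
 * depth 0, the define.  Bad nesting (the thread's f0 case: two `else' for
 * one `if') or a missing final `end' takes the error path: free the partial
 * list and return the same head variable, NULL only because it was reset. */
static struct line *read_lines(const char **script, size_t n)
{
    struct line *head = NULL, **tail = &head;
    char stack[32];                /* 'i' = if, 'e' = if after else, 'w' = while */
    int depth = 0, ok = 0;
    for (size_t i = 0; i < n; i++) {
        const char *s = script[i];
        if (!strcmp(s, "end")) {
            if (depth == 0) { ok = 1; break; }       /* closes the define */
            depth--;
        } else if (!strcmp(s, "else")) {
            if (depth == 0 || stack[depth - 1] != 'i') break;   /* nesting error */
            stack[depth - 1] = 'e';
        } else if (!strncmp(s, "if ", 3) || !strncmp(s, "while ", 6)) {
            if (depth == (int)sizeof stack) break;
            stack[depth++] = s[0];                   /* 'i' or 'w' */
        }
        struct line *l = malloc(sizeof *l);
        if (!l) break;
        l->text = s; l->next = NULL;
        *tail = l; tail = &l->next;
    }
    if (!ok) free_lines(&head);                      /* error path, as in cli-script.c */
    return head;
}
```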
* Re: [patch] read_command_lines can return freed memory
From: Fernando Nasser @ 2001-06-15 12:04 UTC
To: Eirik Fuller; +Cc: Fernando Nasser, gdb-patches
Thanks for testing it and for the test case.
If you agree, I will modify your changelog entry to:
2001-06-15 Eirik Fuller <eirik@hackrat.com>
* cli/cli-script.c (free_command_lines): Reset list pointer.
and check the second version of the patch in.
And thanks again for the bug report/fix.
Regards,
Fernando
Eirik Fuller wrote:
>
> I backed out the patch to read_command_lines, confirmed that the crash
> occurs again, applied the patch to free_command_lines, and confirmed
> that the crash no longer occurs.
>
> I agree that patching free_command_lines is the right way to fix this.
>
> > we should think of a more contrived example to create a test case...
>
> Here's the simplest test case I've found which triggers the crash:
>
> define f0
>   set $f = $arg0
>   if $f[1]
>     if $f[2]
>       f2
>     else
>       f1
>   else
>
> You can also add stuff after the second else. As before, source that
> file twice; the second time triggers the crash. It's likely that the
> details of the crash (including whether it occurs at all) vary from
> platform to platform; I'm using a Debian x86 system with libc6 2.2.3.
>
> Thanks,
> Eirik
--
Fernando Nasser
Red Hat - Toronto E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
* Re: [patch] read_command_lines can return freed memory
From: Fernando Nasser @ 2001-06-17 8:16 UTC
To: Fernando Nasser; +Cc: Eirik Fuller, gdb-patches
Committed.
From 2001-06-15 Eirik Fuller <eirik@hackrat.com>
* cli/cli-script.c (free_command_lines): Reset list pointer.
Index: cli/cli-script.c
===================================================================
RCS file: /cvs/src/src/gdb/cli/cli-script.c,v
retrieving revision 1.6
diff -c -p -r1.6 cli-script.c
*** cli-script.c 2001/03/13 22:29:14 1.6
--- cli-script.c 2001/06/17 15:14:21
*************** free_command_lines (struct command_line
*** 1028,1033 ****
--- 1028,1034 ----
xfree (l);
l = next;
}
+ *lptr = NULL;
}
static void
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9