From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id AL2EBEE1mmOx0gAAWB0awg (envelope-from ) for ; Wed, 14 Dec 2022 15:42:41 -0500 Received: by simark.ca (Postfix, from userid 112) id 105171E126; Wed, 14 Dec 2022 15:42:41 -0500 (EST) Authentication-Results: simark.ca; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=YQ4Z1pnS; dkim-atps=neutral X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,NICE_REPLY_A, RCVD_IN_DNSWL_HI,RDNS_DYNAMIC,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from sourceware.org (ip-8-43-85-97.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id BF1781E0D3 for ; Wed, 14 Dec 2022 15:42:40 -0500 (EST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 3A8F138475BA for ; Wed, 14 Dec 2022 20:42:40 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 3A8F138475BA DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1671050560; bh=yGTBfKHv+ZSJ5Gbv2Udzcgm3GiXQDM+fIhEa161k+To=; h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=YQ4Z1pnSq9NS3LXMUTq65cv71ecVfUVznw1J7eBmmJMcfaOxMbCHou5G0kALKVxSc i7qXmMdANwEdT7Tk3gSGKFgdxdfHwpBj5ZFOVArUSBAkoXMLR4Y6vF8Q/R3kiT73ay FF4VYKhc++vXT5kXY2voUXlTXHRwswXolw2u+49c= Received: from simark.ca (simark.ca [158.69.221.121]) by sourceware.org (Postfix) with ESMTPS id B90EB3864A24 for ; Wed, 14 Dec 2022 20:42:20 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org B90EB3864A24 Received: from [10.0.0.11] (unknown [217.28.27.60]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPSA id 5BDE01E0D3; Wed, 14 Dec 2022 15:42:20 -0500 (EST) Message-ID: <7d53e2da-c268-d859-8ddc-b86ac73ce840@simark.ca> Date: Wed, 14 Dec 2022 15:42:20 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1 Subject: Re: [PATCH] gdb: fix possible use-after-free when executing commands Content-Language: en-US To: =?UTF-8?Q?Jan_Vran=c3=bd?= , "gdb-patches@sourceware.org" References: <20221208142014.84759-1-jan.vrany@labware.com> <4b39de63ae0c8bb82375567aeba717340ed6c343.camel@labware.com> In-Reply-To: <4b39de63ae0c8bb82375567aeba717340ed6c343.camel@labware.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Simon Marchi via Gdb-patches Reply-To: Simon Marchi Errors-To: gdb-patches-bounces+public-inbox=simark.ca@sourceware.org Sender: "Gdb-patches" On 12/14/22 15:39, Jan Vraný wrote: > On Wed, 2022-12-14 at 14:52 -0500, Simon Marchi wrote: >> >> On 12/8/22 09:20, Jan Vrany via Gdb-patches wrote: >>> In principle, `execute_command()` does following: >>> >>> struct cmd_list_element *c; >>> c = lookup_cmd ( ... ); >>> ... >>> /* If this command has been pre-hooked, run the hook first. */ >>> execute_cmd_pre_hook (c); >>> ... >>> /* ...execute the command `c` ...*/ >>> ... >>> execute_cmd_post_hook (c); >>> >>> This may lead into use-after-free error. Imagine the command >>> being executed is a user-defined Python command that redefines >>> itself. In that case, struct `cmd_list_element` pointed to by >>> `c` is deallocated during its execution so it is no longer valid >>> when post hook is executed. >>> >>> To fix this case, this commit looks up the command once again >>> after it is executed to get pointer to (possibly newly allocated) >>> `cmd_list_element`. >> >> Hi Jan, >> >> Do you think you could write a test to exercise that fix? > > Maybe, though I'm not quite sure how to make it fail unless > one uses ASAN or Valgrind to run it like you do. Will give it > stab. > > Jan It's fine if it only fails with ASan / Valgrind enabled, that's the point of these tools. They help catch bugs that would otherwise fly under the radar. Simon