From patchwork Thu Jun 9 16:33:33 2016
X-Patchwork-Submitter: Tom Tromey
X-Patchwork-Id: 12918
From: Tom Tromey
To: gdb-patches@sourceware.org
Cc: Tom Tromey
Subject: [RFA] PR gdb/17210 - fix possible memory leak in read_memory_robust
Date: Thu, 9 Jun 2016 10:33:33 -0600
Message-Id: <1465490013-15336-1-git-send-email-tom@tromey.com>

PR gdb/17210 concerns a possible memory leak in read_memory_robust. The bug can happen because read_memory_robust allocates memory, does not install any cleanups, and invokes QUIT. Similarly, target_read calls QUIT, so it too can potentially throw. The fix is to install cleanups to guard the allocated memory.

Built and regtested on x86-64 Fedora 23. I couldn't think of a way to test this, so no new test; and of course this means it should have more careful review.

2016-06-09 Tom Tromey

	PR gdb/17210:
	* target.c (free_memory_read_result_vector): Take a pointer to the
	VEC as an argument.
	(read_memory_robust): Install a cleanup for "result".
	* mi/mi-main.c (mi_cmd_data_read_memory_bytes): Update.
---
 gdb/ChangeLog    |  8 ++++++++
 gdb/mi/mi-main.c |  2 +-
 gdb/target.c     | 15 +++++++++++----
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog index 9c09269..dc1c908 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,11 @@ +2016-06-09 Tom Tromey + + PR gdb/17210: + * target.c (free_memory_read_result_vector): Take a pointer to the + VEC as an argument. + (read_memory_robust): Install a cleanup for "result". + * mi/mi-main.c (mi_cmd_data_read_memory_bytes): Update. + 2016-06-07 Simon Marchi * mi/mi-interp.c (mi_record_changed): Add missing braces. diff --git a/gdb/mi/mi-main.c b/gdb/mi/mi-main.c index d53bcc7..0e048f3 100644
--- a/gdb/mi/mi-main.c +++ b/gdb/mi/mi-main.c @@ -1635,7 +1635,7 @@ mi_cmd_data_read_memory_bytes (char *command, char **argv, int argc) result = read_memory_robust (current_target.beneath, addr, length); - cleanups = make_cleanup (free_memory_read_result_vector, result); + cleanups = make_cleanup (free_memory_read_result_vector, &result); if (VEC_length (memory_read_result_s, result) == 0) error (_("Unable to read memory.")); diff --git a/gdb/target.c b/gdb/target.c index c0ce46d..442d632 100644 --- a/gdb/target.c +++ b/gdb/target.c @@ -1793,15 +1793,15 @@ read_whatever_is_readable (struct target_ops *ops, void free_memory_read_result_vector (void *x) { - VEC(memory_read_result_s) *v = (VEC(memory_read_result_s) *) x; + VEC(memory_read_result_s) **v = (VEC(memory_read_result_s) **) x; memory_read_result_s *current; int ix; - for (ix = 0; VEC_iterate (memory_read_result_s, v, ix, current); ++ix) + for (ix = 0; VEC_iterate (memory_read_result_s, *v, ix, current); ++ix) { xfree (current->data); } - VEC_free (memory_read_result_s, v); + VEC_free (memory_read_result_s, *v); } VEC(memory_read_result_s) * @@ -1810,6 +1810,8 @@ read_memory_robust (struct target_ops *ops, { VEC(memory_read_result_s) *result = 0; int unit_size = gdbarch_addressable_memory_unit_size (target_gdbarch ()); + struct cleanup *cleanup = make_cleanup (free_memory_read_result_vector, + &result); LONGEST xfered_total = 0; while (xfered_total < len) @@ -1836,6 +1838,7 @@ read_memory_robust (struct target_ops *ops, { LONGEST to_read = min (len - xfered_total, region_len); gdb_byte *buffer = (gdb_byte *) xmalloc (to_read * unit_size); + struct cleanup *inner_cleanup = make_cleanup (xfree, buffer); LONGEST xfered_partial = target_read (ops, TARGET_OBJECT_MEMORY, NULL, 
@@ -1846,7 +1849,7 @@ read_memory_robust (struct target_ops *ops, { /* Got an error reading full chunk. See if maybe we can read some subrange. */ - xfree (buffer); + do_cleanups (inner_cleanup); read_whatever_is_readable (ops, offset + xfered_total, offset + xfered_total + to_read, unit_size, &result); @@ -1855,6 +1858,8 @@ read_memory_robust (struct target_ops *ops, else { struct memory_read_result r; + + discard_cleanups (inner_cleanup); r.data = buffer; r.begin = offset + xfered_total; r.end = r.begin + xfered_partial; @@ -1864,6 +1869,8 @@ read_memory_robust (struct target_ops *ops, QUIT; } } + + discard_cleanups (cleanup); return result; }
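Review bot: the ChangeLog hunk's entry for read_memory_robust (`(read_memory_robust): Install a cleanup for "result".`) undersells the change: the target.c hunks also install, and then run or discard, an inner cleanup for `buffer`, and it is that second cleanup that guards the xmalloc'd chunk across the throwing target_read call. Suggest extending the entry to something like `(read_memory_robust): Install cleanups for "result" and "buffer".`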
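Review bot: in the mi-main.c hunk the cleanup now captures `&result`, the address of a local of mi_cmd_data_read_memory_bytes, so it must be run or discarded before this function returns; the `error (_("Unable to read memory."))` two lines down already depends on that, and at that point `result` can be NULL or empty, so free_memory_read_result_vector has to tolerate a NULL vector reached through the pointer. A short comment at the make_cleanup call saying why the address is passed would help, since the `void *` parameter gives the reader no hint.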
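Review bot: in the free_memory_read_result_vector hunk the parameter stays `void *x`, so the switch from `VEC(memory_read_result_s) *` to `VEC(memory_read_result_s) **` is invisible to the compiler: any caller still passing the vector by value would keep compiling and then read garbage through `*v`. Suggest grepping for every remaining caller (this patch updates only mi-main.c) and updating the function's comment, and its declaration in the header if it has one, to state that it now takes the address of the vector.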
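Review bot: in the hunk that opens read_memory_robust, `make_cleanup (free_memory_read_result_vector, &result)` puts a pointer to a stack variable on the cleanup chain; that is the usual gdb idiom and is safe because the chain is run before the throwing frame is unwound, but a one-line comment such as `/* Freed on error; discarded below once the caller owns RESULT.  */` would tell the next reader that the matching discard_cleanups at the end is deliberate.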
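Review bot: in the `xfered_partial <= 0` hunk, `do_cleanups (inner_cleanup)` frees `buffer` before read_whatever_is_readable is entered, matching the old `xfree (buffer)`. read_whatever_is_readable itself is left untouched, though: it appends into `&result`, so anything it has already pushed is covered by the outer cleanup, but if it holds a freshly xmalloc'd buffer of its own while calling target_read (which the commit message says can QUIT), that buffer needs the same inner-cleanup treatment; worth checking that function in the same pass.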
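Review bot: in the success-branch hunk, `discard_cleanups (inner_cleanup)` comes before `r.data = buffer` and the push that follows below the shown context, which is the right order: discarding after the push would risk `buffer` being freed once by the inner cleanup and again by the outer `result` cleanup if something threw in between. A comment on the discard line stating that ownership of `buffer` moves to `result` here would make that intent explicit.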
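Review bot: in the final hunk `discard_cleanups (cleanup)` just before `return result` is the only place the outer cleanup is removed, so the function must have no other return path; none is visible in these hunks, but any early `return` added later would leave a cleanup pointing at a dead stack slot for the caller's next do_cleanups to run. Consider a comment at the discard noting that every exit from the function must go through it.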
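The mechanism the commit message describes, as an added example that is not gdb's code: a toy model in C of gdb's cleanup chain (make_cleanup pushes a cleanup and returns the previous chain head; do_cleanups runs and pops everything installed since that head; discard_cleanups pops without running) and of a QUIT that unwinds with longjmp after running the pending cleanups, as gdb's throw path does. It runs the read loop twice, once in the unguarded "before" shape and once with the patch's outer `result` cleanup and inner `buffer` cleanup, and counts the xmalloc'd blocks left live after an interrupt. Every name, the fixed-size chain, the chunk size, the fake target_read and the result vector are assumptions made for this example, not gdb's own definitions.

```c
/* Added example, not gdb code: a toy model of gdb's cleanup chain and of a
   QUIT that unwinds with longjmp, showing why memory allocated before a call
   that can throw must be guarded by a cleanup.  Names mirror gdb's API; the
   bodies, the fake target and the chunk size are this example's assumptions.  */
#include <setjmp.h>
#include <stdlib.h>
typedef void (*cleanup_fn) (void *);
struct result_vec { unsigned char **items; size_t count; };  /* owned buffers */
static struct cleanup { cleanup_fn function; void *arg; } chain[64];
static int depth, live_blocks, quit_pending, chunks_read, quit_after_chunk;
static jmp_buf quit_catch;             /* the enclosing TRY/CATCH */
static void *xmalloc (size_t n) { void *p = malloc (n); if (!p) abort (); live_blocks++; return p; }
static void xfree (void *p) { if (p) { live_blocks--; free (p); } }

/* The chain is a fixed stack here (gdb's is a linked list); make_cleanup
   pushes a cleanup and returns the old chain head, like gdb's.  */
static int make_cleanup (cleanup_fn function, void *arg)
{
  if (depth == 64) abort ();
  chain[depth].function = function; chain[depth].arg = arg; return depth++;
}
/* Pop every cleanup installed since OLD, running each one if RUN.  */
static void pop_cleanups (int old, int run)
{
  while (depth > old) { depth--; if (run) chain[depth].function (chain[depth].arg); }
}
static void do_cleanups (int old) { pop_cleanups (old, 1); }
static void discard_cleanups (int old) { pop_cleanups (old, 0); }
/* Stand-in for gdb's QUIT.  gdb runs the whole cleanup chain before unwinding,
   while every frame (and every &local given to a cleanup) is still alive.  */
static void QUIT (void)
{
  if (quit_pending) { quit_pending = 0; do_cleanups (0); longjmp (quit_catch, 1); }
}
/* Takes a pointer to the vector, like the patched free_memory_read_result_vector,
   so it can be installed as a cleanup on a caller's local.  */
static void free_result_vec (void *x)
{
  struct result_vec *v = x;
  for (size_t i = 0; i < v->count; i++) xfree (v->items[i]);
  free (v->items); v->items = NULL; v->count = 0;
}
static void result_vec_push (struct result_vec *v, unsigned char *data)
{
  v->items = realloc (v->items, (v->count + 1) * sizeof *v->items);
  if (!v->items) abort ();
  v->items[v->count++] = data;
}

/* Fake target: reads succeed, but the interrupt check inside can throw.
   A Ctrl-C is delivered during chunk QUIT_AFTER_CHUNK (0 = never).  */
static size_t target_read (unsigned char *buf, size_t len)
{
  for (size_t i = 0; i < len; i++) buf[i] = (unsigned char) i;
  if (++chunks_read == quit_after_chunk) quit_pending = 1;
  QUIT (); return len;
}
#define CHUNK 16
/* Before the patch: BUFFER and RESULT are live across calls that can throw.  */
static struct result_vec read_memory_unguarded (size_t len)
{
  struct result_vec result = { NULL, 0 };
  for (size_t done = 0; done < len; ) {
    size_t to_read = len - done < CHUNK ? len - done : CHUNK;
    unsigned char *buffer = xmalloc (to_read);
    done += target_read (buffer, to_read);  /* throws here: all leaked */
    result_vec_push (&result, buffer);
    QUIT ();                                /* throws here: all leaked */
  }
  return result;
}

/* After the patch: an outer cleanup owns RESULT and an inner one owns BUFFER
   until the vector takes it over; each is discarded once ownership moves.  */
static struct result_vec read_memory_guarded (size_t len)
{
  struct result_vec result = { NULL, 0 };
  int cleanup = make_cleanup (free_result_vec, &result);
  for (size_t done = 0; done < len; ) {
    size_t to_read = len - done < CHUNK ? len - done : CHUNK;
    unsigned char *buffer = xmalloc (to_read);
    int inner = make_cleanup (xfree, buffer);
    done += target_read (buffer, to_read);  /* throws here: both freed */
    discard_cleanups (inner);               /* RESULT now owns BUFFER */
    result_vec_push (&result, buffer);
    QUIT ();                                /* throws here: RESULT freed */
  }
  discard_cleanups (cleanup);               /* the caller now owns RESULT */
  return result;
}
/* Run READER for LEN bytes under a catcher (gdb's TRY/CATCH) with a Ctrl-C during
   chunk QUIT_AFTER (0 = none); return the number of leaked (still live) blocks.  */
static int run_interrupted (struct result_vec (*reader) (size_t), size_t len, int quit_after)
{
  live_blocks = 0; chunks_read = 0; quit_after_chunk = quit_after; depth = 0;
  if (setjmp (quit_catch) == 0) {
    struct result_vec r = reader (len);
    free_result_vec (&r);                   /* normal path: the caller frees */
  }
  return live_blocks;
}
```

Reading 40 bytes takes three chunks. Delivering the interrupt during the second chunk leaks two buffers in the unguarded version (the one already in the vector and the one in flight) and none in the guarded one, because do_cleanups runs the inner `buffer` cleanup and then the outer `result` cleanup before the longjmp; the uninterrupted runs show both versions release everything once the caller frees the result.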