From: Philipp Rudo
To: gdb-patches@sourceware.org
Subject: [PATCH] Fix read after xfree in linux_nat_detach
Date: Wed, 22 Mar 2017 14:11:32 +0100
Message-Id: <20170322131132.98976-2-prudo@linux.vnet.ibm.com>

At the end of linux_nat_detach there is a check whether the inferior has
a fork. If no fork exists the main_lwp is detached (detach_one_lwp) and
later, outside the check, deleted (delete_lwp). This is problematic as
detach_one_lwp also calls delete_lwp freeing main_lwp. Thus the second
call to delete_lwp reads from already freed memory. Fix this by removing
delete_lwp at the end of detach_one_lwp.

gdb/ChangeLog:

	* linux-nat.c (detach_one_lwp): Remove call to delete_lwp.
	(detach_callback): Add call to delete_lwp and rename ...
	(detach_and_delete_callback): ... to this.
	(linux_nat_detach): Adjust.
---
 gdb/linux-nat.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c index 73ef2d4..b578f69 100644 --- a/gdb/linux-nat.c +++ b/gdb/linux-nat.c 
@@ -1483,18 +1483,19 @@ detach_one_lwp (struct lwp_info *lp, int *signo_p) target_pid_to_str (lp->ptid), strsignal (signo)); } - - delete_lwp (lp->ptid); } static int -detach_callback (struct lwp_info *lp, void *data) +detach_and_delete_callback (struct lwp_info *lp, void *data) { /* We don't actually detach from the thread group leader just yet. If the thread group exits, we must reap the zombie clone lwps before we're able to reap the leader. */ if (ptid_get_lwp (lp->ptid) != ptid_get_pid (lp->ptid)) - detach_one_lwp (lp, NULL); + { + detach_one_lwp (lp, NULL); + delete_lwp (lp->ptid); + } return 0; } @@ -1516,7 +1517,7 @@ linux_nat_detach (struct target_ops *ops, const char *args, int from_tty) they're no longer running. */ iterate_over_lwps (pid_to_ptid (pid), stop_wait_callback, NULL); - iterate_over_lwps (pid_to_ptid (pid), detach_callback, NULL); + iterate_over_lwps (pid_to_ptid (pid), detach_and_delete_callback, NULL); /* Only the initial process should be left right now. */ gdb_assert (num_lwps (ptid_get_pid (inferior_ptid)) == 1);
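
Review bot: with the delete_lwp (lp->ptid) call gone from the end of detach_one_lwp (first hunk), the function no longer removes lp from the LWP list, so every caller now owns the deletion, but nothing in the hunk records that. Please say so in the comment above detach_one_lwp and check any callers outside this diff: one that still relies on the old behaviour would now leak the lwp_info rather than free it twice. In detach_and_delete_callback, lp is freed while iterate_over_lwps is still walking the list and the callback returns 0 to continue; it is worth confirming that deleting the current element is tolerated there and noting it in a one-line comment.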
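
Review bot: in linux_nat_detach (second hunk), the gdb_assert (num_lwps (...) == 1) directly after the changed iterate_over_lwps call now holds only because the callback itself deletes each non-leader LWP, where before that was a side effect of detach_one_lwp. The commit message places the read-after-free in the main_lwp path at the end of this function, yet that path is not part of the diff, so the patch alone does not show which delete_lwp call remains for main_lwp. A short comment at that remaining call, or quoting it in the commit message, would make the ownership after this change explicit.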