From patchwork Wed Nov 28 17:24:12 2018
X-Patchwork-Submitter: Tom Tromey
X-Patchwork-Id: 30362
From: Tom Tromey
To: gdb-patches@sourceware.org
Cc: Tom Tromey
Subject: [PATCH] Fix use-after-free in gdbserver
Date: Wed, 28 Nov 2018 10:24:12 -0700
Message-Id: <20181128172412.9353-1-tom@tromey.com>

-fsanitize=address pointed out a use-after-free in gdbserver.  In
particular, handle_detach could reference "process" after it was
deleted by detach_inferior.

Avoiding this also necessitated changing target_ops::join to take a
pid rather than a process_info*.

Tested by the buildbot using a few of the gdbserver builders.

gdb/gdbserver/ChangeLog
2018-11-28  Tom Tromey

	* win32-low.c (win32_join): Take pid, not process.
	* target.h (struct target_ops) : Change argument type.
	(join_inferior): Change argument name.
	* spu-low.c (spu_join): Take pid, not process.
	* server.c (handle_detach): Preserve pid before destroying process.
	* lynx-low.c (lynx_join): Take pid, not process.
	* linux-low.c (linux_join): Take pid, not process.
---
 gdb/gdbserver/ChangeLog   | 11 +++++++++++
 gdb/gdbserver/linux-low.c |  4 ++--
 gdb/gdbserver/lynx-low.c  |  2 +-
 gdb/gdbserver/server.c    | 10 +++++++---
 gdb/gdbserver/spu-low.c   |  4 ++--
 gdb/gdbserver/target.h    |  8 ++++----
 gdb/gdbserver/win32-low.c |  4 ++--
 7 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/gdb/gdbserver/linux-low.c b/gdb/gdbserver/linux-low.c index 701f3e863c..4d849279ca 100644 --- a/gdb/gdbserver/linux-low.c +++ b/gdb/gdbserver/linux-low.c
@@ -1670,12 +1670,12 @@ linux_mourn (struct process_info *process) } static void -linux_join (process_info *proc) +linux_join (int pid) { int status, ret; do { - ret = my_waitpid (proc->pid, &status, 0); + ret = my_waitpid (pid, &status, 0); if (WIFEXITED (status) || WIFSIGNALED (status)) break; } while (ret != -1 || errno != ECHILD); diff --git a/gdb/gdbserver/lynx-low.c b/gdb/gdbserver/lynx-low.c index 6c5933bc47..3bf3588a71 100644 --- a/gdb/gdbserver/lynx-low.c +++ b/gdb/gdbserver/lynx-low.c @@ -562,7 +562,7 @@ lynx_mourn (struct process_info *proc) /* Implement the join target_ops method. */ static void -lynx_join (process_info *proc) +lynx_join (int pid) { /* The PTRACE_DETACH is sufficient to detach from the process. So no need to do anything extra. */ diff --git a/gdb/gdbserver/server.c b/gdb/gdbserver/server.c index 4ec3548d64..a0be0d4f7e 100644 --- a/gdb/gdbserver/server.c +++ b/gdb/gdbserver/server.c @@ -1255,11 +1255,15 @@ handle_detach (char *own_buf) fprintf (stderr, "Detaching from process %d\n", process->pid); stop_tracing (); + + /* We'll need this after PROCESS has been destroyed. */ + int pid = process->pid; + if (detach_inferior (process) != 0) write_enn (own_buf); else { - discard_queued_stop_replies (ptid_t (process->pid)); + discard_queued_stop_replies (ptid_t (pid)); write_ok (own_buf); if (extended_protocol || target_running ()) @@ -1269,7 +1273,7 @@ handle_detach (char *own_buf) and instead treat this like a normal program exit. */ cs.last_status.kind = TARGET_WAITKIND_EXITED; cs.last_status.value.integer = 0; - cs.last_ptid = ptid_t (process->pid); + cs.last_ptid = ptid_t (pid); current_thread = NULL; } @@ -1281,7 +1285,7 @@ handle_detach (char *own_buf) /* If we are attached, then we can exit. Otherwise, we need to hang around doing nothing, until the child is gone. */ - join_inferior (process); + join_inferior (pid); exit (0); } } diff --git a/gdb/gdbserver/spu-low.c b/gdb/gdbserver/spu-low.c index 83a31a203d..239c212639 100644 
--- a/gdb/gdbserver/spu-low.c +++ b/gdb/gdbserver/spu-low.c @@ -362,12 +362,12 @@ spu_mourn (struct process_info *process) } static void -spu_join (process_info *proc) +spu_join (int pid) { int status, ret; do { - ret = waitpid (proc->pid, &status, 0); + ret = waitpid (pid, &status, 0); if (WIFEXITED (status) || WIFSIGNALED (status)) break; } while (ret != -1 || errno != ECHILD); diff --git a/gdb/gdbserver/target.h b/gdb/gdbserver/target.h index fce54e05ad..6f810b6db9 100644 --- a/gdb/gdbserver/target.h +++ b/gdb/gdbserver/target.h @@ -103,9 +103,9 @@ struct target_ops void (*mourn) (struct process_info *proc); - /* Wait for process PROC to exit. */ + /* Wait for process PID to exit. */ - void (*join) (process_info *proc); + void (*join) (int pid); /* Return 1 iff the thread with process ID PID is alive. */ @@ -530,8 +530,8 @@ int kill_inferior (process_info *proc); #define store_inferior_registers(regcache, regno) \ (*the_target->store_registers) (regcache, regno) -#define join_inferior(proc) \ - (*the_target->join) (proc) +#define join_inferior(pid) \ + (*the_target->join) (pid) #define target_supports_non_stop() \ (the_target->supports_non_stop ? (*the_target->supports_non_stop ) () : 0) diff --git a/gdb/gdbserver/win32-low.c b/gdb/gdbserver/win32-low.c index 4aed58d3b8..1ad71c7be9 100644 --- a/gdb/gdbserver/win32-low.c +++ b/gdb/gdbserver/win32-low.c @@ -873,9 +873,9 @@ win32_mourn (struct process_info *process) /* Implementation of target_ops::join. */ static void -win32_join (process_info *proc) +win32_join (int pid) { - HANDLE h = OpenProcess (PROCESS_ALL_ACCESS, FALSE, proc->pid); + HANDLE h = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pid); if (h != NULL) { WaitForSingleObject (h, INFINITE);
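Review bot: in the linux-low.c hunk at @@ -1670 (linux_join), `status` is tested with WIFEXITED/WIFSIGNALED on every iteration, including one where my_waitpid returned -1 and left it untouched, and `int status, ret;` leaves it uninitialized the first time that happens. The change itself only swaps `proc->pid` for `pid` and is correct, but since the loop is being edited it would be cheap to guard the test, e.g. `if (ret > 0 && (WIFEXITED (status) || WIFSIGNALED (status))) break;`. The spu-low.c hunk at @@ -362 (spu_join) has the identical loop and would want the same treatment.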
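Review bot: in the server.c hunk at @@ -1255 (handle_detach), the new `int pid = process->pid;` is placed after `fprintf (stderr, "Detaching from process %d\n", process->pid);`, so the function still dereferences `process` in two separate places before detach_inferior. Hoisting the declaration above the fprintf and printing `pid` there leaves a single read of the process_info ahead of the call that may free it, which makes it easier to audit that nothing touches `process` afterwards. The comment explaining why the pid is cached is exactly the kind of note the next reader of this code needs; keep it.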
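Review bot: in the target.h hunk at @@ -103, the updated comment `/* Wait for process PID to exit. */` matches the new signature, but the reason for the signature change (the commit message says the process_info may already have been destroyed by the time join runs) is not recorded at the interface. Consider extending the comment to say that implementations receive only the pid because the corresponding process_info may no longer exist, so backend authors do not reintroduce a lookup of the freed object.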
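Review bot: in the win32-low.c hunk at @@ -873 (win32_join), `OpenProcess (PROCESS_ALL_ACCESS, FALSE, pid)` requests far more access than the `WaitForSingleObject (h, INFINITE)` that follows needs; waiting on a process handle requires only the `SYNCHRONIZE` right, and requesting just that also succeeds in more restrictive ACL situations where PROCESS_ALL_ACCESS would fail and silently skip the wait. This predates the patch, but the line is being rewritten anyway, so tightening the requested access here is a one-token change.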