Message ID | 20170323141724.1707affa@ThinkPad |
---|---|
State | New, archived |
Headers | Date: Thu, 23 Mar 2017 14:17:24 +0100; From: Philipp Rudo <prudo@linux.vnet.ibm.com>; To: Pedro Alves <palves@redhat.com>; Cc: gdb-patches@sourceware.org; Subject: [PATCH v2] Fix read after xfree in linux_nat_detach |
Commit Message
Philipp Rudo
March 23, 2017, 1:17 p.m. UTC
On Wed, 22 Mar 2017 17:26:27 +0000
Pedro Alves <palves@redhat.com> wrote:

> On 03/22/2017 05:16 PM, Philipp Rudo wrote:
>
> > Looks like we can get simply rid of it. I'll see that I get a test
> > case running which forks to verify it, tomorrow.
>
> This forks handling is the support for the "checkpoint" &
> friends commands, covered by gdb.base/checkpoint.exp.
> Doesn't seem to exercise detach yet though, unfortunately.

I double checked, the same bug also happens when checkpointing. The
fix now is simply to remove delete_lwp at the end of linux_nat_detach.

Although testing detach would be good, I'm not sure if the testsuite
would have found this bug.

---

From ee3dced0b22cc1edb10a82aeb79ae35d78d665bc Mon Sep 17 00:00:00 2001
From: Philipp Rudo <prudo@linux.vnet.ibm.com>
Date: Wed, 22 Mar 2017 13:53:50 +0100
Subject: [PATCH v2] Fix read after xfree in linux_nat_detach

At the end of linux_nat_detach the main_lwp is deleted (delete_lwp).
This is problematic as during detach (detach_one_lwp and
linux_fork_detach) main_lwp already gets freed. Thus calling
delete_lwp causes a read after free. Fix it by removing the
unnecessary delete_lwp.

gdb/ChangeLog:
	* linux-nat.c (linux_nat_detach): delete_lwp causes read after
	free. Remove it.
---
 gdb/linux-nat.c | 1 -
 1 file changed, 1 deletion(-)
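The ownership mistake the commit message describes, as an added example that is not part of the original thread and is not GDB source: a toy LWP list in which the detach helper frees its argument, so a trailing `delete_lwp (main_lwp->ptid)` reads freed memory. The struct layout, the `int` ptid and `add_lwp` are assumptions made for the illustration.

```c
/* Toy model of the linux_nat_detach bug; an illustration, not GDB source. */
#include <stdio.h>
#include <stdlib.h>
struct lwp { int ptid; struct lwp *next; };   /* assumed minimal layout */
static struct lwp *lwp_list;

struct lwp *add_lwp(int ptid)
{
    struct lwp *l = malloc(sizeof *l);
    if (l == NULL)
        abort();
    l->ptid = ptid;
    l->next = lwp_list;
    return lwp_list = l;
}

/* Unlink and free the entry for PTID; return 1 if it was listed. */
int delete_lwp(int ptid)
{
    for (struct lwp **pp = &lwp_list; *pp != NULL; pp = &(*pp)->next)
        if ((*pp)->ptid == ptid) {
            struct lwp *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 1;
        }
    return 0;
}

/* Model of the detach helper: it frees the LWP it is handed. */
void detach_one_lwp(struct lwp *l) { delete_lwp(l->ptid); }

/* Before the patch: main_lwp is freed by the helper, then dereferenced. */
void detach_before_patch(struct lwp *main_lwp)
{
    detach_one_lwp(main_lwp);
    delete_lwp(main_lwp->ptid);   /* read after free; never called here */
}

/* After the patch: the helper's cleanup is the only cleanup. */
void detach_after_patch(struct lwp *main_lwp) { detach_one_lwp(main_lwp); }

int main(void)
{
    add_lwp(101);
    detach_after_patch(add_lwp(100));
    printf("delete_lwp(100) after detach: %d\n", delete_lwp(100));
    return 0;
}
```

Built with `-fsanitize=address` or run under Valgrind, a call to `detach_before_patch` is reported at the `main_lwp->ptid` read.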
Comments
OK.
Hi,

I ran gdb under Valgrind and noticed that this patch hadn't
been pushed yet. I've pushed it now.

FYI, for some reason the patch was corrupt and I had to
recreate it by hand:

 $ git am prudo
 Applying: Fix read after xfree in linux_nat_detach
 fatal: corrupt patch at line 26
 Patch failed at 0001 Fix read after xfree in linux_nat_detach

Thanks,
Pedro Alves

On 03/23/2017 01:42 PM, Pedro Alves wrote:
> OK.
Hi Pedro,

thanks for pushing.

I think I found the reason the patch didn't apply. Instead of git send-email I
just copy/pasted this patch to my mail client and it decided that it would be a
good idea to wrap long lines ...

> >> @@ -1549,7 +1549,6 @@ linux_nat_detach (struct target_ops *ops, const
> >> char *args, int from_tty)

Anyway I updated my settings so it shouldn't happen in the future.

Thanks for the hint and sorry for the inconvenience.

Thanks a lot
Philipp

On Tue, 11 Apr 2017 14:31:10 +0100
Pedro Alves <palves@redhat.com> wrote:

> Hi,
>
> I ran gdb under Valgrind and noticed that this patch hadn't
> been pushed yet. I've pushed it now.
>
> FYI, for some reason the patch was corrupt and I had to
> recreate it by hand:
>
>  $ git am prudo
>  Applying: Fix read after xfree in linux_nat_detach
>  fatal: corrupt patch at line 26
>  Patch failed at 0001 Fix read after xfree in linux_nat_detach
>
> Thanks,
> Pedro Alves
diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c index dff0da5..efe7daf 100644 --- a/gdb/linux-nat.c +++ b/gdb/linux-nat.c @@ -1549,7 +1549,6 @@ linux_nat_detach (struct target_ops *ops, const char *args, int from_tty) inf_ptrace_detach_success (ops); } - delete_lwp (main_lwp->ptid); } /* Resume execution of the inferior process. If STEP is nonzero,
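Review bot: With the `delete_lwp (main_lwp->ptid);` line removed from the tail of linux_nat_detach, nothing in the function records that main_lwp has already been freed by the detach paths named in the commit message (detach_one_lwp and linux_fork_detach), so a later cleanup could reintroduce the dereference. Consider a short comment before the closing brace stating that main_lwp must not be used past that point. The thread also notes that gdb.base/checkpoint.exp does not exercise detach; a detach step there, run under Valgrind as was done before pushing, would keep this covered, since a read after free need not crash on its own.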