| Message ID | 20230414151709.30352-1-jan.vrany@labware.com |
|---|---|
| State | New |
| Headers |
Return-Path: <gdb-patches-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 6B6733857722 for <patchwork@sourceware.org>; Fri, 14 Apr 2023 15:17:46 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 6B6733857722 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1681485466; bh=NKTobG3TnVChDuMaLaDH9xU8tCJfnyAWkzNEM6bxfmA=; h=To:CC:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=lMUf/jKnYOxudyGgm1N2kCPg0YsnEhcJNiPkv3YmN3ArXrO7xmLFLZU4/QXkjLTpt Ru19whfeCcWJmFDeclixq2oMWHeudua66LRPz+7uEtU2/q6F1zQPFECk88WHFyDDdo RxZNhhtaSEXDPv1dFEpaK41KYejR/0Rdj4oKOGTU= X-Original-To: gdb-patches@sourceware.org Delivered-To: gdb-patches@sourceware.org Received: from us-smtp-delivery-114.mimecast.com (us-smtp-delivery-114.mimecast.com [170.10.133.114]) by sourceware.org (Postfix) with ESMTPS id EC89B3858D32 for <gdb-patches@sourceware.org>; Fri, 14 Apr 2023 15:17:21 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org EC89B3858D32 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2169.outbound.protection.outlook.com [104.47.58.169]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-460-y9nP2qMxN4yOAqddJqEp1g-1; Fri, 14 Apr 2023 11:17:20 -0400 X-MC-Unique: y9nP2qMxN4yOAqddJqEp1g-1 Received: from SN7PR17MB6559.namprd17.prod.outlook.com (2603:10b6:806:350::13) by SN7PR17MB6820.namprd17.prod.outlook.com (2603:10b6:806:2dd::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.30; Fri, 14 Apr 2023 15:17:17 +0000 Received: from SN7PR17MB6559.namprd17.prod.outlook.com ([fe80::13ad:be72:1d43:1189]) by SN7PR17MB6559.namprd17.prod.outlook.com ([fe80::13ad:be72:1d43:1189%6]) with mapi id 15.20.6298.030; Fri, 14 Apr 2023 15:17:17 +0000 To: gdb-patches@sourceware.org CC: Wenyan.Xin@windriver.com, Jan Vrany <jan.vrany@labware.com> Subject: [PATCH] gdb: fix post-hook execution for remote targets Date: Fri, 14 Apr 2023 17:17:09 +0200 Message-ID: <20230414151709.30352-1-jan.vrany@labware.com> X-Mailer: git-send-email 2.39.2 X-ClientProxiedBy: LO4P265CA0027.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:2ae::17) To SN7PR17MB6559.namprd17.prod.outlook.com (2603:10b6:806:350::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SN7PR17MB6559:EE_|SN7PR17MB6820:EE_ X-MS-Office365-Filtering-Correlation-Id: 0c3e3914-2b65-4891-83ef-08db3cfb558a X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0 X-Microsoft-Antispam-Message-Info: RRzQ5D8IsHaoPwqoYePaR42mrY8Y5DVormZYoFljnASNB2hywHGAW1Uh/TQn49Z/kAtmO4U0rsWgZdGmNpYbE1v6LsoLhYqho0v10kfc+UuzMxJ1mrYwIHhmiUNvyUAgaDsgVr0ShfGChuwGy5XCdzDQyBll43OhWZkXudCNp/uQHICHIKSG1uir7z2ZUxDhUx2d7KPUZ3/abFbf0vzpTyhT8nkdxAcOylzTc29Nw4p0NJiImwmarPSL811MVGOAUiSY8rF/ToquxlkkMTUbwh68jGKzDYFtTpV+kAKri22Bx+wB9eMiDJ4CLanHLkFIpkWETZuWVUlcWhBxxUwaA2xscUy/+0gt0uCpYY+yXq0wTuVrX22tQlXiEE5nAddFneqGqbBcJCj3p50+1Gemzt/Wh14R6dj/SBIq9P/cD75+6w76kH61Pw+nJz41+ssv2sfbXh0ZCNobfX5zu/ABbAIZIPwaXIlajmsu5i/pOkPv4oOmkvEl/xa4GOJjx56lHWZAdns544glJ5c8T+jzv+2QpqK4u5+efbtmDsa6I0o= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN7PR17MB6559.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(376002)(39850400004)(136003)(346002)(366004)(396003)(451199021)(316002)(41300700001)(6506007)(1076003)(6512007)(86362001)(26005)(38100700002)(6486002)(186003)(6666004)(966005)(107886003)(2616005)(66556008)(66476007)(83380400001)(66946007)(6916009)(4326008)(36756003)(8936002)(8676002)(5660300002)(84970400001)(2906002)(44832011)(478600001); DIR:OUT; SFP:1101 X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 81tj+FmNN5se3uP7aJa9r8I+HarAY7/nVMBa+RAmRSeZjlrBri3pqLKXH/KhNDgV2XyhH/bZgVX3H0shyF4SAYLoX0In/QPzlD85ZcrxBD/fc/2uEeIQluYA2lvNpPpzlCQWh6I1ihEbMPt5TD8GFGpCyq7mY1exeWH5uagAPWXES4HZVU6tDS+lQ/BZhzt4JtzFnALyXsv8VyYFhIK38kBweZVVh60gWQhN8bZXGHNdTHvwNokvdNpMqXyyJejqVgO3iHORD5rTnhRRx7q4MbK5Wbv7EWW2YSty4tU30/42pOe5y6CvVeRaRFZYbpFRLdetJr7wSzGz4y7qxj/f6XrmDn3DsfXhlVHIiOQNM5Uvs7pR5LFC8m3+M5SPe/Cz3qit7cM6R2fpTaQZ3pTQfmcTkOKgucX8Q7NfUHeugMitI/XovOFKex+yUIYiJbUQbSMQbWFHVU2h10312/+Ddsb+ZZvHwuW8xBpzpudGN57y3b4li/1WGA62SnCX8NmwWzQz+4rHXeLLRX9uSQFnZwnRqw0UmhorsYkOgy+m2rFCmEI7KtITrYUwJyUsBAHh4M2gPeyvVXyUbYTRKfCIZidMo/iKcy4D02bLtXDu5e/xbbPsNfSH4EV7cpR1bdAB4e6b+Qlz1eF5dZ2Q60qEsG9dDFiVHmxHfIyBXIjiVFBXUYKmzvY2uv1frffZkhu9AMTzvWobkckKySxJHGQ5KPfbjgMMdXr4xBzUlYbabHQxiAT26q6l1Z1jo8c10xjKW7/3Sq8Qlht7+r7MrhIiZ5G0FzSfY0ioUguAEJyzFRlGaNCyJu+nCfyIdzUK5WU7Qn7od7q2snH4l6pp3+lPw8YwOj09Uk9rIFtY/qH1D8jeVAHByCx9yKXlTpisgFgQWtI60z0PfnvmRaPB7v9NNviSX29D6moSV/QSs76hVROExrlJgQIoIbRMtkPUhGWQjHBSaUqskpq4rjTXklib8woUwZLFvpD4lBQnxx126l75OzsaKTvPiUQpZqTFrbwlt5ClAti0Bq0P9EI3gb0zoEwbvrFCaA05oHZKvQchr5c5LFqXleuy/cirhskhv2JN2WB1UbBrGlbHlKuFmv/kd48VEWAzEirYg+H/vtadhyaP7Y2UBtdhzUfgWsxjVRMoEzbE2zDSokCqP4JwAwbWSY4tE+qdKNGBF93lyAsyES/CTyaONpSKEAJFj9ptplRv0O3HJyZo4YsOwmNbGthIuPQlQz6lDMenlC4XlSScbj06KT+ZvaVYFP/ZimTfYRdd1XHg2iZiyB9v+iIzpDZxOn0iVY5X0UhFhJbUniCpdovYkyTh+IDoAIzzxqre3XVsXOZPAw974R7i6nSre+tGnrVZeXvrSQbIzZ+WlwunMy0VyQ50jfQHCImuw6BPLWxNF0TZTBJCAWXxJ8FLQrAF4dE1Kbbgq5X29cYbSh5qf2+AZn4ltysW4MeeDFwM8Fbh7iIX08c56IFLFYBuCvYc+IorJ4ucl0lSr0D4kRhjTjht2O/H1vxLNadV6r4GhZMfusdbd4iCZkuElBArxjIIwY2vOLRVrJr3WV27F3o9sNXZzyuu1SVsGbgFw7ygfvZa X-OriginatorOrg: labware.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0c3e3914-2b65-4891-83ef-08db3cfb558a X-MS-Exchange-CrossTenant-AuthSource: SN7PR17MB6559.namprd17.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Apr 2023 15:17:17.4693 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: b5db0322-1aa0-4c0a-859c-ad0f96966f4c X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: p6PfiJMZpaW/6yoxzAk07GSWC7kouLRlVXGLY9+aMr34unrVl/+DQ122thWJvCGU9U0+vjWpwy4PBBh326UurQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR17MB6820 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: labware.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=WINDOWS-1252 X-Spam-Status: No, score=-12.7 required=5.0 tests=BAYES_00, GIT_PATCH_0, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list <gdb-patches.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/gdb-patches>, <mailto:gdb-patches-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/gdb-patches/> List-Post: <mailto:gdb-patches@sourceware.org> List-Help: <mailto:gdb-patches-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/gdb-patches>, <mailto:gdb-patches-request@sourceware.org?subject=subscribe> From: Jan Vrany via Gdb-patches <gdb-patches@sourceware.org> Reply-To: Jan Vrany <jan.vrany@labware.com> Errors-To: gdb-patches-bounces+patchwork=sourceware.org@sourceware.org Sender: "Gdb-patches" <gdb-patches-bounces+patchwork=sourceware.org@sourceware.org> |
| Series |
gdb: fix post-hook execution for remote targets
|
|
Commit Message
Jan Vrany
April 14, 2023, 3:17 p.m. UTC
Commit b5661ff2 ("gdb: fix possible use-after-free when
executing commands") attempted to fix possible use-after-free
in case command redefines itself.
Commit 37e5833d ("gdb: fix command lookup in execute_command ()")
updated the previous fix to handle subcommands as well by using the
original command string to lookup the command again after its execution.
This fixed the test in gdb.base/define.exp but it turned out that it
does not work (at least) for "target remote" and "target extended-remote".
The problem is that the command buffer P passed to execute_command ()
gets overwritten in dont_repeat () while executing "target remote"
command itself:
#0 dont_repeat () at top.c:822
#1 0x000055555730982a in target_preopen (from_tty=1) at target.c:2483
#2 0x000055555711e911 in remote_target::open_1 (name=0x55555881c7fe ":1234", from_tty=1, extended_p=0)
at remote.c:5946
#3 0x000055555711d577 in remote_target::open (name=0x55555881c7fe ":1234", from_tty=1) at remote.c:5272
#4 0x00005555573062f2 in open_target (args=0x55555881c7fe ":1234", from_tty=1, command=0x5555589d0490)
at target.c:853
#5 0x0000555556ad22fa in cmd_func (cmd=0x5555589d0490, args=0x55555881c7fe ":1234", from_tty=1)
at cli/cli-decode.c:2737
#6 0x00005555573487fd in execute_command (p=0x55555881c802 "4", from_tty=1) at top.c:688
Therefore the second call to lookup_cmd () at line 697 fails to find
command because the original command string is gone.
This commit addresses this particular problem by creating a *copy* of
original command string for the sole purpose of using it after command
execution to lookup the command again. It may not be the most efficient
way but it's safer given that command buffer is shared and overwritten
in hard-to-foresee situations.
Tested on x86_64-linux.
PR 30249
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30249
---
gdb/top.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Polite ping. Jan On Fri, 2023-04-14 at 17:17 +0200, Jan Vrany wrote: > Commit b5661ff2 ("gdb: fix possible use-after-free when > executing commands") attempted to fix possible use-after-free > in case command redefines itself. > > Commit 37e5833d ("gdb: fix command lookup in execute_command ()") > updated the previous fix to handle subcommands as well by using the > original command string to lookup the command again after its execution. > > This fixed the test in gdb.base/define.exp but it turned out that it > does not work (at least) for "target remote" and "target extended-remote". > > The problem is that the command buffer P passed to execute_command () > gets overwritten in dont_repeat () while executing "target remote" > command itself: > > #0 dont_repeat () at top.c:822 > #1 0x000055555730982a in target_preopen (from_tty=1) at target.c:2483 > #2 0x000055555711e911 in remote_target::open_1 (name=0x55555881c7fe ":1234", from_tty=1, extended_p=0) > at remote.c:5946 > #3 0x000055555711d577 in remote_target::open (name=0x55555881c7fe ":1234", from_tty=1) at remote.c:5272 > #4 0x00005555573062f2 in open_target (args=0x55555881c7fe ":1234", from_tty=1, command=0x5555589d0490) > at target.c:853 > #5 0x0000555556ad22fa in cmd_func (cmd=0x5555589d0490, args=0x55555881c7fe ":1234", from_tty=1) > at cli/cli-decode.c:2737 > #6 0x00005555573487fd in execute_command (p=0x55555881c802 "4", from_tty=1) at top.c:688 > > Therefore the second call to lookup_cmd () at line 697 fails to find > command because the original command string is gone. > > This commit addresses this particular problem by creating a *copy* of > original command string for the sole purpose of using it after command > execution to lookup the command again. It may not be the most efficient > way but it's safer given that command buffer is shared and overwritten > in hard-to-foresee situations. > > Tested on x86_64-linux. > > PR 30249 > Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30249 > --- > gdb/top.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/gdb/top.c b/gdb/top.c > index 81f74f72f61..63798789553 100644 > --- a/gdb/top.c > +++ b/gdb/top.c > @@ -575,6 +575,7 @@ execute_command (const char *p, int from_tty) > struct cmd_list_element *c; > const char *line; > const char *cmd_start = p; > + std::string cmd_copy = p; > > auto cleanup_if_error = make_scope_exit (bpstat_clear_actions); > scoped_value_mark cleanup = prepare_execute_command (); > @@ -692,7 +693,7 @@ execute_command (const char *p, int from_tty) > We need to lookup the command again since during its execution, > a command may redefine itself. In this case, C pointer > becomes invalid so we need to look it up again. */ > - const char *cmd2 = cmd_start; > + const char *cmd2 = cmd_copy.c_str (); > c = lookup_cmd (&cmd2, cmdlist, "", nullptr, 1, 1); > if (c != nullptr) > execute_cmd_post_hook (c);
Polite ping 2. Jan On Wed, 2023-05-03 at 15:40 +0100, Jan Vrany wrote: > Polite ping. > > Jan > > On Fri, 2023-04-14 at 17:17 +0200, Jan Vrany wrote: > > Commit b5661ff2 ("gdb: fix possible use-after-free when > > executing commands") attempted to fix possible use-after-free > > in case command redefines itself. > > > > Commit 37e5833d ("gdb: fix command lookup in execute_command ()") > > updated the previous fix to handle subcommands as well by using the > > original command string to lookup the command again after its execution. > > > > This fixed the test in gdb.base/define.exp but it turned out that it > > does not work (at least) for "target remote" and "target extended-remote". > > > > The problem is that the command buffer P passed to execute_command () > > gets overwritten in dont_repeat () while executing "target remote" > > command itself: > > > > #0 dont_repeat () at top.c:822 > > #1 0x000055555730982a in target_preopen (from_tty=1) at target.c:2483 > > #2 0x000055555711e911 in remote_target::open_1 (name=0x55555881c7fe ":1234", from_tty=1, extended_p=0) > > at remote.c:5946 > > #3 0x000055555711d577 in remote_target::open (name=0x55555881c7fe ":1234", from_tty=1) at remote.c:5272 > > #4 0x00005555573062f2 in open_target (args=0x55555881c7fe ":1234", from_tty=1, command=0x5555589d0490) > > at target.c:853 > > #5 0x0000555556ad22fa in cmd_func (cmd=0x5555589d0490, args=0x55555881c7fe ":1234", from_tty=1) > > at cli/cli-decode.c:2737 > > #6 0x00005555573487fd in execute_command (p=0x55555881c802 "4", from_tty=1) at top.c:688 > > > > Therefore the second call to lookup_cmd () at line 697 fails to find > > command because the original command string is gone. > > > > This commit addresses this particular problem by creating a *copy* of > > original command string for the sole purpose of using it after command > > execution to lookup the command again. It may not be the most efficient > > way but it's safer given that command buffer is shared and overwritten > > in hard-to-foresee situations. > > > > Tested on x86_64-linux. > > > > PR 30249 > > Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30249 > > --- > > gdb/top.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/gdb/top.c b/gdb/top.c > > index 81f74f72f61..63798789553 100644 > > --- a/gdb/top.c > > +++ b/gdb/top.c > > @@ -575,6 +575,7 @@ execute_command (const char *p, int from_tty) > > struct cmd_list_element *c; > > const char *line; > > const char *cmd_start = p; > > + std::string cmd_copy = p; > > > > auto cleanup_if_error = make_scope_exit (bpstat_clear_actions); > > scoped_value_mark cleanup = prepare_execute_command (); > > @@ -692,7 +693,7 @@ execute_command (const char *p, int from_tty) > > We need to lookup the command again since during its execution, > > a command may redefine itself. In this case, C pointer > > becomes invalid so we need to look it up again. */ > > - const char *cmd2 = cmd_start; > > + const char *cmd2 = cmd_copy.c_str (); > > c = lookup_cmd (&cmd2, cmdlist, "", nullptr, 1, 1); > > if (c != nullptr) > > execute_cmd_post_hook (c); >
>>>>> "Jan" == Jan Vrany via Gdb-patches <gdb-patches@sourceware.org> writes:
Sorry about the delay on this.
Jan> The problem is that the command buffer P passed to execute_command ()
Jan> gets overwritten in dont_repeat () while executing "target remote"
Jan> command itself:
Jan> #0 dont_repeat () at top.c:822
I wonder if it would be possible to reimplement dont_repeat so that it
does not overwrite the command. Like, could it just set a flag?
Jan> @@ -575,6 +575,7 @@ execute_command (const char *p, int from_tty)
Jan> struct cmd_list_element *c;
Jan> const char *line;
Jan> const char *cmd_start = p;
Jan> + std::string cmd_copy = p;
A bit after this, there's a null check for p:
/* This can happen when command_line_input hits end of file. */
if (p == NULL)
{
cleanup_if_error.release ();
return;
}
If that can really happen, then cmd_copy has to be created afterward the
check.
Is it possible to write a test case for this? Even one that only fails
with ASAN?
Tom
diff --git a/gdb/top.c b/gdb/top.c index 81f74f72f61..63798789553 100644 --- a/gdb/top.c +++ b/gdb/top.c @@ -575,6 +575,7 @@ execute_command (const char *p, int from_tty) struct cmd_list_element *c; const char *line; const char *cmd_start = p; + std::string cmd_copy = p; auto cleanup_if_error = make_scope_exit (bpstat_clear_actions); scoped_value_mark cleanup = prepare_execute_command (); @@ -692,7 +693,7 @@ execute_command (const char *p, int from_tty) We need to lookup the command again since during its execution, a command may redefine itself. In this case, C pointer becomes invalid so we need to look it up again. */ - const char *cmd2 = cmd_start; + const char *cmd2 = cmd_copy.c_str (); c = lookup_cmd (&cmd2, cmdlist, "", nullptr, 1, 1); if (c != nullptr) execute_cmd_post_hook (c);