This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



[Bug python/20037] Detected Use-After-Free Error


https://sourceware.org/bugzilla/show_bug.cgi?id=20037

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The gdb-7.11-branch branch has been updated by Pedro Alves
<palves@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=329dec6fc5f2efa83d626583135081b53abe8729

commit 329dec6fc5f2efa83d626583135081b53abe8729
Author: Pedro Alves <palves@redhat.com>
Date:   Tue May 3 12:16:56 2016 +0100

    Fix gdb/python/python.c use-after-free

    Valgrind shows:

     ==26964== Invalid read of size 1
     ==26964==    at 0x6E14100: __GI_strcmp (strcmp.S:180)
     ==26964==    by 0x6DB55AA: setlocale (setlocale.c:238)
     ==26964==    by 0x4E0455: _initialize_python() (python.c:1731)
     ==26964==    by 0x786731: initialize_all_files() (init.c:319)
     ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
     ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
     ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
     ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
     ==26964==    by 0x40CAEC: main (gdb.c:32)
     ==26964==  Address 0x81d30a0 is 0 bytes inside a block of size 181 free'd
     ==26964==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
     ==26964==    by 0x6DB5B65: setname (setlocale.c:201)
     ==26964==    by 0x6DB5B65: setlocale (setlocale.c:388)
     ==26964==    by 0x4E037F: _initialize_python() (python.c:1712)
     ==26964==    by 0x786731: initialize_all_files() (init.c:319)
     ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
     ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
     ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
     ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
     ==26964==    by 0x40CAEC: main (gdb.c:32)

    The problem is doing this:

      oldloc = setlocale (LC_ALL, NULL);
      setlocale (LC_ALL, "");
      ...
      setlocale (LC_ALL, oldloc);

    I.e., the second setlocale call frees 'oldloc'.

    From http://pubs.opengroup.org/onlinepubs/9699919799/functions/setlocale.html :

     "The returned string pointer might be invalidated or the string
     content might be overwritten by a subsequent call to setlocale()."

    gdb/ChangeLog:
    2016-05-03  Pedro Alves <palves@redhat.com>

        PR python/20037
        * python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree
        oldloc.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
