FreeChainXenon/binutils-gdb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix gdb/python/python.c use-after-free

Browse source 
Valgrind shows:

 ==26964== Invalid read of size 1
 ==26964==    at 0x6E14100: __GI_strcmp (strcmp.S:180)
 ==26964==    by 0x6DB55AA: setlocale (setlocale.c:238)
 ==26964==    by 0x4E0455: _initialize_python() (python.c:1731)
 ==26964==    by 0x786731: initialize_all_files() (init.c:319)
 ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
 ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
 ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
 ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
 ==26964==    by 0x40CAEC: main (gdb.c:32)
 ==26964==  Address 0x81d30a0 is 0 bytes inside a block of size 181 free'd
 ==26964==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
 ==26964==    by 0x6DB5B65: setname (setlocale.c:201)
 ==26964==    by 0x6DB5B65: setlocale (setlocale.c:388)
 ==26964==    by 0x4E037F: _initialize_python() (python.c:1712)
 ==26964==    by 0x786731: initialize_all_files() (init.c:319)
 ==26964==    by 0x72EF0A: gdb_init(char*) (top.c:1929)
 ==26964==    by 0x60BCAC: captured_main(void*) (main.c:863)
 ==26964==    by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234)
 ==26964==    by 0x60C608: gdb_main(captured_main_args*) (main.c:1165)
 ==26964==    by 0x40CAEC: main (gdb.c:32)

The problem is doing this:

  oldloc = setlocale (LC_ALL, NULL);
  setlocale (LC_ALL, "");
  ...
  setlocale (LC_ALL, oldloc);

I.e., the second setlocale call frees 'oldloc'.

From http://pubs.opengroup.org/onlinepubs/9699919799/functions/setlocale.html :

 "The returned string pointer might be invalidated or the string
 content might be overwritten by a subsequent call to setlocale()."

gdb/ChangeLog:
2016-05-03  Pedro Alves <palves@redhat.com>

	PR python/20037
	* python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree
	oldloc.
This commit is contained in:
Pedro Alves 2016-05-03 12:16:56 +01:00
parent 1aa9670288
commit 86f1abec45
2 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
gdb/ChangeLog
View file

@ -1,3 +1,9 @@
2016-05-03 Pedro Alves <palves@redhat.com>
PR python/20037
* python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree
oldloc.
2016-05-03 Pedro Alves <palves@redhat.com>
* python/python.c (_initialize_python) [IS_PY3K]: Remove dead

5
gdb/python/python.c
View file

@ -1708,22 +1708,25 @@ message == an error message without a stack will be printed."),
progname = concat (ldirname (python_libdir), SLASH_STRING, "bin",
SLASH_STRING, "python", (char *) NULL);
#ifdef IS_PY3K
oldloc = setlocale (LC_ALL, NULL);
oldloc = xstrdup (setlocale (LC_ALL, NULL));
setlocale (LC_ALL, "");
progsize = strlen (progname);
progname_copy = (wchar_t *) PyMem_Malloc ((progsize + 1) * sizeof (wchar_t));
if (!progname_copy)
{
xfree (oldloc);
fprintf (stderr, "out of memory\n");
return;
}
count = mbstowcs (progname_copy, progname, progsize + 1);
if (count == (size_t) -1)
{
xfree (oldloc);
fprintf (stderr, "Could not convert python path to string\n");
return;
}
setlocale (LC_ALL, oldloc);
xfree (oldloc);
/* Note that Py_SetProgramName expects the string it is passed to
remain alive for the duration of the program's execution, so