aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPedro Alves <palves@redhat.com>2016-05-03 12:16:56 +0100
committerPedro Alves <palves@redhat.com>2016-05-03 12:16:56 +0100
commit86f1abec458df24ea7d4a38a7b3e21861c5b9bd8 (patch)
treec559abcd6d720378382bd750c7cc1e42918316e1
parent1aa96702887a9c0f66b5d7cab034bf6718796708 (diff)
downloadgdb-86f1abec458df24ea7d4a38a7b3e21861c5b9bd8.zip
gdb-86f1abec458df24ea7d4a38a7b3e21861c5b9bd8.tar.gz
gdb-86f1abec458df24ea7d4a38a7b3e21861c5b9bd8.tar.bz2
Fix gdb/python/python.c use-after-free
Valgrind shows: ==26964== Invalid read of size 1 ==26964== at 0x6E14100: __GI_strcmp (strcmp.S:180) ==26964== by 0x6DB55AA: setlocale (setlocale.c:238) ==26964== by 0x4E0455: _initialize_python() (python.c:1731) ==26964== by 0x786731: initialize_all_files() (init.c:319) ==26964== by 0x72EF0A: gdb_init(char*) (top.c:1929) ==26964== by 0x60BCAC: captured_main(void*) (main.c:863) ==26964== by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234) ==26964== by 0x60C608: gdb_main(captured_main_args*) (main.c:1165) ==26964== by 0x40CAEC: main (gdb.c:32) ==26964== Address 0x81d30a0 is 0 bytes inside a block of size 181 free'd ==26964== at 0x4C29CF0: free (vg_replace_malloc.c:530) ==26964== by 0x6DB5B65: setname (setlocale.c:201) ==26964== by 0x6DB5B65: setlocale (setlocale.c:388) ==26964== by 0x4E037F: _initialize_python() (python.c:1712) ==26964== by 0x786731: initialize_all_files() (init.c:319) ==26964== by 0x72EF0A: gdb_init(char*) (top.c:1929) ==26964== by 0x60BCAC: captured_main(void*) (main.c:863) ==26964== by 0x606AD5: catch_errors(int (*)(void*), void*, char*, return_mask) (exceptions.c:234) ==26964== by 0x60C608: gdb_main(captured_main_args*) (main.c:1165) ==26964== by 0x40CAEC: main (gdb.c:32) The problem is doing this: oldloc = setlocale (LC_ALL, NULL); setlocale (LC_ALL, ""); ... setlocale (LC_ALL, oldloc); I.e., the second setlocale call frees 'oldloc'. From http://pubs.opengroup.org/onlinepubs/9699919799/functions/setlocale.html : "The returned string pointer might be invalidated or the string content might be overwritten by a subsequent call to setlocale()." gdb/ChangeLog: 2016-05-03 Pedro Alves <palves@redhat.com> PR python/20037 * python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree oldloc.
-rw-r--r--gdb/ChangeLog6
-rw-r--r--gdb/python/python.c5
2 files changed, 10 insertions, 1 deletions
diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index c5b7325..8627cb7 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,5 +1,11 @@
2016-05-03 Pedro Alves <palves@redhat.com>
+ PR python/20037
+ * python/python.c (_initialize_python) [IS_PY3K]: xstrdup/xfree
+ oldloc.
+
+2016-05-03 Pedro Alves <palves@redhat.com>
+
* python/python.c (_initialize_python) [IS_PY3K]: Remove dead
code.
diff --git a/gdb/python/python.c b/gdb/python/python.c
index ea9cf85..c706644 100644
--- a/gdb/python/python.c
+++ b/gdb/python/python.c
@@ -1708,22 +1708,25 @@ message == an error message without a stack will be printed."),
progname = concat (ldirname (python_libdir), SLASH_STRING, "bin",
SLASH_STRING, "python", (char *) NULL);
#ifdef IS_PY3K
- oldloc = setlocale (LC_ALL, NULL);
+ oldloc = xstrdup (setlocale (LC_ALL, NULL));
setlocale (LC_ALL, "");
progsize = strlen (progname);
progname_copy = (wchar_t *) PyMem_Malloc ((progsize + 1) * sizeof (wchar_t));
if (!progname_copy)
{
+ xfree (oldloc);
fprintf (stderr, "out of memory\n");
return;
}
count = mbstowcs (progname_copy, progname, progsize + 1);
if (count == (size_t) -1)
{
+ xfree (oldloc);
fprintf (stderr, "Could not convert python path to string\n");
return;
}
setlocale (LC_ALL, oldloc);
+ xfree (oldloc);
/* Note that Py_SetProgramName expects the string it is passed to
remain alive for the duration of the program's execution, so