author | Tom Tromey <tom@tromey.com> | 2018-07-29 19:21:01 -0600 |
---|---|---|
committer | Tom Tromey <tom@tromey.com> | 2018-11-29 10:47:42 -0700 |
commit | d105de22fc385da878e8db44c9503a7f30419322 (patch) | |
tree | 0c14538cb98df9bb05c66cef9ca25286feab9bf7 /gdb/gdbserver/server.c | |
parent | e368bf56d38afecd1ac0e19c9e9cb54e2bb4fad2 (diff) | |
Fix use-after-free in gdbserver

-fsanitize=address pointed out a use-after-free in gdbserver. In
particular, handle_detach could reference "process" after it was
deleted by detach_inferior. Avoiding this also necessitated changing
target_ops::join to take a pid rather than a process_info*.

Tested by the buildbot using a few of the gdbserver builders.

gdb/gdbserver/ChangeLog
2018-11-29  Tom Tromey  <tom@tromey.com>

	* win32-low.c (win32_join): Take pid, not process.
	* target.h (struct target_ops) <join>: Change argument type.
	(join_inferior): Change argument name.
	* spu-low.c (spu_join): Take pid, not process.
	* server.c (handle_detach): Preserve pid before destroying
	process.
	* lynx-low.c (lynx_join): Take pid, not process.
	* linux-low.c (linux_join): Take pid, not process.
Diffstat (limited to 'gdb/gdbserver/server.c')
-rw-r--r-- | gdb/gdbserver/server.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/gdb/gdbserver/server.c b/gdb/gdbserver/server.c index 4ec3548..a0be0d4 100644 --- a/gdb/gdbserver/server.c +++ b/gdb/gdbserver/server.c @@ -1255,11 +1255,15 @@ handle_detach (char *own_buf) fprintf (stderr, "Detaching from process %d\n", process->pid); stop_tracing (); + + /* We'll need this after PROCESS has been destroyed. */ + int pid = process->pid; + if (detach_inferior (process) != 0) write_enn (own_buf); else { - discard_queued_stop_replies (ptid_t (process->pid)); + discard_queued_stop_replies (ptid_t (pid)); write_ok (own_buf); if (extended_protocol || target_running ()) @@ -1269,7 +1273,7 @@ handle_detach (char *own_buf) and instead treat this like a normal program exit. */ cs.last_status.kind = TARGET_WAITKIND_EXITED; cs.last_status.value.integer = 0; - cs.last_ptid = ptid_t (process->pid); + cs.last_ptid = ptid_t (pid); current_thread = NULL; } @@ -1281,7 +1285,7 @@ handle_detach (char *own_buf) /* If we are attached, then we can exit. Otherwise, we need to hang around doing nothing, until the child is gone. */ - join_inferior (process); + join_inferior (pid); exit (0); } } |
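Review bot: in the first hunk (`@@ -1255,11 +1255,15 @@`), `process->pid` is still read by the `fprintf (stderr, "Detaching from process %d\n", process->pid);` two lines above the new copy, and nothing in the visible lines stops a later edit from dereferencing `process` again after `detach_inferior (process)`, which the commit message says deletes it. Consider taking `int pid = process->pid;` before the `fprintf` so `pid` is the single source of the id in this function, and clearing the pointer (`process = NULL;`) directly after the detach call, so any future use fails fast instead of waiting for ASan to catch the next use-after-free. A one-line comment at the `detach_inferior` call saying that it destroys `process` would also help the next reader.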
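Review bot: `join_inferior (pid);` in the last hunk (`@@ -1281,7 +1285,7 @@`) only compiles once `join_inferior` and `target_ops::join` take a pid, which the ChangeLog lists for target.h and the five `*_join` backends but which lies outside this server.c-only view; make sure the signature change and every backend update land in the same commit, otherwise this file bisects as a build break. Since each backend's join now receives only the pid, it is worth confirming that none of them still needs the `process_info` that has just been freed.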