From 59b59f08f6448a77730c8d8dde5871f1bf6806d0 Mon Sep 17 00:00:00 2001 From: Lancelot SIX Date: Fri, 1 Jan 2021 20:11:28 +0000 Subject: [PATCH] Avoid use after free with logging and debug redirect. This patch addresses PR gdb/27133. Before it, the following succession of commands would cause gdb to crash: set logging redirect on set logging debugredirect on set logging on The problem eventually comes down to a use after free. The function cli_interp_base::set_logging is called with a unique_ptr argument that holds a pointer to the redirection file. In the problematic use case, no-one ever took ownership of that pointer (as far as unique_ptr is concerned), so the call to its dtor at the end of the function causes the file object to be deleted. Any later use of the pointer to the redirection file is therefore an error. This patch ensures that the unique_ptr is released when required (so it does not assume ownership anymore). The internal logic of cli_interp_base::set_logging takes care of freeing the ui_file when it is not necessary anymore using the saved_output.file_to_delete field. gdb/ChangeLog: PR gdb/27133 * cli/cli-interp.c (cli_interp_base::set_logging): Ensure the unique_ptr is released when the wrapped pointer is kept for later use. gdb/testsuite/ChangeLog: PR gdb/27133 * gdb.base/ui-redirect.exp: Add test case that ensures that redirecting both logging and debug does not cause gdb to crash. --- gdb/ChangeLog | 7 +++++++ gdb/cli/cli-interp.c | 8 ++++++++ gdb/testsuite/ChangeLog | 7 +++++++ gdb/testsuite/gdb.base/ui-redirect.exp | 8 ++++++++ 4 files changed, 30 insertions(+) diff --git a/gdb/ChangeLog b/gdb/ChangeLog index 087e2041ba2..6cf6d40a247 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,10 @@ +2021-01-27 Lancelot SIX + + PR gdb/27133 + * cli/cli-interp.c (cli_interp_base::set_logging): Ensure the + unique_ptr is released when the wrapped pointer is kept for later + use. + 2021-01-27 Matthew Malcomson * aarch64-tdep.c (aarch64_displaced_step_others): Account for diff --git a/gdb/cli/cli-interp.c b/gdb/cli/cli-interp.c index 424264a80eb..882384e9a91 100644 --- a/gdb/cli/cli-interp.c +++ b/gdb/cli/cli-interp.c @@ -430,6 +430,14 @@ cli_interp_base::set_logging (ui_file_up logfile, bool logging_redirect, saved_output.file_to_delete = tee; } + /* Make sure that the call to logfile's dtor does not delete the + underlying pointer if we still keep a reference to it. If + logfile_p is not referenced as the file_to_delete, then either + the logfile is not used (no redirection) and it should be + deleted, or a tee took ownership of the pointer. */ + if (logfile_p != nullptr && saved_output.file_to_delete == logfile_p) + logfile.release (); + gdb_stdout = logging_redirect ? logfile_p : tee; gdb_stdlog = debug_redirect ? logfile_p : tee; gdb_stderr = logging_redirect ? logfile_p : tee; diff --git a/gdb/testsuite/ChangeLog b/gdb/testsuite/ChangeLog index f20f041878e..814c6ded1e0 100644 --- a/gdb/testsuite/ChangeLog +++ b/gdb/testsuite/ChangeLog @@ -1,3 +1,10 @@ +2021-01-27 Lancelot SIX + + PR gdb/27133 + * gdb.base/ui-redirect.exp: Add test case that ensures that + redirecting both logging and debug does not cause gdb to crash. + + 2021-01-27 Matthew Malcomson * gdb.arch/insn-reloc.c: Add tests for BR and BLR. diff --git a/gdb/testsuite/gdb.base/ui-redirect.exp b/gdb/testsuite/gdb.base/ui-redirect.exp index af428000607..cb0749b80c2 100644 --- a/gdb/testsuite/gdb.base/ui-redirect.exp +++ b/gdb/testsuite/gdb.base/ui-redirect.exp @@ -140,3 +140,11 @@ with_test_prefix "redirect debugging" { gdb_test "set logging off" "Done logging to /dev/null\\." gdb_test "help" "List of classes of commands:.*" } + +with_test_prefix "redirect logging and debuging" { + gdb_test_no_output "set logging redirect on" + gdb_test_no_output "set logging debugredirect on" + gdb_test "set logging on" \ + "Redirecting output to /dev/null.*Redirecting debug output to /dev/null\\." + gdb_test "set logging off" "Done logging to /dev/null\\." +} -- 2.30.2