bug-readline

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose


From: Simon Marchi
Subject: Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose
Date: Mon, 29 May 2023 12:43:11 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.1

On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
> On 5/27/23 21:10, Chet Ramey wrote:
>> On 5/23/23 12:04 PM, Tom de Vries wrote:
>>
>>> Both these issues need fixing independently, though after fixing the first
>>> we no longer trigger the second.
>>
>> Thanks for the report. These are both good fixes.
> 
> Thanks for the review.
> 
> Added test-case and committed.
> 
> Thanks,
> - Tom

Hi Tom,

ASan sees a double-free in the test:

==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
    #5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
    #6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
    #7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
    #8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
    #9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
    #10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
    #11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
    #12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
    #13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
    #14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
    #15 0x7f39eda3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)

0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
freed by thread T0 here:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

previously allocated by thread T0 here:
    #0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
    #2 0x7f39ef3eb6da  (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free

Simon
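The shape of a dispose-path double free like the one ASan reports above, shown as an added illustration that is neither readline's nor gdb's code: a constructed stand-in for a search context owning one heap buffer, a dispose routine that frees the member without clearing the pointer (so a second call from a later cleanup path frees it again), and beside it an idempotent dispose that a repeated call cannot trip. The struct, the function names and the free counter are all assumptions made for this example; the real _rl_scxt_dispose and _rl_isearch_cleanup are not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a search context: one heap-owned string. */
struct search_ctx {
    char *search_string;   /* heap allocated, owned by the context */
    size_t len;
};

/* Instrumentation only: count frees so the behaviour can be checked without
   relying on a sanitizer. Under -fsanitize=address a real double free would
   abort with a report like the one in the mail above. */
static int free_calls;

static void counted_free(void *p)
{
    free_calls++;
    free(p);
}

/* Allocate a context holding a copy of s (NULL on allocation failure). */
struct search_ctx *ctx_create(const char *s)
{
    struct search_ctx *cxt = malloc(sizeof *cxt);
    if (cxt == NULL)
        return NULL;
    cxt->len = strlen(s);
    cxt->search_string = malloc(cxt->len + 1);
    if (cxt->search_string == NULL) {
        free(cxt);
        return NULL;
    }
    memcpy(cxt->search_string, s, cxt->len + 1);
    return cxt;
}

/* Buggy shape (not invoked below, because calling it twice is undefined
   behaviour): the member is freed but the dangling pointer stays in the
   struct, so any later cleanup that disposes the same context frees it again. */
void ctx_dispose_unsafe(struct search_ctx *cxt)
{
    counted_free(cxt->search_string);
}

/* Hardened shape: dispose is idempotent. Ownership is released exactly once
   and the pointer is cleared, so a repeated call is a harmless no-op. */
void ctx_dispose(struct search_ctx *cxt)
{
    if (cxt == NULL)
        return;
    if (cxt->search_string != NULL) {
        counted_free(cxt->search_string);
        cxt->search_string = NULL;
        cxt->len = 0;
    }
}

/* Run the idempotent dispose twice on one context and report how many frees
   happened; returns -1 if the context still holds a pointer afterwards. */
int dispose_twice_free_count(void)
{
    struct search_ctx *cxt = ctx_create("abc");
    if (cxt == NULL)
        return -1;
    free_calls = 0;
    ctx_dispose(cxt);
    ctx_dispose(cxt);            /* second call must not free again */
    int n = (cxt->search_string == NULL) ? free_calls : -1;
    free(cxt);
    return n;
}

int main(void)
{
    printf("frees after disposing twice: %d\n", dispose_twice_free_count());
    return 0;
}
```

Building the same program with -fsanitize=address and calling ctx_dispose_unsafe twice on one context is the quickest way to see the "attempting double-free" report in a controlled setting; the hardened version produces no report because the second free never happens.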
