From: Tom Tromey
Date: Tue, 14 Oct 2025 03:36:56 +0000 (-0600)
Subject: Fix use-after-free when destroying objfile
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4109b068142bc8e7c19728c163c5685fdaeea851;p=thirdparty%2Fbinutils-gdb.git
Fix use-after-free when destroying objfile
The recent patch to heap-allocate compunit_symtabs introduced a use-after-free that can occur when destroying an objfile. The bug here is that the objfile obstack is destroyed before compunit_symtabs; but the compunit_symtabs destructor refers to the symtabs, which are allocated on the obstack. This patch fixes the problem. This was reported using ASAN, but I reproduced it with valgrind and verified that this fixes the problem.
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33435
---
diff --git a/gdb/objfiles.h b/gdb/objfiles.h
index 9566acfe33b..3c4e568b98c 100644
--- a/gdb/objfiles.h
+++ b/gdb/objfiles.h
@@ -719,11 +719,6 @@ private:
 program_space *m_pspace; public:
- /* List of compunits.
- These are used to do symbol lookups and file/line-number lookups. */
-
- owning_intrusive_list compunit_symtabs;
-
 /* The object file's BFD. Can be null if the objfile contains only minimal symbols (e.g. the run time common symbols for SunOS4) or if the objfile is a dynamic objfile (e.g. created by JIT reader
@@ -751,6 +746,11 @@ public:
 auto_obstack objfile_obstack;
+ /* List of compunits.
+ These are used to do symbol lookups and file/line-number lookups. */
+
+ owning_intrusive_list compunit_symtabs;
+
 /* Structure which keeps track of functions that manipulate objfile's of the same type as this objfile. I.e. the function to read partial symbols for example. Note that this structure is in statically
diff --git a/gdb/symfile.c b/gdb/symfile.c
index eb969249f3f..2406c569c26 100644
--- a/gdb/symfile.c
+++ b/gdb/symfile.c
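Review bot: The relocated `compunit_symtabs` declaration in the second objfiles.h hunk now silently depends on being declared after `objfile_obstack`, because class members are destroyed in reverse declaration order and, as the commit message explains, the compunit_symtab destructor reads symtabs allocated on that obstack; the moved comment says nothing about this, so a later reordering of the class would reintroduce the use-after-free without any compiler complaint. Extend the comment with something like `Must stay declared after objfile_obstack: members are destroyed in reverse declaration order, and the compunit_symtab destructor touches symtabs that live on that obstack.` The first hunk is only the matching removal and needs nothing further. The class body continues outside both hunks.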
@@ -2581,6 +2581,8 @@ reread_symbols (int from_tty)
 error (_("Can't read symbols from %s: %s."), objfile_name (&objfile), bfd_errmsg (bfd_get_error ()));
+ objfile.compunit_symtabs.clear ();
+
 /* NB: after this call to obstack_free, objfiles_changed will need to be called (see discussion below). */
 obstack_free (&objfile.objfile_obstack, 0);
@@ -2590,7 +2592,6 @@ reread_symbols (int from_tty)
 objfile.sect_index_data = -1;
 objfile.sect_index_rodata = -1;
 objfile.sect_index_text = -1;
- objfile.compunit_symtabs.clear ();
 objfile.template_symbols = NULL;
 objfile.static_links.clear ();
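Review bot: The added `objfile.compunit_symtabs.clear ();` ahead of `obstack_free` in the first hunk encodes the same lifetime invariant as the header change, but nothing at the call site says the order matters, and the existing NB comment only covers the objfiles_changed requirement; the second hunk shows how easily the call sat after the free before, so a future reshuffle of the reset sequence would bring the use-after-free back. Put the reason next to the call, e.g. `/* Clear compunit_symtabs before freeing the obstack: their destructors reference symtabs allocated on it.  */`. Since the defect only surfaced under ASAN/valgrind and the commit adds no regression test, the comment is the only guard on this ordering. reread_symbols continues outside both hunks.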