From: Andrew Burgess Date: Sun, 8 Sep 2024 20:17:55 +0000 (+0100) Subject: gdb: fix use of out of scope temporary variable in break-cond-parse.c X-Git-Tag: gdb-16-branchpoint~948 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da8730e8f9255b683f0b5d311ac31cabf84fa1de;p=thirdparty%2Fbinutils-gdb.git gdb: fix use of out of scope temporary variable in break-cond-parse.c The commit: commit c6b486755e020095710c7494d029577ca967a13a Date: Thu Mar 30 19:21:22 2023 +0100 gdb: parse pending breakpoint thread/task immediately Introduce a use bug where the value of a temporary variable was being used after it had gone out of scope. This was picked up by the address sanitizer and would result in this error: (gdb) maintenance selftest create_breakpoint_parse_arg_string Running selftest create_breakpoint_parse_arg_string. ================================================================= ==2265825==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fbb08046511 at pc 0x000001632230 bp 0x7fff7c2fb770 sp 0x7fff7c2fb768 READ of size 1 at 0x7fbb08046511 thread T0 #0 0x163222f in create_breakpoint_parse_arg_string(char const*, std::unique_ptr >*, int*, int*, int*, std::unique_ptr >*, bool*) ../../src/gdb/break-cond-parse.c:496 #1 0x1633026 in test ../../src/gdb/break-cond-parse.c:582 #2 0x163391b in create_breakpoint_parse_arg_string_tests ../../src/gdb/break-cond-parse.c:649 #3 0x12cfebc in void std::__invoke_impl(std::__invoke_other, void (*&)()) /usr/include/c++/13/bits/invoke.h:61 #4 0x12cc8ee in std::enable_if, void>::type std::__invoke_r(void (*&)()) /usr/include/c++/13/bits/invoke.h:111 #5 0x12c81e5 in std::_Function_handler::_M_invoke(std::_Any_data const&) /usr/include/c++/13/bits/std_function.h:290 #6 0x18bb51d in std::function::operator()() const /usr/include/c++/13/bits/std_function.h:591 #7 0x4193ef9 in selftests::run_tests(gdb::array_view, bool) ../../src/gdbsupport/selftest.cc:100 #8 0x21c2206 in maintenance_selftest ../../src/gdb/maint.c:1172 ... etc ... The problem was caused by three lines like this one: thread_info *thr = parse_thread_id (std::string (t.get_value ()).c_str (), &tmptok); After parsing the thread-id TMPTOK would be left pointing into the temporary string which had been created on this line. When on the next line we did this: gdb_assert (*tmptok == '\0'); The value of *TMPTOK is undefined. Fix this by creating the std::string earlier in the scope. Now the contents of the string will remain valid when we check *TMPTOK. The address sanitizer issue is now resolved. --- diff --git a/gdb/break-cond-parse.c b/gdb/break-cond-parse.c index f5fe308a923..b2b1324479f 100644 --- a/gdb/break-cond-parse.c +++ b/gdb/break-cond-parse.c @@ -478,6 +478,7 @@ create_breakpoint_parse_arg_string for (const token &t : tokens) { + std::string tok_value (t.get_value ()); switch (t.get_type ()) { case token::type::FORCE: @@ -490,9 +491,7 @@ create_breakpoint_parse_arg_string if (task != -1 || inferior != -1) error ("You can specify only one of thread, inferior, or task."); const char *tmptok; - thread_info *thr - = parse_thread_id (std::string (t.get_value ()).c_str (), - &tmptok); + thread_info *thr = parse_thread_id (tok_value.c_str (), &tmptok); gdb_assert (*tmptok == '\0'); thread = thr->global_num; } @@ -504,8 +503,7 @@ create_breakpoint_parse_arg_string if (task != -1 || thread != -1) error ("You can specify only one of thread, inferior, or task."); char *tmptok; - long inferior_id - = strtol (std::string (t.get_value ()).c_str (), &tmptok, 0); + long inferior_id = strtol (tok_value.c_str (), &tmptok, 0); if (*tmptok != '\0') error (_("Junk '%s' after inferior keyword."), tmptok); if (inferior_id > INT_MAX) @@ -523,8 +521,7 @@ create_breakpoint_parse_arg_string if (inferior != -1 || thread != -1) error ("You can specify only one of thread, inferior, or task."); char *tmptok; - long task_id - = strtol (std::string (t.get_value ()).c_str (), &tmptok, 0); + long task_id = strtol (tok_value.c_str (), &tmptok, 0); if (*tmptok != '\0') error (_("Junk '%s' after task keyword."), tmptok); if (task_id > INT_MAX)