Google Git
Sign in
gnu/binutils-gdb/e0f06496026b516b6815438879f1e83573cf4eae
commit
e0f06496026b516b6815438879f1e83573cf4eae
[log]
author
Andrew Burgess <aburgess@redhat.com>
Mon Oct 13 14:43:51 2025 +0100
committer
Andrew Burgess <aburgess@redhat.com>
Wed Jan 07 11:10:54 2026 +0000
tree
2c2d88cdc7a64cd7237ee50790b96cebe95b13e3
parent
7be6efd7d4bf9eb93a876fffddb34ced3bceb546 [diff]
gdb: hold a target_ops_ref in scoped_finish_thread_state

This commit fixes a use after free issue that was reported here:

  https://inbox.sourceware.org/gdb-patches/68354b98-795a-4b50-9eac-e54aa1d01b9d@simark.ca

This issue was exposed by the gdb.replay/missing-thread.exp test that
was added in this commit:

  commit 8bd08ee92c4a7bf2ad9e29c4da32a276ef2257fc
  Date:   Fri May 16 17:56:58 2025 +0100

      gdb: crash if thread unexpectedly disappears from thread list

It is worth pointing out that the use after free issue existed before
this commit, this commit just introduced a test that exposed the issue
when GDB is run with the address sanitizer.

It has taken a while to get this fix ready for upstream as this fix
depended on the recently committed patch:

  commit 43db8f70d86b2492b79f59342187b919fd58b3dd
  Date:   Thu Oct 23 16:34:20 2025 +0100

      gdbsupport: remove undefined behaviour from (forward_)scope_exit

The problem is that the first commit above introduces a test which
causes the remote target to disconnect while processing an inferior
stop event, specifically, within normal_stop (infrun.c), GDB calls
update_thread_list, and it is during this call that the inferior
disconnects.

When the remote target disconnects, GDB immediately unpushes the
remote target.  See remote_unpush_target and its uses in remote.c.

If this is the last use of the remote target, then unpushing it will
cause the target to be deleted.

This is a problem, because in normal_stop, we have an RAII variable
maybe_finish_thread_state, which is an optional
scoped_finish_thread_state, and in some cases, this will hold a
pointer to the process_startum_target which needs to be finished.

So the order of events is:

  1. Call to normal_stop.

  2. Create maybe_finish_thread_state with a pointer to the current
     remote_target object.

  3. Call update_thread_list.

  4. Remote disconnects, GDB unpushes and deletes the current
     remote_target object.  GDB throws an exception.

  5. The exception propagates back to normal_stop.

  6. The destructor for maybe_finish_thread_state runs, and tries to
     make use of its cached pointer to the (now deleted) remote_target
     object.  Badness ensues.

This bug isn't restricted to normal_stop.  If a remote target
disconnects anywhere where there is a scoped_finish_thread_state in
the call stack then this issue could arise.

I think what we need to do is to ensure that the remote_target is not
actually deleted until after the scoped_finish_thread_state has been
cleaned up.

And so, to achieve this, I propose changing scoped_finish_thread_state
to hold a target_ops_ref rather than a pointer to the target_ops
object.  Holding the reference will prevent the object from being
deleted.

The new scoped_finish_thread_state is defined within its own file, and
is a drop in replacement for the existing class.

On my local machine the gdb.replay/missing-thread.exp test passes
cleanly after this commit (with address sanitizers), but when I test
on some other machines with a more recent Fedora install, I'm still
seeing test failures (both before and after this patch), though not
relating to the address sanitizer (at least, I don't see an error from
the sanitizer).  I don't think these other issues are directly related
to the problem being addressed in this commit, and so I'm proposing
this patch for inclusion anyway.  I'll continue to look at the test
and see if I can fix the other failures too.  Or maybe I'll end up
having to back out the test.

Approved-By: Simon Marchi <simon.marchi@efficios.com>
Reviewed-By: Guinevere Larsen <guinevere@redhat.com>
5 files changed
tree: 2c2d88cdc7a64cd7237ee50790b96cebe95b13e3
  1. bfd/
  2. binutils/
  3. config/
  4. contrib/
  5. cpu/
  6. elfcpp/
  7. etc/
  8. gas/
  9. gdb/
  10. gdbserver/
  11. gdbsupport/
  12. gnulib/
  13. gold/
  14. gprof/
  15. gprofng/
  16. include/
  17. ld/
  18. libbacktrace/
  19. libctf/
  20. libdecnumber/
  21. libiberty/
  22. libsframe/
  23. opcodes/
  24. readline/
  25. sim/
  26. texinfo/
  27. zlib/
  28. .cvsignore
  29. .editorconfig
  30. .gitattributes
  31. .gitignore
  32. .pre-commit-config.yaml
  33. ar-lib
  34. ChangeLog
  35. compile
  36. config-ml.in
  37. config.guess
  38. config.rpath
  39. config.sub
  40. configure
  41. configure.ac
  42. COPYING
  43. COPYING.LIB
  44. COPYING.LIBGLOSS
  45. COPYING.NEWLIB
  46. COPYING3
  47. COPYING3.LIB
  48. depcomp
  49. djunpack.bat
  50. install-sh
  51. libtool.m4
  52. ltgcc.m4
  53. ltmain.sh
  54. ltoptions.m4
  55. ltsugar.m4
  56. ltversion.m4
  57. lt~obsolete.m4
  58. MAINTAINERS
  59. Makefile.def
  60. Makefile.in
  61. Makefile.tpl
  62. makefile.vms
  63. missing
  64. mkdep
  65. mkinstalldirs
  66. move-if-change
  67. multilib.am
  68. README
  69. README-maintainer-mode
  70. SECURITY.txt
  71. setup.com
  72. src-release.sh
  73. symlink-tree
  74. test-driver
  75. ylwrap