[Lldb-commits] [PATCH] D115654: [lldb/plugin] Fix heap-use-after-free in ScriptedProcess::ReadMemory
Med Ismail Bennani via Phabricator via lldb-commits
lldb-commits at lists.llvm.org
Mon Dec 13 10:55:10 PST 2021
mib created this revision.
mib added reviewers: JDevlieghere, aprantl.
mib added a project: LLDB.
mib requested review of this revision.
Herald added a subscriber: lldb-commits.
This commit should fix a heap-use-after-free bug that was caught by the
sanitizer bot.
The issue is that we were reading memory from a second target into an
`SBData` object in Python, which was passed to lldb's internal
`ScriptedProcess::DoReadMemory` C++ method.
The ScriptedPythonInterface then extracts the underlying `DataExtractor`
from the `SBData` object, which is then used to read the memory with the
appropriate address size and byte order.
Unfortunately, it seems that even though the DataExtractor object was
still valid, it pointed to invalid, possibly garbage-collected memory
from Python.
To mitigate this, the patch uses `SBData::SetDataWithOwnership` to copy
the buffer it points to into lldb's heap memory, which prevents the
use-after-free error.
rdar://84511405
Signed-off-by: Med Ismail Bennani <medismail.bennani at gmail.com>
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D115654
Files:
lldb/test/API/functionalities/scripted_process/TestScriptedProcess.py
lldb/test/API/functionalities/scripted_process/stack_core_scripted_process.py
Index: lldb/test/API/functionalities/scripted_process/stack_core_scripted_process.py
===================================================================
--- lldb/test/API/functionalities/scripted_process/stack_core_scripted_process.py
+++ lldb/test/API/functionalities/scripted_process/stack_core_scripted_process.py
@@ -43,8 +43,9 @@
if error.Fail():
return data
- data.SetData(error, bytes_read, self.corefile_target.GetByteOrder(),
- self.corefile_target.GetAddressByteSize())
+ data.SetDataWithOwnership(error, bytes_read,
+ self.corefile_target.GetByteOrder(),
+ self.corefile_target.GetAddressByteSize())
return data
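Review bot: The fix lands only in the test's scripted process (stack_core_scripted_process.py), while the title and description locate the bug in `ScriptedProcess::DoReadMemory` and in ScriptedPythonInterface's extraction of the `DataExtractor` from the `SBData`; any other scripted process whose `read_memory` returns `data.SetData(...)` over a buffer it does not keep alive will still hit the same use-after-free. Consider having the C++ side take a copy when it pulls the `DataExtractor` out of the `SBData` (or reject an `SBData` that does not own its buffer), and at minimum document in the scripted process interface that `read_memory` must return owned data (`SetDataWithOwnership`, not `SetData`). Also note that `error` is reused as the out-parameter of `SetDataWithOwnership` on the `+` lines, so the early `if error.Fail(): return data` only covers the preceding read; a failure of `SetDataWithOwnership` itself goes unchecked before `return data`.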
Index: lldb/test/API/functionalities/scripted_process/TestScriptedProcess.py
===================================================================
--- lldb/test/API/functionalities/scripted_process/TestScriptedProcess.py
+++ lldb/test/API/functionalities/scripted_process/TestScriptedProcess.py
@@ -139,7 +139,6 @@
@skipUnlessDarwin
@skipIfOutOfTreeDebugserver
- @skipIfAsan # rdar://85954489
def test_launch_scripted_process_stack_frames(self):
"""Test that we can launch an lldb scripted process from the command
line, check its process ID and read string from memory."""
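Review bot: Removing `@skipIfAsan # rdar://85954489` re-enables this test on the sanitizer bot, which is the only thing in this patch that verifies the fix, but the radar cited on the removed line differs from the one in the description (rdar://84511405); either reconcile the two identifiers or state in the description that both track the same heap-use-after-free, otherwise a later reader cannot tell whether rdar://85954489 is resolved by this change. It would also help to say explicitly that the sanitizer run is the regression check, since no new assertion on the ownership behaviour is added.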