This is an archive of the discontinued LLVM Phabricator instance.

Differential D115654

[lldb/plugin] Fix heap-use-after-free in ScriptedProcess::ReadMemory
ClosedPublic

Authored by mib on Dec 13 2021, 10:55 AM.

Details

Reviewers
JDevlieghere
aprantl
Commits
rGef74c8002ae8: [lldb/plugin] Fix heap-use-after-free in ScriptedProcess::ReadMemory
Summary

This commit should fix a heap-use-after-free bug that was caught by the
sanitizer bot.

The issue is that we were reading memory from a second target into a
SBData object in Python, that was passed to lldb's internal
ScriptedProcess::DoReadMemory C++ method.

The ScriptedPythonInterface then extracts the underlying DataExtractor
from the SBData object, and is used to read the memory with the
appropriate address size and byte order.

Unfortunately, it seems that even though the DataExtractor object was
still valid, it pointed to invalid, possibly garbage-collected memory
from Python.

To mitigate this, the patch uses SBData::SetDataWithOwnership to copy
the pointed buffer to lldb's heap memory which prevents the
use-after-free error.

rdar://84511405

Signed-off-by: Med Ismail Bennani <medismail.bennani@gmail.com>

Diff Detail

Revision Contents

PathSize
lldb/
test/
API/
functionalities/
scripted_process/
1 line
5 lines

Diff 393970

lldb/test/API/functionalities/scripted_process/TestScriptedProcess.py

Show First 20 LinesShow All 133 Lines▼ Show 20 Lines def create_stack_skinny_corefile(self, file):
self.assertTrue(process.IsValid(), "Process is invalid.") self.assertTrue(process.IsValid(), "Process is invalid.")
# FIXME: Use SBAPI to save the process corefile. # FIXME: Use SBAPI to save the process corefile.
self.runCmd("process save-core -s stack " + file) self.runCmd("process save-core -s stack " + file)
self.assertTrue(os.path.exists(file), "No stack-only corefile found.") self.assertTrue(os.path.exists(file), "No stack-only corefile found.")
self.assertTrue(self.dbg.DeleteTarget(target), "Couldn't delete target") self.assertTrue(self.dbg.DeleteTarget(target), "Couldn't delete target")
@skipUnlessDarwin @skipUnlessDarwin
@skipIfOutOfTreeDebugserver @skipIfOutOfTreeDebugserver
@skipIfAsan # rdar://85954489
def test_launch_scripted_process_stack_frames(self): def test_launch_scripted_process_stack_frames(self):
"""Test that we can launch an lldb scripted process from the command """Test that we can launch an lldb scripted process from the command
line, check its process ID and read string from memory.""" line, check its process ID and read string from memory."""
self.build() self.build()
target = self.dbg.CreateTarget(self.getBuildArtifact("a.out")) target = self.dbg.CreateTarget(self.getBuildArtifact("a.out"))
self.assertTrue(target, VALID_TARGET) self.assertTrue(target, VALID_TARGET)
for module in target.modules: for module in target.modules:
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

lldb/test/API/functionalities/scripted_process/stack_core_scripted_process.py

Show All 37 Linesclass StackCoreScriptedProcess(ScriptedProcess):
def read_memory_at_address(self, addr: int, size: int) -> lldb.SBData: def read_memory_at_address(self, addr: int, size: int) -> lldb.SBData:
data = lldb.SBData() data = lldb.SBData()
error = lldb.SBError() error = lldb.SBError()
bytes_read = self.corefile_process.ReadMemory(addr, size, error) bytes_read = self.corefile_process.ReadMemory(addr, size, error)
if error.Fail(): if error.Fail():
return data return data
data.SetData(error, bytes_read, self.corefile_target.GetByteOrder(), data.SetDataWithOwnership(error, bytes_read,
self.corefile_target.GetByteOrder(),
self.corefile_target.GetAddressByteSize()) self.corefile_target.GetAddressByteSize())
return data return data
def get_loaded_images(self): def get_loaded_images(self):
# TODO: Iterate over corefile_target modules and build a data structure # TODO: Iterate over corefile_target modules and build a data structure
# from it. # from it.
return self.loaded_images return self.loaded_images
▲ Show 20 LinesShow All 84 LinesShow Last 20 Lines