gdb: fix CVE-2017-9778

(From OE-Core rev: 4fa03fa14f8facb134ecd772a99c25184d8a4cbd) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-07-19 13:55:28 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-19 16:19:14 +0100
commit: 2a11ee3ad248bc97c65b4be02dc80d7eb7f5cde3 (patch)
tree: a17152afdf11b826d9fde5adafdc1f20b5d7d89d
parent: 0176b556fa24325daf9e13891739b26fe916cf8f (diff)
download: poky-2a11ee3ad248bc97c65b4be02dc80d7eb7f5cde3.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.3.inc b/meta/recipes-devtools/gdb/gdb-8.3.inc
index db8d5f349f..a5ef936fbf 100644
--- a/meta/recipes-devtools/gdb/gdb-8.3.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.3.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
           file://0009-Change-order-of-CFLAGS.patch \
           file://0010-resolve-restrict-keyword-conflict.patch \
           file://0011-Fix-invalid-sigprocmask-call.patch \
+           file://CVE-2017-9778.patch \
           "
 SRC_URI[md5sum] = "bbd95b2f9b34621ad7a19a3965476314"
 SRC_URI[sha256sum] = "802f7ee309dcc547d65a68d61ebd6526762d26c3051f52caebe2189ac1ffd72e"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..f142ed00d7
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,98 @@
+From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+            Kang Li <kanglictf@gmail.com>
+        PR gdb/21600
+        * dwarf2-frame.c (read_initial_length): Be consistent about using
+        unsigned representation of length.
+        (decode_frame_entry_1): Likewise.  Check for wraparound of
+        end pointer as well as buffer overflow.
+Upstream-Status: Backport
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog      | 10 ++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 1c125de..d028d2b 100644
+--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
+@@ -1,3 +1,13 @@
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+       Kang Li <kanglictf@gmail.com>
+
+       PR gdb/21600
+
+       * dwarf2-frame.c (read_initial_length): Be consistent about using
+       unsigned representation of length.
+       (decode_frame_entry_1): Likewise.  Check for wraparound of
+       end pointer as well as buffer overflow.
+
+ 2019-05-11  Joel Brobecker  <brobecker@adacore.com>
+ 
+        * version.in: Set GDB version number to 8.3.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 178ac44..dc5d3b3 100644
+--- a/gdb/dwarf2-frame.c
+++ b/gdb/dwarf2-frame.c
+@@ -1488,7 +1488,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+                     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
+  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
+  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
+  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
+  /* Are we still within the section?  */
+  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+    return NULL;
+
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.20.1
author	Anuj Mittal <anuj.mittal@intel.com>	2019-07-19 13:55:28 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-19 16:19:14 +0100
commit	2a11ee3ad248bc97c65b4be02dc80d7eb7f5cde3 (patch)
tree	a17152afdf11b826d9fde5adafdc1f20b5d7d89d
parent	0176b556fa24325daf9e13891739b26fe916cf8f (diff)
download	poky-2a11ee3ad248bc97c65b4be02dc80d7eb7f5cde3.tar.gz

diff --git a/meta/recipes-devtools/gdb/gdb-8.3.inc b/meta/recipes-devtools/gdb/gdb-8.3.inc index db8d5f349f..a5ef936fbf 100644 --- a/meta/recipes-devtools/gdb/gdb-8.3.inc +++ b/meta/recipes-devtools/gdb/gdb-8.3.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
16	file://0009-Change-order-of-CFLAGS.patch \	16	file://0009-Change-order-of-CFLAGS.patch \
17	file://0010-resolve-restrict-keyword-conflict.patch \	17	file://0010-resolve-restrict-keyword-conflict.patch \
18	file://0011-Fix-invalid-sigprocmask-call.patch \	18	file://0011-Fix-invalid-sigprocmask-call.patch \
		19	file://CVE-2017-9778.patch \
19	"	20	"
20	SRC_URI[md5sum] = "bbd95b2f9b34621ad7a19a3965476314"	21	SRC_URI[md5sum] = "bbd95b2f9b34621ad7a19a3965476314"
21	SRC_URI[sha256sum] = "802f7ee309dcc547d65a68d61ebd6526762d26c3051f52caebe2189ac1ffd72e"	22	SRC_URI[sha256sum] = "802f7ee309dcc547d65a68d61ebd6526762d26c3051f52caebe2189ac1ffd72e"


diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch new file mode 100644 index 0000000000..f142ed00d7 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,98 @@
		1	From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
		2	From: Sandra Loosemore <sandra@codesourcery.com>
		3	Date: Thu, 25 Apr 2019 07:27:02 -0700
		4	Subject: [PATCH] Detect invalid length field in debug frame FDE header.
		5
		6	GDB was failing to catch cases where a corrupt ELF or core file
		7	contained an invalid length value in a Dwarf debug frame FDE header.
		8	It was checking for buffer overflow but not cases where the length was
		9	negative or caused pointer wrap-around.
		10
		11	In addition to the additional validity check, this patch cleans up the
		12	multiple signed/unsigned conversions on the length field so that an
		13	unsigned representation is used consistently throughout.
		14
		15	This patch fixes CVE-2017-9778 and PR gdb/21600.
		16
		17	2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
		18	Kang Li <kanglictf@gmail.com>
		19
		20	PR gdb/21600
		21
		22	* dwarf2-frame.c (read_initial_length): Be consistent about using
		23	unsigned representation of length.
		24	(decode_frame_entry_1): Likewise. Check for wraparound of
		25	end pointer as well as buffer overflow.
		26
		27	Upstream-Status: Backport
		28	CVE: CVE-2017-9778
		29	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		30	---
		31	gdb/ChangeLog \| 10 ++++++++++
		32	gdb/dwarf2-frame.c \| 14 +++++++-------
		33	2 files changed, 17 insertions(+), 7 deletions(-)
		34
		35	diff --git a/gdb/ChangeLog b/gdb/ChangeLog
		36	index 1c125de..d028d2b 100644
		37	--- a/gdb/ChangeLog
		38	+++ b/gdb/ChangeLog
		39	@@ -1,3 +1,13 @@
		40	+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
		41	+ Kang Li <kanglictf@gmail.com>
		42	+
		43	+ PR gdb/21600
		44	+
		45	+ * dwarf2-frame.c (read_initial_length): Be consistent about using
		46	+ unsigned representation of length.
		47	+ (decode_frame_entry_1): Likewise. Check for wraparound of
		48	+ end pointer as well as buffer overflow.
		49	+
		50	2019-05-11 Joel Brobecker <brobecker@adacore.com>
		51
		52	* version.in: Set GDB version number to 8.3.
		53	diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
		54	index 178ac44..dc5d3b3 100644
		55	--- a/gdb/dwarf2-frame.c
		56	+++ b/gdb/dwarf2-frame.c
		57	@@ -1488,7 +1488,7 @@ static ULONGEST
		58	read_initial_length (bfd abfd, const gdb_byte buf,
		59	unsigned int *bytes_read_ptr)
		60	{
		61	- LONGEST result;
		62	+ ULONGEST result;
		63
		64	result = bfd_get_32 (abfd, buf);
		65	if (result == 0xffffffff)
		66	@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit unit, const gdb_byte start,
		67	{
		68	struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
		69	const gdb_byte buf, end;
		70	- LONGEST length;
		71	+ ULONGEST length;
		72	unsigned int bytes_read;
		73	int dwarf64_p;
		74	ULONGEST cie_id;
		75	@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit unit, const gdb_byte start,
		76	buf = start;
		77	length = read_initial_length (unit->abfd, buf, &bytes_read);
		78	buf += bytes_read;
		79	- end = buf + length;
		80	-
		81	- /* Are we still within the section? */
		82	- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
		83	- return NULL;
		84	+ end = buf + (size_t) length;
		85
		86	if (length == 0)
		87	return end;
		88
		89	+ /* Are we still within the section? */
		90	+ if (end <= buf \|\| end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
		91	+ return NULL;
		92	+
		93	/* Distinguish between 32 and 64-bit encoded frame info. */
		94	dwarf64_p = (bytes_read == 12);
		95
		96	--
		97	2.20.1
		98