gdb: Fix CVE-2019-1010180

Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vinay Kumar <vinay.m.engg@gmail.com> 2020-01-17 19:14:25 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-28 11:15:01 +0000
commit: c2644c6afc4dffc5a31460beddd7a0b99fe12325 (patch)
tree: 90e0aa6f10a2ee97682e46b00fffc37684ea7502
parent: 60ce01fec873367d0a5ab7d317d3bee95b4b75ac (diff)
download: poky-c2644c6afc4dffc5a31460beddd7a0b99fe12325.tar.gz
2 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index f28b57439c..8fa48171f4 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -19,6 +19,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
           file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
           file://CVE-2017-9778.patch \
           file://0012-AArch64-Fix-the-gdb-build-with-musl-libc.patch \
+           file://CVE-2019-1010180.patch \
 "
 SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
 SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
new file mode 100644
index 0000000000..46b2b3a713
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
@@ -0,0 +1,132 @@
+From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
+From: Keith Seitz <keiths@redhat.com>
+Date: Wed, 16 Oct 2019 11:33:59 -0700
+Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
+This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
+specifically altered the size of .debug_str:
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
+[31] .debug_str           PROGBITS     0000000000000000 0057116d ffffffffffffffff  1 MS     0   0  1
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+Nick has already committed a BFD patch to issue the warning seen above.
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func
+All defined functions:
+File ./../include/dwarf2.def:
+186:    const
+              8 *>(.:
+                     ;'@�B);
+747:    const
+              8 *�(.:
+                     ;'@�B);
+701:    const
+              8 *�D �
+                     (.:
+                        ;'@�B);
+71:     const
+              8 *(.:
+                    ;'@�B);
+/* and more gibberish  */
+Consider read_indirect_string_at_offset_from:
+static const char *
+read_indirect_string_at_offset_from (struct objfile *objfile,
+                                     bfd *abfd, LONGEST str_offset,
+                                     struct dwarf2_section_info *sect,
+                                     const char *form_name,
+                                     const char *sect_name)
+{
+  dwarf2_read_section (objfile, sect);
+  if (sect->buffer == NULL)
+    error (_("%s used without %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  if (str_offset >= sect->size)
+    error (_("%s pointing outside of %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  gdb_assert (HOST_CHAR_BIT == 8);
+  if (sect->buffer[str_offset] == '\0')
+    return NULL;
+  return (const char *) (sect->buffer + str_offset);
+}
+With sect_size being ginormous, the code attempts to access
+sect->buffer[GINORMOUS], and depending on the layout of memory,
+GDB either stores a bunch of gibberish strings or crashes.
+This is an attempt to mitigate this by implementing a similar approach
+used by BFD. In our case, we simply reject the section with the invalid
+length:
+$ ./gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
+DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
+(No debugging symbols found in /path/to/objdump)
+(gdb)
+Unfortunately, I have not found a way to regression test this, since it
+requires poking ELF section headers.
+gdb/ChangeLog:
+2019-10-16  Keith Seitz  <keiths@redhat.com>
+        PR gdb/23567
+        * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+        sections whose size is greater than the file size.
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+CVE: CVE-2019-1010180
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]
+[Removed Changelog entry]
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ gdb/dwarf2read.c | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+index 0443b55..a78f818 100644
+--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
+@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
+   if ((aflag & SEC_HAS_CONTENTS) == 0)
+     {
+     }
+  else if (elf_section_data (sectp)->this_hdr.sh_size
+          > bfd_get_file_size (abfd))
+    {
+      bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
+      warning (_("Discarding section %s which has a section size (%s"
+                ") larger than the file size [in module %s]"),
+              bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
+              bfd_get_filename (abfd));
+    }
+   else if (section_is_p (sectp->name, &names.info))
+     {
+       this->info.s.section = sectp;
+-- 
+2.7.4
author	Vinay Kumar <vinay.m.engg@gmail.com>	2020-01-17 19:14:25 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +0000
commit	c2644c6afc4dffc5a31460beddd7a0b99fe12325 (patch)
tree	90e0aa6f10a2ee97682e46b00fffc37684ea7502
parent	60ce01fec873367d0a5ab7d317d3bee95b4b75ac (diff)
download	poky-c2644c6afc4dffc5a31460beddd7a0b99fe12325.tar.gz

diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc index f28b57439c..8fa48171f4 100644 --- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc +++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -19,6 +19,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
19	file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \	19	file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
20	file://CVE-2017-9778.patch \	20	file://CVE-2017-9778.patch \
21	file://0012-AArch64-Fix-the-gdb-build-with-musl-libc.patch \	21	file://0012-AArch64-Fix-the-gdb-build-with-musl-libc.patch \
		22	file://CVE-2019-1010180.patch \
22	"	23	"
23	SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"	24	SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
24	SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"	25	SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"


diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch new file mode 100644 index 0000000000..46b2b3a713 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
@@ -0,0 +1,132 @@
		1	From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
		2	From: Keith Seitz <keiths@redhat.com>
		3	Date: Wed, 16 Oct 2019 11:33:59 -0700
		4	Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
		5
		6	This is another fuzzer bug, gdb/23567. This time, the fuzzer has
		7	specifically altered the size of .debug_str:
		8
		9	$ eu-readelf -S objdump
		10	Section Headers:
		11	[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
		12	[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
		13
		14	When this file is loaded into GDB, the DWARF reader crashes attempting
		15	to access the string table (or it may just store a bunch of nonsense):
		16
		17	[gdb-8.3-6-fc30]
		18	$ gdb -nx -q objdump
		19	BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
		20	Reading symbols from /path/to/objdump...
		21	Segmentation fault (core dumped)
		22
		23	Nick has already committed a BFD patch to issue the warning seen above.
		24
		25	[gdb master 6acc1a0b]
		26	$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
		27	Reading symbols from /path/to/objdump...
		28	(gdb) inf func
		29	All defined functions:
		30
		31	File ./../include/dwarf2.def:
		32	186: const
		33
		34	8 *>(.:
		35	;'@�B);
		36	747: const
		37
		38	8 *�(.:
		39	;'@�B);
		40	701: const
		41
		42	8 *�D �
		43	(.:
		44	;'@�B);
		45	71: const
		46
		47	8 *(.:
		48	;'@�B);
		49	/* and more gibberish */
		50
		51	Consider read_indirect_string_at_offset_from:
		52
		53	static const char *
		54	read_indirect_string_at_offset_from (struct objfile *objfile,
		55	bfd *abfd, LONGEST str_offset,
		56	struct dwarf2_section_info *sect,
		57	const char *form_name,
		58	const char *sect_name)
		59	{
		60	dwarf2_read_section (objfile, sect);
		61	if (sect->buffer == NULL)
		62	error (_("%s used without %s section [in module %s]"),
		63	form_name, sect_name, bfd_get_filename (abfd));
		64	if (str_offset >= sect->size)
		65	error (_("%s pointing outside of %s section [in module %s]"),
		66	form_name, sect_name, bfd_get_filename (abfd));
		67	gdb_assert (HOST_CHAR_BIT == 8);
		68	if (sect->buffer[str_offset] == '\0')
		69	return NULL;
		70	return (const char *) (sect->buffer + str_offset);
		71	}
		72
		73	With sect_size being ginormous, the code attempts to access
		74	sect->buffer[GINORMOUS], and depending on the layout of memory,
		75	GDB either stores a bunch of gibberish strings or crashes.
		76
		77	This is an attempt to mitigate this by implementing a similar approach
		78	used by BFD. In our case, we simply reject the section with the invalid
		79	length:
		80
		81	$ ./gdb -nx -q objdump
		82	BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
		83	Reading symbols from /path/to/objdump...
		84
		85	warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
		86	DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
		87	(No debugging symbols found in /path/to/objdump)
		88	(gdb)
		89
		90	Unfortunately, I have not found a way to regression test this, since it
		91	requires poking ELF section headers.
		92
		93	gdb/ChangeLog:
		94	2019-10-16 Keith Seitz <keiths@redhat.com>
		95
		96	PR gdb/23567
		97	* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
		98	sections whose size is greater than the file size.
		99
		100	Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
		101
		102	CVE: CVE-2019-1010180
		103	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]
		104	[Removed Changelog entry]
		105	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
		106	---
		107	gdb/dwarf2read.c \| 9 +++++++++
		108	2 files changed, 15 insertions(+)
		109
		110	diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
		111	index 0443b55..a78f818 100644
		112	--- a/gdb/dwarf2read.c
		113	+++ b/gdb/dwarf2read.c
		114	@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd abfd, asection sectp,
		115	if ((aflag & SEC_HAS_CONTENTS) == 0)
		116	{
		117	}
		118	+ else if (elf_section_data (sectp)->this_hdr.sh_size
		119	+ > bfd_get_file_size (abfd))
		120	+ {
		121	+ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
		122	+ warning (_("Discarding section %s which has a section size (%s"
		123	+ ") larger than the file size [in module %s]"),
		124	+ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
		125	+ bfd_get_filename (abfd));
		126	+ }
		127	else if (section_is_p (sectp->name, &names.info))
		128	{
		129	this->info.s.section = sectp;
		130	--
		131	2.7.4
		132