diff options
author | Vinay Kumar <vinay.m.engg@gmail.com> | 2019-11-05 16:32:50 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-12-06 14:49:33 +0000 |
commit | 473cb322c968605809eca1c1d9304a1fb813df06 (patch) | |
tree | 34cdf228092d26ce738be2a371a4e411235ff5ce /meta/recipes-devtools/gdb | |
parent | bb702471b5b1e6825762d985ab7b1b7b28a123c2 (diff) | |
download | poky-473cb322c968605809eca1c1d9304a1fb813df06.tar.gz |
gdb: Fix CVE-2019-1010180
Source: git://sourceware.org/git/binutils-gdb.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657
Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources.
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]
(From OE-Core rev: 82a227e54e704ef9237c1613b9d3350fa26fe9dd)
(From OE-Core rev: 0a20e92a02b3ba1687792b3607c0e30a6247b42b)
Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/gdb')
-rw-r--r-- | meta/recipes-devtools/gdb/gdb-8.3.1.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch | 132 |
2 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.3.1.inc b/meta/recipes-devtools/gdb/gdb-8.3.1.inc index 39f1c48cc7..aec913f3ce 100644 --- a/meta/recipes-devtools/gdb/gdb-8.3.1.inc +++ b/meta/recipes-devtools/gdb/gdb-8.3.1.inc | |||
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ | |||
16 | file://0009-Change-order-of-CFLAGS.patch \ | 16 | file://0009-Change-order-of-CFLAGS.patch \ |
17 | file://0010-resolve-restrict-keyword-conflict.patch \ | 17 | file://0010-resolve-restrict-keyword-conflict.patch \ |
18 | file://0011-Fix-invalid-sigprocmask-call.patch \ | 18 | file://0011-Fix-invalid-sigprocmask-call.patch \ |
19 | file://CVE-2019-1010180.patch \ | ||
19 | " | 20 | " |
20 | SRC_URI[md5sum] = "73b6a5d8141672c62bf851cd34c4aa83" | 21 | SRC_URI[md5sum] = "73b6a5d8141672c62bf851cd34c4aa83" |
21 | SRC_URI[sha256sum] = "1e55b4d7cdca7b34be12f4ceae651623aa73b2fd640152313f9f66a7149757c4" | 22 | SRC_URI[sha256sum] = "1e55b4d7cdca7b34be12f4ceae651623aa73b2fd640152313f9f66a7149757c4" |
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch new file mode 100644 index 0000000000..46b2b3a713 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch | |||
@@ -0,0 +1,132 @@ | |||
1 | From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001 | ||
2 | From: Keith Seitz <keiths@redhat.com> | ||
3 | Date: Wed, 16 Oct 2019 11:33:59 -0700 | ||
4 | Subject: [PATCH] DWARF reader: Reject sections with invalid sizes | ||
5 | |||
6 | This is another fuzzer bug, gdb/23567. This time, the fuzzer has | ||
7 | specifically altered the size of .debug_str: | ||
8 | |||
9 | $ eu-readelf -S objdump | ||
10 | Section Headers: | ||
11 | [Nr] Name Type Addr Off Size ES Flags Lk Inf Al | ||
12 | [31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1 | ||
13 | |||
14 | When this file is loaded into GDB, the DWARF reader crashes attempting | ||
15 | to access the string table (or it may just store a bunch of nonsense): | ||
16 | |||
17 | [gdb-8.3-6-fc30] | ||
18 | $ gdb -nx -q objdump | ||
19 | BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size | ||
20 | Reading symbols from /path/to/objdump... | ||
21 | Segmentation fault (core dumped) | ||
22 | |||
23 | Nick has already committed a BFD patch to issue the warning seen above. | ||
24 | |||
25 | [gdb master 6acc1a0b] | ||
26 | $ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size | ||
27 | Reading symbols from /path/to/objdump... | ||
28 | (gdb) inf func | ||
29 | All defined functions: | ||
30 | |||
31 | File ./../include/dwarf2.def: | ||
32 | 186: const | ||
33 | |||
34 | 8 *>(.: | ||
35 | ;'@�B); | ||
36 | 747: const | ||
37 | |||
38 | 8 *�(.: | ||
39 | ;'@�B); | ||
40 | 701: const | ||
41 | |||
42 | 8 *�D � | ||
43 | (.: | ||
44 | ;'@�B); | ||
45 | 71: const | ||
46 | |||
47 | 8 *(.: | ||
48 | ;'@�B); | ||
49 | /* and more gibberish */ | ||
50 | |||
51 | Consider read_indirect_string_at_offset_from: | ||
52 | |||
53 | static const char * | ||
54 | read_indirect_string_at_offset_from (struct objfile *objfile, | ||
55 | bfd *abfd, LONGEST str_offset, | ||
56 | struct dwarf2_section_info *sect, | ||
57 | const char *form_name, | ||
58 | const char *sect_name) | ||
59 | { | ||
60 | dwarf2_read_section (objfile, sect); | ||
61 | if (sect->buffer == NULL) | ||
62 | error (_("%s used without %s section [in module %s]"), | ||
63 | form_name, sect_name, bfd_get_filename (abfd)); | ||
64 | if (str_offset >= sect->size) | ||
65 | error (_("%s pointing outside of %s section [in module %s]"), | ||
66 | form_name, sect_name, bfd_get_filename (abfd)); | ||
67 | gdb_assert (HOST_CHAR_BIT == 8); | ||
68 | if (sect->buffer[str_offset] == '\0') | ||
69 | return NULL; | ||
70 | return (const char *) (sect->buffer + str_offset); | ||
71 | } | ||
72 | |||
73 | With sect_size being ginormous, the code attempts to access | ||
74 | sect->buffer[GINORMOUS], and depending on the layout of memory, | ||
75 | GDB either stores a bunch of gibberish strings or crashes. | ||
76 | |||
77 | This is an attempt to mitigate this by implementing a similar approach | ||
78 | used by BFD. In our case, we simply reject the section with the invalid | ||
79 | length: | ||
80 | |||
81 | $ ./gdb -nx -q objdump | ||
82 | BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size | ||
83 | Reading symbols from /path/to/objdump... | ||
84 | |||
85 | warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump] | ||
86 | DW_FORM_strp used without .debug_str section [in module /path/to/objdump] | ||
87 | (No debugging symbols found in /path/to/objdump) | ||
88 | (gdb) | ||
89 | |||
90 | Unfortunately, I have not found a way to regression test this, since it | ||
91 | requires poking ELF section headers. | ||
92 | |||
93 | gdb/ChangeLog: | ||
94 | 2019-10-16 Keith Seitz <keiths@redhat.com> | ||
95 | |||
96 | PR gdb/23567 | ||
97 | * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard | ||
98 | sections whose size is greater than the file size. | ||
99 | |||
100 | Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f | ||
101 | |||
102 | CVE: CVE-2019-1010180 | ||
103 | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] | ||
104 | [Removed Changelog entry] | ||
105 | Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> | ||
106 | --- | ||
107 | gdb/dwarf2read.c | 9 +++++++++ | ||
108 | 2 files changed, 15 insertions(+) | ||
109 | |||
110 | diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c | ||
111 | index 0443b55..a78f818 100644 | ||
112 | --- a/gdb/dwarf2read.c | ||
113 | +++ b/gdb/dwarf2read.c | ||
114 | @@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp, | ||
115 | if ((aflag & SEC_HAS_CONTENTS) == 0) | ||
116 | { | ||
117 | } | ||
118 | + else if (elf_section_data (sectp)->this_hdr.sh_size | ||
119 | + > bfd_get_file_size (abfd)) | ||
120 | + { | ||
121 | + bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size; | ||
122 | + warning (_("Discarding section %s which has a section size (%s" | ||
123 | + ") larger than the file size [in module %s]"), | ||
124 | + bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)), | ||
125 | + bfd_get_filename (abfd)); | ||
126 | + } | ||
127 | else if (section_is_p (sectp->name, &names.info)) | ||
128 | { | ||
129 | this->info.s.section = sectp; | ||
130 | -- | ||
131 | 2.7.4 | ||
132 | |||