diff options
Diffstat (limited to 'meta/recipes-devtools/gdb/gdb')
-rw-r--r-- | meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch new file mode 100644 index 0000000000..6445455bde --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Tromey <tromey@adacore.com> | ||
3 | Date: Wed, 16 Aug 2023 11:29:19 -0600 | ||
4 | Subject: [PATCH] Avoid buffer overflow in ada_decode | ||
5 | |||
6 | A bug report pointed out a buffer overflow in ada_decode, which Keith | ||
7 | helpfully analyzed. ada_decode had a logic error when the input was | ||
8 | all digits. While this isn't valid -- and would probably only appear | ||
9 | in fuzzer tests -- it still should be handled properly. | ||
10 | |||
11 | This patch adds a missing bounds check. Tested with the self-tests in | ||
12 | an asan build. | ||
13 | |||
14 | Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 | ||
15 | Reviewed-by: Keith Seitz <keiths@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] | ||
18 | CVE: CVE-2023-39128 | ||
19 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
20 | --- | ||
21 | gdb/ada-lang.c | 19 ++++++++++++++++++- | ||
22 | 1 file changed, 18 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c | ||
25 | index 0c2d4fc..40852b6 100644 | ||
26 | --- a/gdb/ada-lang.c | ||
27 | +++ b/gdb/ada-lang.c | ||
28 | @@ -56,6 +56,7 @@ | ||
29 | #include "cli/cli-utils.h" | ||
30 | #include "gdbsupport/function-view.h" | ||
31 | #include "gdbsupport/byte-vector.h" | ||
32 | +#include "gdbsupport/selftest.h" | ||
33 | #include <algorithm> | ||
34 | |||
35 | /* Define whether or not the C operator '/' truncates towards zero for | ||
36 | @@ -1184,7 +1185,7 @@ ada_decode (const char *encoded) | ||
37 | i -= 1; | ||
38 | if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') | ||
39 | len0 = i - 1; | ||
40 | - else if (encoded[i] == '$') | ||
41 | + else if (i >= 0 && encoded[i] == '$') | ||
42 | len0 = i; | ||
43 | } | ||
44 | |||
45 | @@ -1350,6 +1351,18 @@ Suppress: | ||
46 | |||
47 | } | ||
48 | |||
49 | +#ifdef GDB_SELF_TEST | ||
50 | + | ||
51 | +static void | ||
52 | +ada_decode_tests () | ||
53 | +{ | ||
54 | + /* This isn't valid, but used to cause a crash. PR gdb/30639. The | ||
55 | + result does not really matter very much. */ | ||
56 | + SELF_CHECK (ada_decode ("44") == "44"); | ||
57 | +} | ||
58 | + | ||
59 | +#endif | ||
60 | + | ||
61 | /* Table for keeping permanent unique copies of decoded names. Once | ||
62 | allocated, names in this table are never released. While this is a | ||
63 | storage leak, it should not be significant unless there are massive | ||
64 | @@ -14345,4 +14358,8 @@ DWARF attribute."), | ||
65 | gdb::observers::new_objfile.attach (ada_new_objfile_observer); | ||
66 | gdb::observers::free_objfile.attach (ada_free_objfile_observer); | ||
67 | gdb::observers::inferior_exit.attach (ada_inferior_exit); | ||
68 | + | ||
69 | +#ifdef GDB_SELF_TEST | ||
70 | + selftests::register_test ("ada-decode", ada_decode_tests); | ||
71 | +#endif | ||
72 | } | ||
73 | -- | ||
74 | 2.24.4 | ||
75 | |||