From c2644c6afc4dffc5a31460beddd7a0b99fe12325 Mon Sep 17 00:00:00 2001 From: Vinay Kumar Date: Fri, 17 Jan 2020 19:14:25 +0200 Subject: gdb: Fix CVE-2019-1010180 Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Adrian Bunk Signed-off-by: Richard Purdie --- meta/recipes-devtools/gdb/gdb-8.2.1.inc | 1 + .../gdb/gdb/CVE-2019-1010180.patch | 132 +++++++++++++++++++++ 2 files changed, 133 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index f28b57439c..8fa48171f4 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -19,6 +19,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
 file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
 file://CVE-2017-9778.patch \
 file://0012-AArch64-Fix-the-gdb-build-with-musl-libc.patch \
+ file://CVE-2019-1010180.patch \
 "
 SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
 SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
new file mode 100644
index 0000000000..46b2b3a713
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
@@ -0,0 +1,132 @@
+From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
+From: Keith Seitz
+Date: Wed, 16 Oct 2019 11:33:59 -0700
+Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
+
+This is another fuzzer bug, gdb/23567. This time, the fuzzer has
+specifically altered the size of .debug_str:
+
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
+[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
+
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+
+Nick has already committed a BFD patch to issue the warning seen above.
+
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func +All defined functions: + +File ./../include/dwarf2.def: +186: const + + 8 *>(.: + ;'@�B); +747: const + + 8 *�(.: + ;'@�B); +701: const + + 8 *�D � + (.: + ;'@�B); +71: const + + 8 *(.: + ;'@�B); +/* and more gibberish */ + +Consider read_indirect_string_at_offset_from: + +static const char * +read_indirect_string_at_offset_from (struct objfile *objfile, + bfd *abfd, LONGEST str_offset, + struct dwarf2_section_info *sect, + const char *form_name, + const char *sect_name) +{ + dwarf2_read_section (objfile, sect); + if (sect->buffer == NULL) + error (_("%s used without %s section [in module %s]"), + form_name, sect_name, bfd_get_filename (abfd)); + if (str_offset >= sect->size) + error (_("%s pointing outside of %s section [in module %s]"), + form_name, sect_name, bfd_get_filename (abfd)); + gdb_assert (HOST_CHAR_BIT == 8); + if (sect->buffer[str_offset] == '\0') + return NULL; + return (const char *) (sect->buffer + str_offset); +} + +With sect_size being ginormous, the code attempts to access +sect->buffer[GINORMOUS], and depending on the layout of memory, +GDB either stores a bunch of gibberish strings or crashes. + +This is an attempt to mitigate this by implementing a similar approach +used by BFD. In our case, we simply reject the section with the invalid +length: + +$ ./gdb -nx -q objdump +BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size +Reading symbols from /path/to/objdump... + +warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump] +DW_FORM_strp used without .debug_str section [in module /path/to/objdump] +(No debugging symbols found in /path/to/objdump) +(gdb) + +Unfortunately, I have not found a way to regression test this, since it +requires poking ELF section headers. 
+
+gdb/ChangeLog:
+2019-10-16 Keith Seitz
+
+ PR gdb/23567
+ * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+ sections whose size is greater than the file size.
+
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+
+CVE: CVE-2019-1010180
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]
+[Removed Changelog entry]
+Signed-off-by: Vinay Kumar
+---
+ gdb/dwarf2read.c | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+index 0443b55..a78f818 100644
+--- a/gdb/dwarf2read.c
++++ b/gdb/dwarf2read.c
+@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
+ if ((aflag & SEC_HAS_CONTENTS) == 0)
+ {
+ }
++ else if (elf_section_data (sectp)->this_hdr.sh_size
++ > bfd_get_file_size (abfd))
++ {
++ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
++ warning (_("Discarding section %s which has a section size (%s"
++ ") larger than the file size [in module %s]"),
++ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
++ bfd_get_filename (abfd));
++ }
+ else if (section_is_p (sectp->name, &names.info))
+ {
+ this->info.s.section = sectp;
+--
+2.7.4
+
-- cgit v1.2.3-54-g00ecf
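Review bot: The new guard reads `elf_section_data (sectp)->this_hdr.sh_size`, but `dwarf2_per_objfile::locate_sections` takes a generic `bfd *abfd` / `asection *sectp`, so for a non-ELF objfile that carries DWARF sections (PE/COFF, Mach-O) the accessor reinterprets the section's BFD-private data as an ELF header, which makes the comparison meaningless at best and, if that pointer is null or refers to an unrelated struct, a new crash path (inferred; the non-ELF layout is not visible here). The format-independent size BFD already exposes, in the same two-argument style the hunk uses for `bfd_section_name (abfd, sectp)`, would keep the check valid for every object format the reader sees: `else if (bfd_section_size (abfd, sectp) > bfd_get_file_size (abfd))`. The guard also compares only the section's size against the file size, so a section whose file offset plus size runs past the end of the file still passes here and is left to whatever bounds checks follow later in the reader, which lie outside this hunk. Only the middle of the `else if` chain is shown; locate_sections begins and ends outside the hunk. A one-line comment above the new branch, `/* PR gdb/23567: a section header may claim more bytes than the file holds; discard it so later buffer[offset] reads stay inside the mapping.  */`, would record why the section is dropped instead of read.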