authorVinay Kumar <vinay.m.engg@gmail.com>2020-01-17 17:14:25 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-01-28 11:15:01 (GMT)
commitc2644c6afc4dffc5a31460beddd7a0b99fe12325 (patch)
tree90e0aa6f10a2ee97682e46b00fffc37684ea7502
parent60ce01fec873367d0a5ab7d317d3bee95b4b75ac (diff)
downloadpoky-c2644c6afc4dffc5a31460beddd7a0b99fe12325.tar.gz
gdb: Fix CVE-2019-1010180
Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/gdb/gdb-8.2.1.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch132
2 files changed, 133 insertions, 0 deletions
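--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -19,6 +19,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
  file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
  file://CVE-2017-9778.patch \
  file://0012-AArch64-Fix-the-gdb-build-with-musl-libc.patch \
+ file://CVE-2019-1010180.patch \
  "
 SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
 SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"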
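Review bot: The commit description says the upstream fix was backported to gdb-8.3.1 sources, yet the only recipe changed is meta/recipes-devtools/gdb/gdb-8.2.1.inc, so the message and the version actually patched disagree; the description should name 8.2.1, or the 8.3.1 claim should be checked against this recipe. The embedded patch carries the upstream `index 0443b55..a78f818` and targets dwarf2read.c at line 2338, so it is worth confirming that the hunk applied without offset or fuzz to the 8.2.1 tarball this recipe fetches. Nothing else in the SRC_URI list changes.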
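--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch
@@ -0,0 +1,132 @@
+From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
+From: Keith Seitz <keiths@redhat.com>
+Date: Wed, 16 Oct 2019 11:33:59 -0700
+Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
+
+This is another fuzzer bug, gdb/23567. This time, the fuzzer has
+specifically altered the size of .debug_str:
+
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
+[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
+
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+
+Nick has already committed a BFD patch to issue the warning seen above.
+
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func
+All defined functions:
+
+File ./../include/dwarf2.def:
+186: const
+
+ 8 *>(.:
+ ;'@�B);
+747: const
+
+ 8 *�(.:
+ ;'@�B);
+701: const
+
+ 8 *�D �
+ (.:
+ ;'@�B);
+71: const
+
+ 8 *(.:
+ ;'@�B);
+/* and more gibberish */
+
+Consider read_indirect_string_at_offset_from:
+
+static const char *
+read_indirect_string_at_offset_from (struct objfile *objfile,
+ bfd *abfd, LONGEST str_offset,
+ struct dwarf2_section_info *sect,
+ const char *form_name,
+ const char *sect_name)
+{
+ dwarf2_read_section (objfile, sect);
+ if (sect->buffer == NULL)
+ error (_("%s used without %s section [in module %s]"),
+ form_name, sect_name, bfd_get_filename (abfd));
+ if (str_offset >= sect->size)
+ error (_("%s pointing outside of %s section [in module %s]"),
+ form_name, sect_name, bfd_get_filename (abfd));
+ gdb_assert (HOST_CHAR_BIT == 8);
+ if (sect->buffer[str_offset] == '\0')
+ return NULL;
+ return (const char *) (sect->buffer + str_offset);
+}
+
+With sect_size being ginormous, the code attempts to access
+sect->buffer[GINORMOUS], and depending on the layout of memory,
+GDB either stores a bunch of gibberish strings or crashes.
+
+This is an attempt to mitigate this by implementing a similar approach
+used by BFD. In our case, we simply reject the section with the invalid
+length:
+
+$ ./gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+
+warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
+DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
+(No debugging symbols found in /path/to/objdump)
+(gdb)
+
+Unfortunately, I have not found a way to regression test this, since it
+requires poking ELF section headers.
+
+gdb/ChangeLog:
+2019-10-16 Keith Seitz <keiths@redhat.com>
+
+ PR gdb/23567
+ * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+ sections whose size is greater than the file size.
+
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+
+CVE: CVE-2019-1010180
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]
+[Removed Changelog entry]
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ gdb/dwarf2read.c | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+index 0443b55..a78f818 100644
+--- a/gdb/dwarf2read.c
++++ b/gdb/dwarf2read.c
+@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
+ if ((aflag & SEC_HAS_CONTENTS) == 0)
+ {
+ }
++ else if (elf_section_data (sectp)->this_hdr.sh_size
++ > bfd_get_file_size (abfd))
++ {
++ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
++ warning (_("Discarding section %s which has a section size (%s"
++ ") larger than the file size [in module %s]"),
++ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
++ bfd_get_filename (abfd));
++ }
+ else if (section_is_p (sectp->name, &names.info))
+ {
+ this->info.s.section = sectp;
+--
+2.7.4
+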
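Review bot: The diffstat inside the backported patch is stale: it lists only `gdb/dwarf2read.c | 9 +++++++++` but then claims `2 files changed, 15 insertions(+)`, a leftover from the "[Removed Changelog entry]" step; `git apply` does not read that line, but it should read `1 file changed, 9 insertions(+)` so the file describes what it applies. In the code hunk the new guard dereferences `elf_section_data (sectp)` before comparing against `bfd_get_file_size (abfd)`; locate_sections starts and ends outside the hunk, so whether a non-ELF BFD can reach this branch, and what the file-size accessor returns when it fails, cannot be told from here and is worth confirming against the gdb-8.2.1 tree this recipe builds. A short comment on the new branch, such as `/* Reject sections whose header size exceeds the file: a fuzzed sh_size otherwise lets the DWARF reader index past the section buffer (PR gdb/23567).  */`, would tie the check to the bug it mitigates for the next backporter.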