gdb: fix CVE-2017-9778

(From OE-Core rev: d8faa8974d08651dac42afa7a7e545a4c30d813e) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-04-29 14:26:34 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-04-30 12:05:23 +0100
commit: 05d058e64597402fcb81d9789041a8ad4ca28c39 (patch)
tree: eb99c42f36058ab302ef8655e600b37271d0a0f0 /meta/recipes-devtools/gdb
parent: e2cc220b0aa9725d673b16293b73d6b470fdf4d4 (diff)
download: poky-05d058e64597402fcb81d9789041a8ad4ca28c39.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index 1fc1ec0da4..cb8d189f2a 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
           file://0011-Fix-invalid-sigprocmask-call.patch \
           file://gdbserver-ctrl-c-handling.patch \
           file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
+           file://CVE-2017-9778.patch \
 "
 SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
 SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..935f2661fe
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,99 @@
+From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+            Kang Li <kanglictf@gmail.com>
+        PR gdb/21600
+        * dwarf2-frame.c (read_initial_length): Be consistent about using
+        unsigned representation of length.
+        (decode_frame_entry_1): Likewise.  Check for wraparound of
+        end pointer as well as buffer overflow.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog      | 11 +++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 3711dc7..0a9720b 100644
+--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
+@@ -1,3 +1,14 @@
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+           Kang Li <kanglictf@gmail.com>
+
+       PR gdb/21600
+
+       * dwarf2-frame.c (read_initial_length): Be consistent about using
+       unsigned representation of length.
+       (decode_frame_entry_1): Likewise.  Check for wraparound of
+       end pointer as well as buffer overflow.
+
+
+ 2018-12-23  Joel Brobecker  <brobecker@adacore.com>
+ 
+        * version.in: Set GDB version number to 8.2.1.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 91e16cf..a7b99fd 100644
+--- a/gdb/dwarf2-frame.c
+++ b/gdb/dwarf2-frame.c
+@@ -1477,7 +1477,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+                     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
+  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
+  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
+  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
+  /* Are we still within the section?  */
+  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+    return NULL;
+
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.7.4
author	Anuj Mittal <anuj.mittal@intel.com>	2019-04-29 14:26:34 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-04-30 12:05:23 +0100
commit	05d058e64597402fcb81d9789041a8ad4ca28c39 (patch)
tree	eb99c42f36058ab302ef8655e600b37271d0a0f0 /meta/recipes-devtools/gdb
parent	e2cc220b0aa9725d673b16293b73d6b470fdf4d4 (diff)
download	poky-05d058e64597402fcb81d9789041a8ad4ca28c39.tar.gz

diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc index 1fc1ec0da4..cb8d189f2a 100644 --- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc +++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
17	file://0011-Fix-invalid-sigprocmask-call.patch \	17	file://0011-Fix-invalid-sigprocmask-call.patch \
18	file://gdbserver-ctrl-c-handling.patch \	18	file://gdbserver-ctrl-c-handling.patch \
19	file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \	19	file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
		20	file://CVE-2017-9778.patch \
20	"	21	"
21	SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"	22	SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
22	SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"	23	SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"


diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch new file mode 100644 index 0000000000..935f2661fe --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,99 @@
		1	From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
		2	From: Sandra Loosemore <sandra@codesourcery.com>
		3	Date: Thu, 25 Apr 2019 07:27:02 -0700
		4	Subject: [PATCH] Detect invalid length field in debug frame FDE header.
		5
		6	GDB was failing to catch cases where a corrupt ELF or core file
		7	contained an invalid length value in a Dwarf debug frame FDE header.
		8	It was checking for buffer overflow but not cases where the length was
		9	negative or caused pointer wrap-around.
		10
		11	In addition to the additional validity check, this patch cleans up the
		12	multiple signed/unsigned conversions on the length field so that an
		13	unsigned representation is used consistently throughout.
		14
		15	This patch fixes CVE-2017-9778 and PR gdb/21600.
		16
		17	2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
		18	Kang Li <kanglictf@gmail.com>
		19
		20	PR gdb/21600
		21
		22	* dwarf2-frame.c (read_initial_length): Be consistent about using
		23	unsigned representation of length.
		24	(decode_frame_entry_1): Likewise. Check for wraparound of
		25	end pointer as well as buffer overflow.
		26
		27	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
		28	CVE: CVE-2017-9778
		29	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		30	---
		31	gdb/ChangeLog \| 11 +++++++++++
		32	gdb/dwarf2-frame.c \| 14 +++++++-------
		33	2 files changed, 18 insertions(+), 7 deletions(-)
		34
		35	diff --git a/gdb/ChangeLog b/gdb/ChangeLog
		36	index 3711dc7..0a9720b 100644
		37	--- a/gdb/ChangeLog
		38	+++ b/gdb/ChangeLog
		39	@@ -1,3 +1,14 @@
		40	+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
		41	+ Kang Li <kanglictf@gmail.com>
		42	+
		43	+ PR gdb/21600
		44	+
		45	+ * dwarf2-frame.c (read_initial_length): Be consistent about using
		46	+ unsigned representation of length.
		47	+ (decode_frame_entry_1): Likewise. Check for wraparound of
		48	+ end pointer as well as buffer overflow.
		49	+
		50	+
		51	2018-12-23 Joel Brobecker <brobecker@adacore.com>
		52
		53	* version.in: Set GDB version number to 8.2.1.
		54	diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
		55	index 91e16cf..a7b99fd 100644
		56	--- a/gdb/dwarf2-frame.c
		57	+++ b/gdb/dwarf2-frame.c
		58	@@ -1477,7 +1477,7 @@ static ULONGEST
		59	read_initial_length (bfd abfd, const gdb_byte buf,
		60	unsigned int *bytes_read_ptr)
		61	{
		62	- LONGEST result;
		63	+ ULONGEST result;
		64
		65	result = bfd_get_32 (abfd, buf);
		66	if (result == 0xffffffff)
		67	@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit unit, const gdb_byte start,
		68	{
		69	struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
		70	const gdb_byte buf, end;
		71	- LONGEST length;
		72	+ ULONGEST length;
		73	unsigned int bytes_read;
		74	int dwarf64_p;
		75	ULONGEST cie_id;
		76	@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit unit, const gdb_byte start,
		77	buf = start;
		78	length = read_initial_length (unit->abfd, buf, &bytes_read);
		79	buf += bytes_read;
		80	- end = buf + length;
		81	-
		82	- /* Are we still within the section? */
		83	- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
		84	- return NULL;
		85	+ end = buf + (size_t) length;
		86
		87	if (length == 0)
		88	return end;
		89
		90	+ /* Are we still within the section? */
		91	+ if (end <= buf \|\| end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
		92	+ return NULL;
		93	+
		94	/* Distinguish between 32 and 64-bit encoded frame info. */
		95	dwarf64_p = (bytes_read == 12);
		96
		97	--
		98	2.7.4
		99