From 4e2f76637bb3cddaa63c0cbadacc52148d8a4118 Mon Sep 17 00:00:00 2001 From: "caomeng5@huawei.com" Date: Wed, 25 Dec 2019 09:39:52 +0800 Subject: [PATCH 1/2] fix CVE-2017-9778 --- ...ngth-field-in-debug-frame-FDE-header.patch | 76 +++++++++++++++++++ gdb.spec | 10 ++- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch diff --git a/gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch b/gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch new file mode 100644 index 0000000..fa4cf2a --- /dev/null +++ b/gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch @@ -0,0 +1,76 @@ +From 723adb650a31859d7cc45832cb8adca0206455ed Mon Sep 17 00:00:00 2001 +From: Sandra Loosemore +Date: Thu, 25 Apr 2019 07:27:02 -0700 +Subject: [PATCH] Detect invalid length field in debug frame FDE header. + +GDB was failing to catch cases where a corrupt ELF or core file +contained an invalid length value in a Dwarf debug frame FDE header. +It was checking for buffer overflow but not cases where the length was +negative or caused pointer wrap-around. + +In addition to the additional validity check, this patch cleans up the +multiple signed/unsigned conversions on the length field so that an +unsigned representation is used consistently throughout. + +This patch fixes CVE-2017-9778 and PR gdb/21600. + +2019-04-25 Sandra Loosemore + Kang Li + + PR gdb/21600 + + * dwarf2-frame.c (read_initial_length): Be consistent about using + unsigned representation of length. + (decode_frame_entry_1): Likewise. Check for wraparound of + end pointer as well as buffer overflow. +--- + gdb/ChangeLog | 10 ++++++++++ + gdb/dwarf2-frame.c | 14 +++++++------- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c +index e2bf61b..b697afa 100644 +--- a/gdb/dwarf2-frame.c ++++ b/gdb/dwarf2-frame.c +@@ -1487,7 +1487,7 @@ static ULONGEST + read_initial_length (bfd *abfd, const gdb_byte *buf, + unsigned int *bytes_read_ptr) + { +- LONGEST result; ++ ULONGEST result; + + result = bfd_get_32 (abfd, buf); + if (result == 0xffffffff) +@@ -1788,7 +1788,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, + { + struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); + const gdb_byte *buf, *end; +- LONGEST length; ++ ULONGEST length; + unsigned int bytes_read; + int dwarf64_p; + ULONGEST cie_id; +@@ -1799,15 +1799,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, + buf = start; + length = read_initial_length (unit->abfd, buf, &bytes_read); + buf += bytes_read; +- end = buf + length; +- +- /* Are we still within the section? */ +- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) +- return NULL; ++ end = buf + (size_t) length; + + if (length == 0) + return end; + ++ /* Are we still within the section? */ ++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) ++ return NULL; ++ + /* Distinguish between 32 and 64-bit encoded frame info. */ + dwarf64_p = (bytes_read == 12); + +-- +2.9.3 + diff --git a/gdb.spec b/gdb.spec index c94b93f..ae4ffa7 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 8.2 -Release: 4 +Release: 5 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -179,6 +179,8 @@ Patch132: gdb-rhbz1491128-batch-mode-exit-status-1of2.patch Patch133: gdb-rhbz1491128-batch-mode-exit-status-2of2.patch Patch134: gdb-use-pulongest-aarch64-linux-tdep.patch +Patch6000: gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch + BuildRequires: rpm-libs BuildRequires: readline-devel >= 6.2-4 BuildRequires: gcc-c++ ncurses-devel texinfo gettext flex bison @@ -426,5 +428,11 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Thu Dec 19 2019 yeyunfeng - 8.2-5 +- Type:cves +- ID:CVE-2017-9778 +- SUG:NA +- DESC: fix CVE-2017-9778 + * Wed Sep 11 2019 openEuler Buildteam - 8.2-4 - Package init -- Gitee From 1696f38442f7c5198e32655cec170ac73d92cbfb Mon Sep 17 00:00:00 2001 From: "caomeng5@huawei.com" Date: Wed, 25 Dec 2019 09:47:15 +0800 Subject: [PATCH 2/2] modify the requirement about python --- gdb.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/gdb.spec b/gdb.spec index ae4ffa7..20ef824 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 8.2 -Release: 5 +Release: 6 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -8,6 +8,7 @@ URL: http://gnu.org/software/gdb/ %global gdb_src gdb-%{version} %global gdb_build build-%{_target_platform} +%global __python %{__python3} %undefine _debuginfo_subpackages @@ -428,6 +429,12 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Tue Dec 24 2019 yuxiangyang - 8.2-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: Modify the requirement about python2/3 when compilation rpm. + * Thu Dec 19 2019 yeyunfeng - 8.2-5 - Type:cves - ID:CVE-2017-9778 -- Gitee