diff --git a/gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch b/gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch new file mode 100644 index 0000000000000000000000000000000000000000..b8d2ffee3c65b41ece450f755b09e1b47c48a7ae --- /dev/null +++ b/gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch @@ -0,0 +1,75 @@ +From 723adb650a31859d7cc45832cb8adca0206455ed Mon Sep 17 00:00:00 2001 +From: Sandra Loosemore +Date: Thu, 25 Apr 2019 07:27:02 -0700 +Subject: [PATCH] Detect invalid length field in debug frame FDE header. + +GDB was failing to catch cases where a corrupt ELF or core file +contained an invalid length value in a Dwarf debug frame FDE header. +It was checking for buffer overflow but not cases where the length was +negative or caused pointer wrap-around. + +In addition to the additional validity check, this patch cleans up the +multiple signed/unsigned conversions on the length field so that an +unsigned representation is used consistently throughout. + +This patch fixes CVE-2017-9778 and PR gdb/21600. + +2019-04-25 Sandra Loosemore + Kang Li + + PR gdb/21600 + + * dwarf2-frame.c (read_initial_length): Be consistent about using + unsigned representation of length. + (decode_frame_entry_1): Likewise. Check for wraparound of + end pointer as well as buffer overflow. +--- + gdb/dwarf2-frame.c | 14 +++++++------- + 1 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c +index e2bf61b..b697afa 100644 +--- a/gdb/dwarf2-frame.c ++++ b/gdb/dwarf2-frame.c +@@ -1487,7 +1487,7 @@ static ULONGEST + read_initial_length (bfd *abfd, const gdb_byte *buf, + unsigned int *bytes_read_ptr) + { +- LONGEST result; ++ ULONGEST result; + + result = bfd_get_32 (abfd, buf); + if (result == 0xffffffff) +@@ -1788,7 +1788,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, + { + struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); + const gdb_byte *buf, *end; +- LONGEST length; ++ ULONGEST length; + unsigned int bytes_read; + int dwarf64_p; + ULONGEST cie_id; +@@ -1799,15 +1799,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, + buf = start; + length = read_initial_length (unit->abfd, buf, &bytes_read); + buf += bytes_read; +- end = buf + length; +- +- /* Are we still within the section? */ +- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) +- return NULL; ++ end = buf + (size_t) length; + + if (length == 0) + return end; + ++ /* Are we still within the section? */ ++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) ++ return NULL; ++ + /* Distinguish between 32 and 64-bit encoded frame info. */ + dwarf64_p = (bytes_read == 12); + +-- +2.9.3 + diff --git a/gdb.spec b/gdb.spec index 56e8f9d995eefe512e4ef7d3fa8fdc8878d5cbe3..0c7c19e4ba5cd7ea1c6db9fcaad07f15af70e111 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 8.3.1 -Release: 9 +Release: 10 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -167,6 +167,10 @@ Patch120: gdb-rhbz1723564-gdb-crash-PYTHONMALLOC-debug.patch Patch121: gdb-rhbz1553086-binutils-warning-loadable-section-outside-elf.patch # Fedora patch end +# Patch from upstream +Patch6000: gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch +# Upstream patch end + BuildRequires: rpm-libs BuildRequires: readline-devel >= 6.2-4 BuildRequires: gcc-c++ ncurses-devel texinfo gettext flex bison @@ -414,6 +418,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Mon Feb 3 2020 yuxiangyang - 8.3.1-10 +- fix CVE-2017-9778 + * Thu Jan 16 2020 openEuler Buildteam - 8.3.1-9 - rpm upgrade successful, delete the dependence to librpm8