From a2055ea3cefa92cfa677ad39f4c87dac7dec216e Mon Sep 17 00:00:00 2001 From: liningjie Date: Fri, 28 Jul 2023 13:10:08 +0800 Subject: [PATCH] fix CVE-2023-39128 --- backport-CVE-2023-39128.patch | 71 +++++++++++++++++++++++++++++++++++ gdb.spec | 6 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-39128.patch diff --git a/backport-CVE-2023-39128.patch b/backport-CVE-2023-39128.patch new file mode 100644 index 0000000..52f86d2 --- /dev/null +++ b/backport-CVE-2023-39128.patch 
@@ -0,0 +1,71 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 4a9a6e0f38f..2f934b1e79a 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + #include "charset.h" +@@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1574,6 +1575,18 @@ Suppress: + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. 
While this is a + storage leak, it should not be significant unless there are massive +@@ -13984,4 +13997,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.39.3 + diff --git a/gdb.spec b/gdb.spec index 50b87b7..50bf43d 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 12.1 -Release: 6 +Release: 7 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: https://ftp.gnu.org/gnu/gdb/gdb-%{version}.tar.xz @@ -94,6 +94,7 @@ Patch81: gdb-Use-bool-for-evregpy_no_listeners_p.patch Patch82: gdb-Make-import-gdb.events-work.patch Patch83: gdb-Handle-Python-3.11-deprecation-of-PySys_SetPath-and-.patch Patch84: gdb-libctf-update-regexp-to-allow-makeinfo-to-build-docu.patch +Patch85: backport-CVE-2023-39128.patch %global gdb_src gdb-%{version} %global gdb_build build-%{_target_platform} @@ -369,6 +370,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/ctf-spec.info.gz %changelog +* Sat Sep 2 2023 liningjie - 12.1-7 +- fix CVE-2023-39128 + * Thu Aug 3 2023 Wenyu Liu - 12.1-6 - libctf: update regexp to allow makeinfo to build document -- Gitee
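Review bot: The one-token guard `else if (i >= 0 && encoded[i] == '$')` is the entire fix and it reads correctly: when the suffix-stripping loop above it (outside the hunk, as is the rest of `ada_decode`) runs `i` below zero on an all-digit input such as the `"44"` used by the new self-test, the old branch indexed `encoded[i]` with a negative `i`, an out-of-bounds read before the start of the buffer, and the new check stops that. The regression test is compiled only under `GDB_SELF_TEST` and registered as `ada-decode`, so it is exercised only if the package build enables unit tests and a `%check` runs `maint selftest ada-decode`; nothing in this commit shows either, so the test is presumably not run by the build. The patch is the upstream commit with master line numbers (`@@ -1377` / `@@ -13984`) rather than a rebased backport, and as rendered here the `#include` context line before `"ada-exp.h"` has lost its header name; confirm the committed file is complete and applies to gdb 12.1's `gdb/ada-lang.c` without rejects (12.1 should already have the `(const char *encoded, bool wrap, bool operators)` signature used as hunk context, but that is inferred, not visible here).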
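Review bot: `Patch85: backport-CVE-2023-39128.patch` is declared but nothing in the hunk applies it, and whether it takes effect depends on the `%prep` section outside this view: with `%autosetup`/`%autopatch` the declaration alone is enough, but if the spec applies patches individually a matching `%patch85 -p1` is required, otherwise the build succeeds while leaving CVE-2023-39128 unfixed and the changelog claims a fix that is not in the binary. Worth confirming with `rpmbuild -bp` (or by grepping the prepared tree for `i >= 0 && encoded[i] == '$'`) that the hunk in `gdb/ada-lang.c` actually lands.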