diff --git a/backport-CVE-2023-39129.patch b/backport-CVE-2023-39129.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c2083cecd6f87f2e7b7c9d29aeb2f37cb465e577
--- /dev/null
+++ b/backport-CVE-2023-39129.patch
@@ -0,0 +1,125 @@ +From 58abdf887821a5da09ba184c6e400a3bc5cccd5a Mon Sep 17 00:00:00 2001 +From: Keith Seitz +Date: Wed, 2 Aug 2023 08:35:11 -0700 +Subject: [PATCH] Verify COFF symbol stringtab offset + +This patch addresses an issue with malformed/fuzzed debug information that +was recently reported in gdb/30639. That bug specifically deals with +an ASAN issue, but the reproducer provided by the reporter causes a +another failure outside of ASAN: + +$ ./gdb --data-directory data-directory -nx -q UAF_2 +Reading symbols from /home/keiths/UAF_2... + + +Fatal signal: Segmentation fault +----- Backtrace ----- +0x59a53a gdb_internal_backtrace_1 + ../../src/gdb/bt-utils.c:122 +0x59a5dd _Z22gdb_internal_backtracev + ../../src/gdb/bt-utils.c:168 +0x786380 handle_fatal_signal + ../../src/gdb/event-top.c:889 +0x7864ec handle_sigsegv + ../../src/gdb/event-top.c:962 +0x7ff354c5fb6f ??? +0x611f9a process_coff_symbol + ../../src/gdb/coffread.c:1556 +0x611025 coff_symtab_read + ../../src/gdb/coffread.c:1172 +0x60f8ff coff_read_minsyms + ../../src/gdb/coffread.c:549 +0x60fe4b coff_symfile_read + ../../src/gdb/coffread.c:698 +0xbde0f6 read_symbols + ../../src/gdb/symfile.c:772 +0xbde7a3 syms_from_objfile_1 + ../../src/gdb/symfile.c:966 +0xbde867 syms_from_objfile + ../../src/gdb/symfile.c:983 +0xbded42 symbol_file_add_with_addrs + ../../src/gdb/symfile.c:1086 +0xbdf083 _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile + ../../src/gdb/symfile.c:1166 +0xbdf0d2 _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE + ../../src/gdb/symfile.c:1179 +0xbdf197 symbol_file_add_main_1 + ../../src/gdb/symfile.c:1203 +0xbdf13e _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE + ../../src/gdb/symfile.c:1194 +0x90f97f symbol_file_add_main_adapter + ../../src/gdb/main.c:549 +0x90f895 catch_command_errors + 
../../src/gdb/main.c:518 +0x9109b6 captured_main_1 + ../../src/gdb/main.c:1203 +0x910fc8 captured_main + ../../src/gdb/main.c:1310 +0x911067 _Z8gdb_mainP18captured_main_args + ../../src/gdb/main.c:1339 +0x418c71 main + ../../src/gdb/gdb.c:39 +--------------------- +A fatal error internal to GDB has been detected, further +debugging is not possible. GDB will now terminate. + +This is a bug, please report it. For instructions, see: +. + +Segmentation fault (core dumped) + +The issue here is that the COFF offset for the fuzzed symbol's +name is outside the string table. That is, the offset is greater +than the actual string table size. + +coffread.c:getsymname actually contains a FIXME about this, and that's +what I've chosen to address to fix this issue, following what is done +in the DWARF reader: + +$ ./gdb --data-directory data-directory -nx -q UAF_2 +Reading symbols from /home/keiths/UAF_2... +COFF Error: string table offset (256) outside string table (length 0) +(gdb) + +Unfortunately, I haven't any idea how else to test this patch since +COFF is not very common anymore. GCC removed support for it five +years ago with GCC 8. +--- + gdb/coffread.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/gdb/coffread.c b/gdb/coffread.c +index f8e14d8ad93..ae7632d49cb 100644 +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -159,6 +159,7 @@ static file_ptr linetab_offset; + static file_ptr linetab_size; + + static char *stringtab = NULL; ++static long stringtab_length = 0; + + extern void stabsread_clear_cache (void); + +@@ -1303,6 +1304,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr *stora + /* This is in target format (probably not very useful, and not + currently used), not host format. */ + memcpy (stringtab, lengthbuf, sizeof lengthbuf); ++ stringtab_length = length; + if (length == sizeof length) /* Empty table -- just the count. 
*/ + return 0; + +@@ -1322,8 +1324,9 @@ getsymname (struct internal_syment *symbol_entry) + + if (symbol_entry->_n._n_n._n_zeroes == 0) + { +- /* FIXME: Probably should be detecting corrupt symbol files by +- seeing whether offset points to within the stringtab. */ ++ if (symbol_entry->_n._n_n._n_offset > stringtab_length) ++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), ++ symbol_entry->_n._n_n._n_offset, stringtab_length); + result = stringtab + symbol_entry->_n._n_n._n_offset; + } + else +-- +2.41.0.windows.3 + diff --git a/gdb.spec b/gdb.spec index 3ffe066944c3f3a5e3e053ef6ab163605195be5d..7816909bcb56d898a43cad442ed4a4b4ab60297f 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 11.1 -Release: 6 +Release: 7 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -94,7 +94,6 @@ Patch81: gdb-rhbz2022177-dprintf-2.patch # Fedra patch end Patch82: 0001-Make-c-exp.y-work-with-Bison-3.8.patch -Patch1000: backport-CVE-2023-39128.patch %ifarch loongarch64 Patch83: 0001-gdb-Add-LoongArch-bfd-support.patch @@ -104,6 +103,9 @@ Patch86: 0004-gdbserver-Add-LoongArch-port-support.patch Patch87: 0005-gdb-Add-LoongArch-clfs-system.patch %endif +Patch88: backport-CVE-2023-39128.patch +Patch89: backport-CVE-2023-39129.patch + %global gdb_src gdb-%{version} %global gdb_build build-%{_target_platform} %global __python %{__python3} @@ -379,6 +381,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Thu Oct 12 2023 liningjie - 11.1-7 +- fix CVE-2023-39129 + * Mon Sep 4 2023 Liu Chao - 11.1-6 - correct patch's commit message
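Review bot: The new bound in getsymname is off by one: an `_n_offset` equal to `stringtab_length` passes the `>` test yet `stringtab + _n_offset` then points one past the table (the hunk shows the table's own length word is copied to offsets 0–3, so valid string offsets lie strictly below `stringtab_length`), and nothing checks that the string starting at `result` is NUL-terminated before the end of the buffer, so a crafted last entry can still read past the allocation. I would tighten the condition to `if (symbol_entry->_n._n_n._n_offset >= stringtab_length || memchr (stringtab + symbol_entry->_n._n_n._n_offset, '\0', stringtab_length - symbol_entry->_n._n_n._n_offset) == NULL)` in front of the same `error` call, assuming `stringtab` is allocated with exactly `length` bytes (the allocation is not in the hunk). Separately, `stringtab_length` is only assigned after the `memcpy` in init_stringtab; if that function returns on an earlier failure path, which is outside this hunk, the previous objfile's length would be compared against a stale or NULL `stringtab`, so resetting `stringtab_length = 0` wherever `stringtab` is freed or reset would make the check self-contained. The `%ld` conversions also presume both operands are `long`; if `_n_offset` is BFD's unsigned host-pointer type, casting it in the `error` call avoids a format mismatch. Both getsymname and init_stringtab begin and end outside this hunk.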
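Review bot: Renumbering the CVE-2023-39128 backport from `Patch1000` to `Patch88` in this hunk is only safe if %prep applies patches generically (`%autosetup -p1` or `%autopatch`); %prep is not in this diff, and if it still carries an explicit `%patch1000 -p1` line the build will fail, with `%patch88 -p1` and `%patch89 -p1` needed in its place. The two new `Patch88:`/`Patch89:` lines also carry no hint of what they fix beyond the filename; a one-line comment such as `# Upstream 58abdf887821 (gdb/30639): bounds-check COFF symbol string-table offsets` above `Patch89:` would help the next rebase decide whether the backport is still needed. The changelog for 11.1-7 mentions only CVE-2023-39129, so the renumbering of the 39128 patch is otherwise undocumented in the spec's own history.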