diff options
Diffstat (limited to 'meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch')
| -rw-r--r-- | meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch deleted file mode 100644 index f142ed00d7..0000000000 --- a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001 -From: Sandra Loosemore <sandra@codesourcery.com> -Date: Thu, 25 Apr 2019 07:27:02 -0700 -Subject: [PATCH] Detect invalid length field in debug frame FDE header. - -GDB was failing to catch cases where a corrupt ELF or core file -contained an invalid length value in a Dwarf debug frame FDE header. -It was checking for buffer overflow but not cases where the length was -negative or caused pointer wrap-around. - -In addition to the additional validity check, this patch cleans up the -multiple signed/unsigned conversions on the length field so that an -unsigned representation is used consistently throughout. - -This patch fixes CVE-2017-9778 and PR gdb/21600. - -2019-04-25 Sandra Loosemore <sandra@codesourcery.com> - Kang Li <kanglictf@gmail.com> - - PR gdb/21600 - - * dwarf2-frame.c (read_initial_length): Be consistent about using - unsigned representation of length. - (decode_frame_entry_1): Likewise. Check for wraparound of - end pointer as well as buffer overflow. - -Upstream-Status: Backport -CVE: CVE-2017-9778 -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> ---- - gdb/ChangeLog | 10 ++++++++++ - gdb/dwarf2-frame.c | 14 +++++++------- - 2 files changed, 17 insertions(+), 7 deletions(-) - -diff --git a/gdb/ChangeLog b/gdb/ChangeLog -index 1c125de..d028d2b 100644 ---- a/gdb/ChangeLog -+++ b/gdb/ChangeLog -@@ -1,3 +1,13 @@ -+2019-04-25 Sandra Loosemore <sandra@codesourcery.com> -+ Kang Li <kanglictf@gmail.com> -+ -+ PR gdb/21600 -+ -+ * dwarf2-frame.c (read_initial_length): Be consistent about using -+ unsigned representation of length. -+ (decode_frame_entry_1): Likewise. Check for wraparound of -+ end pointer as well as buffer overflow. -+ - 2019-05-11 Joel Brobecker <brobecker@adacore.com> - - * version.in: Set GDB version number to 8.3. -diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c -index 178ac44..dc5d3b3 100644 ---- a/gdb/dwarf2-frame.c -+++ b/gdb/dwarf2-frame.c -@@ -1488,7 +1488,7 @@ static ULONGEST - read_initial_length (bfd *abfd, const gdb_byte *buf, - unsigned int *bytes_read_ptr) - { -- LONGEST result; -+ ULONGEST result; - - result = bfd_get_32 (abfd, buf); - if (result == 0xffffffff) -@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, - { - struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); - const gdb_byte *buf, *end; -- LONGEST length; -+ ULONGEST length; - unsigned int bytes_read; - int dwarf64_p; - ULONGEST cie_id; -@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, - buf = start; - length = read_initial_length (unit->abfd, buf, &bytes_read); - buf += bytes_read; -- end = buf + length; -- -- /* Are we still within the section? */ -- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) -- return NULL; -+ end = buf + (size_t) length; - - if (length == 0) - return end; - -+ /* Are we still within the section? */ -+ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) -+ return NULL; -+ - /* Distinguish between 32 and 64-bit encoded frame info. */ - dwarf64_p = (bytes_read == 12); - --- -2.20.1 - |