summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/gdb
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-07-19 13:55:28 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-19 16:16:31 +0100
commit4fa03fa14f8facb134ecd772a99c25184d8a4cbd (patch)
tree849fc08abf90a15ee2c0062147d2c3fa71cc8468 /meta/recipes-devtools/gdb
parentb3b1c00cc46b33ddbf7e008267032220e1e298af (diff)
downloadopenembedded-core-4fa03fa14f8facb134ecd772a99c25184d8a4cbd.tar.gz
openembedded-core-4fa03fa14f8facb134ecd772a99c25184d8a4cbd.tar.bz2
openembedded-core-4fa03fa14f8facb134ecd772a99c25184d8a4cbd.zip
gdb: fix CVE-2017-9778
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/gdb')
-rw-r--r--meta/recipes-devtools/gdb/gdb-8.3.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch98
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.3.inc b/meta/recipes-devtools/gdb/gdb-8.3.inc
index db8d5f349f..a5ef936fbf 100644
--- a/meta/recipes-devtools/gdb/gdb-8.3.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.3.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
file://0009-Change-order-of-CFLAGS.patch \
file://0010-resolve-restrict-keyword-conflict.patch \
file://0011-Fix-invalid-sigprocmask-call.patch \
+ file://CVE-2017-9778.patch \
"
SRC_URI[md5sum] = "bbd95b2f9b34621ad7a19a3965476314"
SRC_URI[sha256sum] = "802f7ee309dcc547d65a68d61ebd6526762d26c3051f52caebe2189ac1ffd72e"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..f142ed00d7
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,98 @@
+From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
+ Kang Li <kanglictf@gmail.com>
+
+ PR gdb/21600
+
+ * dwarf2-frame.c (read_initial_length): Be consistent about using
+ unsigned representation of length.
+ (decode_frame_entry_1): Likewise. Check for wraparound of
+ end pointer as well as buffer overflow.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog | 10 ++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 1c125de..d028d2b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,13 @@
++2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
++ Kang Li <kanglictf@gmail.com>
++
++ PR gdb/21600
++
++ * dwarf2-frame.c (read_initial_length): Be consistent about using
++ unsigned representation of length.
++ (decode_frame_entry_1): Likewise. Check for wraparound of
++ end pointer as well as buffer overflow.
++
+ 2019-05-11 Joel Brobecker <brobecker@adacore.com>
+
+ * version.in: Set GDB version number to 8.3.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 178ac44..dc5d3b3 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1488,7 +1488,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ unsigned int *bytes_read_ptr)
+ {
+- LONGEST result;
++ ULONGEST result;
+
+ result = bfd_get_32 (abfd, buf);
+ if (result == 0xffffffff)
+@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+ struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+ const gdb_byte *buf, *end;
+- LONGEST length;
++ ULONGEST length;
+ unsigned int bytes_read;
+ int dwarf64_p;
+ ULONGEST cie_id;
+@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ buf = start;
+ length = read_initial_length (unit->abfd, buf, &bytes_read);
+ buf += bytes_read;
+- end = buf + length;
+-
+- /* Are we still within the section? */
+- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+- return NULL;
++ end = buf + (size_t) length;
+
+ if (length == 0)
+ return end;
+
++ /* Are we still within the section? */
++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++ return NULL;
++
+ /* Distinguish between 32 and 64-bit encoded frame info. */
+ dwarf64_p = (bytes_read == 12);
+
+--
+2.20.1
+