summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/gdb
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-04-29 14:26:34 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-04-29 22:29:19 +0100
commitd8faa8974d08651dac42afa7a7e545a4c30d813e (patch)
treec413eb4acc28659aa476a830c4b016919d14ba3b /meta/recipes-devtools/gdb
parentac6af654f50aa6f3057dee0de806f5dfae10e4a8 (diff)
downloadopenembedded-core-d8faa8974d08651dac42afa7a7e545a4c30d813e.tar.gz
openembedded-core-d8faa8974d08651dac42afa7a7e545a4c30d813e.tar.bz2
openembedded-core-d8faa8974d08651dac42afa7a7e545a4c30d813e.zip
gdb: fix CVE-2017-9778
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/gdb')
-rw-r--r--meta/recipes-devtools/gdb/gdb-8.2.1.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch99
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index 1fc1ec0da4..cb8d189f2a 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
file://0011-Fix-invalid-sigprocmask-call.patch \
file://gdbserver-ctrl-c-handling.patch \
file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
+ file://CVE-2017-9778.patch \
"
SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..935f2661fe
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,99 @@
+From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
+ Kang Li <kanglictf@gmail.com>
+
+ PR gdb/21600
+
+ * dwarf2-frame.c (read_initial_length): Be consistent about using
+ unsigned representation of length.
+ (decode_frame_entry_1): Likewise. Check for wraparound of
+ end pointer as well as buffer overflow.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog | 11 +++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 3711dc7..0a9720b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,14 @@
++2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
++ Kang Li <kanglictf@gmail.com>
++
++ PR gdb/21600
++
++ * dwarf2-frame.c (read_initial_length): Be consistent about using
++ unsigned representation of length.
++ (decode_frame_entry_1): Likewise. Check for wraparound of
++ end pointer as well as buffer overflow.
++
++
+ 2018-12-23 Joel Brobecker <brobecker@adacore.com>
+
+ * version.in: Set GDB version number to 8.2.1.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 91e16cf..a7b99fd 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1477,7 +1477,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ unsigned int *bytes_read_ptr)
+ {
+- LONGEST result;
++ ULONGEST result;
+
+ result = bfd_get_32 (abfd, buf);
+ if (result == 0xffffffff)
+@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+ struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+ const gdb_byte *buf, *end;
+- LONGEST length;
++ ULONGEST length;
+ unsigned int bytes_read;
+ int dwarf64_p;
+ ULONGEST cie_id;
+@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ buf = start;
+ length = read_initial_length (unit->abfd, buf, &bytes_read);
+ buf += bytes_read;
+- end = buf + length;
+-
+- /* Are we still within the section? */
+- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+- return NULL;
++ end = buf + (size_t) length;
+
+ if (length == 0)
+ return end;
+
++ /* Are we still within the section? */
++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++ return NULL;
++
+ /* Distinguish between 32 and 64-bit encoded frame info. */
+ dwarf64_p = (bytes_read == 12);
+
+--
+2.7.4
+