[oe-commits] [openembedded-core] 36/41: gdb: fix CVE-2017-9778

git at git.openembedded.org git at git.openembedded.org
Sun May 12 08:15:03 UTC 2019 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch warrior
in repository openembedded-core.

commit 09dc0c4008bcc134d2424d7a9606a881baf6b79b
Author: Anuj Mittal <anuj.mittal at intel.com>
AuthorDate: Mon Apr 29 14:26:34 2019 +0800

    gdb: fix CVE-2017-9778
    
    Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/recipes-devtools/gdb/gdb-8.2.1.inc           |  1 +
 meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch | 99 +++++++++++++++++++++++
 2 files changed, 100 insertions(+)

diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index 1fc1ec0..cb8d189 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
            file://0011-Fix-invalid-sigprocmask-call.patch \
            file://gdbserver-ctrl-c-handling.patch \
            file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
+           file://CVE-2017-9778.patch \
 "
 SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
 SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000..935f266
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,99 @@
+From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra at codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25  Sandra Loosemore  <sandra at codesourcery.com>
+	    Kang Li <kanglictf at gmail.com>
+
+	PR gdb/21600
+
+	* dwarf2-frame.c (read_initial_length): Be consistent about using
+	unsigned representation of length.
+	(decode_frame_entry_1): Likewise.  Check for wraparound of
+	end pointer as well as buffer overflow.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
+---
+ gdb/ChangeLog      | 11 +++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 3711dc7..0a9720b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,14 @@
++2019-04-25  Sandra Loosemore  <sandra at codesourcery.com>
++	    Kang Li <kanglictf at gmail.com>
++
++	PR gdb/21600
++
++	* dwarf2-frame.c (read_initial_length): Be consistent about using
++	unsigned representation of length.
++	(decode_frame_entry_1): Likewise.  Check for wraparound of
++	end pointer as well as buffer overflow.
++
++
+ 2018-12-23  Joel Brobecker  <brobecker at adacore.com>
+ 
+ 	* version.in: Set GDB version number to 8.2.1.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 91e16cf..a7b99fd 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1477,7 +1477,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ 		     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
++  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
++  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
++  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
++  /* Are we still within the section?  */
++  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++    return NULL;
++
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.7.4
+

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list