[OE-core] [PATCH 2/3] gdb: fix CVE-2017-9778

Anuj Mittal anuj.mittal at intel.com
Fri Jul 19 05:55:28 UTC 2019 

Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
---
 meta/recipes-devtools/gdb/gdb-8.3.inc         |  1 +
 .../gdb/gdb/CVE-2017-9778.patch               | 98 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch

diff --git a/meta/recipes-devtools/gdb/gdb-8.3.inc b/meta/recipes-devtools/gdb/gdb-8.3.inc
index db8d5f349f..a5ef936fbf 100644
--- a/meta/recipes-devtools/gdb/gdb-8.3.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.3.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
            file://0009-Change-order-of-CFLAGS.patch \
            file://0010-resolve-restrict-keyword-conflict.patch \
            file://0011-Fix-invalid-sigprocmask-call.patch \
+           file://CVE-2017-9778.patch \
            "
 SRC_URI[md5sum] = "bbd95b2f9b34621ad7a19a3965476314"
 SRC_URI[sha256sum] = "802f7ee309dcc547d65a68d61ebd6526762d26c3051f52caebe2189ac1ffd72e"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..f142ed00d7
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,98 @@
+From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra at codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25  Sandra Loosemore  <sandra at codesourcery.com>
+	    Kang Li <kanglictf at gmail.com>
+
+	PR gdb/21600
+
+	* dwarf2-frame.c (read_initial_length): Be consistent about using
+	unsigned representation of length.
+	(decode_frame_entry_1): Likewise.  Check for wraparound of
+	end pointer as well as buffer overflow.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
+---
+ gdb/ChangeLog      | 10 ++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 1c125de..d028d2b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,13 @@
++2019-04-25  Sandra Loosemore  <sandra at codesourcery.com>
++	Kang Li <kanglictf at gmail.com>
++
++	PR gdb/21600
++
++	* dwarf2-frame.c (read_initial_length): Be consistent about using
++	unsigned representation of length.
++	(decode_frame_entry_1): Likewise.  Check for wraparound of
++	end pointer as well as buffer overflow.
++
+ 2019-05-11  Joel Brobecker  <brobecker at adacore.com>
+ 
+ 	* version.in: Set GDB version number to 8.3.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 178ac44..dc5d3b3 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1488,7 +1488,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ 		     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
++  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
++  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
++  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
++  /* Are we still within the section?  */
++  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++    return NULL;
++
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.20.1
+
-- 
2.20.1

More information about the Openembedded-core mailing list