fix CVE-2017-9778

2019-12-25 09:39:52 +08:00 · 2019-12-25 09:39:52 +08:00 · 4e2f76637b
commit 4e2f76637b
parent fc7613e488
2 changed files with 85 additions and 1 deletions
--- a/gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch
+++ b/gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch
@ -0,0 +1,76 @@
+From 723adb650a31859d7cc45832cb8adca0206455ed Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+            Kang Li <kanglictf@gmail.com>
+
+        PR gdb/21600
+
+        * dwarf2-frame.c (read_initial_length): Be consistent about using
+        unsigned representation of length.
+        (decode_frame_entry_1): Likewise.  Check for wraparound of
+        end pointer as well as buffer overflow.
+---
+ gdb/ChangeLog      | 10 ++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index e2bf61b..b697afa 100644
+--- a/gdb/dwarf2-frame.c
+++ b/gdb/dwarf2-frame.c
+@@ -1487,7 +1487,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+                     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
+  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1788,7 +1788,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
+  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1799,15 +1799,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
+  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
+  /* Are we still within the section?  */
+  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+    return NULL;
+
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.9.3
+
--- a/gdb.spec
+++ b/gdb.spec
@ -1,6 +1,6 @@
 Name: gdb
 Version: 8.2
-Release: 4
+Release: 5

 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL
 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz
@ -179,6 +179,8 @@ Patch132: gdb-rhbz1491128-batch-mode-exit-status-1of2.patch
 Patch133: gdb-rhbz1491128-batch-mode-exit-status-2of2.patch
 Patch134: gdb-use-pulongest-aarch64-linux-tdep.patch

+Patch6000: gdb-Detect-invalid-length-field-in-debug-frame-FDE-header.patch
+
 BuildRequires: rpm-libs
 BuildRequires: readline-devel >= 6.2-4
 BuildRequires: gcc-c++ ncurses-devel texinfo gettext flex bison
@ -426,5 +428,11 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/gdb.info*

 %changelog
+* Thu Dec 19 2019 yeyunfeng<yeyunfeng@huawei.com> - 8.2-5
+- Type:cves
+- ID:CVE-2017-9778
+- SUG:NA
+- DESC: fix CVE-2017-9778
+
 * Wed Sep 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 8.2-4
 - Package init