!11 fix cve-2017-9778

Merge pull request !11 from HukunaMatata/CVE
2020-02-03 15:16:21 +08:00 · 2020-02-03 15:16:21 +08:00 · 8959fbae2d
commit 8959fbae2d
parent 9dfcd8dbfd 6b2ec75e20
2 changed files with 83 additions and 1 deletions
--- a/gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch
+++ b/gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch
@ -0,0 +1,75 @@
+From 723adb650a31859d7cc45832cb8adca0206455ed Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
+	    Kang Li <kanglictf@gmail.com>
+
+	PR gdb/21600
+
+	* dwarf2-frame.c (read_initial_length): Be consistent about using
+	unsigned representation of length.
+	(decode_frame_entry_1): Likewise.  Check for wraparound of
+	end pointer as well as buffer overflow.
+---
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index e2bf61b..b697afa 100644
+--- a/gdb/dwarf2-frame.c
+++ b/gdb/dwarf2-frame.c
+@@ -1487,7 +1487,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ 		     unsigned int *bytes_read_ptr)
+ {
+-  LONGEST result;
+  ULONGEST result;
+ 
+   result = bfd_get_32 (abfd, buf);
+   if (result == 0xffffffff)
+@@ -1788,7 +1788,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+   struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+   const gdb_byte *buf, *end;
+-  LONGEST length;
+  ULONGEST length;
+   unsigned int bytes_read;
+   int dwarf64_p;
+   ULONGEST cie_id;
+@@ -1799,15 +1799,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+   buf = start;
+   length = read_initial_length (unit->abfd, buf, &bytes_read);
+   buf += bytes_read;
+-  end = buf + length;
+-
+-  /* Are we still within the section?  */
+-  if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+-    return NULL;
+  end = buf + (size_t) length;
+ 
+   if (length == 0)
+     return end;
+ 
+  /* Are we still within the section?  */
+  if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+    return NULL;
+
+   /* Distinguish between 32 and 64-bit encoded frame info.  */
+   dwarf64_p = (bytes_read == 12);
+ 
+-- 
+2.9.3
+
--- a/gdb.spec
+++ b/gdb.spec
@ -1,6 +1,6 @@
 Name: gdb
 Version: 8.3.1
-Release: 9
+Release: 10

 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL
 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz
@ -167,6 +167,10 @@ Patch120:  gdb-rhbz1723564-gdb-crash-PYTHONMALLOC-debug.patch
 Patch121:  gdb-rhbz1553086-binutils-warning-loadable-section-outside-elf.patch
 # Fedora patch end

+# Patch from upstream
+Patch6000: gdb-detect-invalid-length-field-in-debug-frame-FDE-header.patch
+# Upstream patch end
+
 BuildRequires: rpm-libs
 BuildRequires: readline-devel >= 6.2-4
 BuildRequires: gcc-c++ ncurses-devel texinfo gettext flex bison
@ -414,6 +418,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/gdb.info*

 %changelog
+* Mon Feb  3 2020 yuxiangyang<yuxiangyang4@huawei.com> - 8.3.1-10
+- fix CVE-2017-9778
+
 * Thu Jan 16 2020 openEuler Buildteam <buildteam@openeuler.org> - 8.3.1-9
 - rpm upgrade successful, delete the dependence to librpm8