From d35f65d419d97b948d1c8ca9a6535afd691120ea Mon Sep 17 00:00:00 2001 From: Deepthi Hemraj Date: Mon, 5 Feb 2024 04:31:09 -0800 Subject: [PATCH] gdb: Fix CVE-2023-39129 CVE: CVE-2023-39129 (From OE-Core rev: 67b62fd57d7073b42db2747227d07841d0d064e3) Signed-off-by: Deepthi Hemraj Signed-off-by: Steve Sakoman --- meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0012-CVE-2023-39129.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 099bd2d8f5..ad2b3ad4b7 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0009-Fix-invalid-sigprocmask-call.patch \ file://0010-gdbserver-ctrl-c-handling.patch \ file://0011-CVE-2023-39128.patch \ + file://0012-CVE-2023-39129.patch \ " SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32" diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch new file mode 100644 index 0000000000..63fb44d59a --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch @@ -0,0 +1,50 @@ +From: Keith Seitz +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700) +Subject: Verify COFF symbol stringtab offset +X-Git-Tag: gdb-14-branchpoint~473 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a + +Verify COFF symbol stringtab offset + +This patch addresses an issue with malformed/fuzzed debug information that +was recently reported in gdb/30639. That bug specifically deals with +an ASAN issue, but the reproducer provided by the reporter causes a +another failure outside of ASAN: + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a] + +CVE: CVE-2023-39129 + +Signed-off-by: Deepthi Hemraj + +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -159,6 +160,7 @@ static file_ptr linetab_offset; + static file_ptr linetab_size; + + static char *stringtab = NULL; ++static long stringtab_length = 0; + + extern void stabsread_clear_cache (void); + +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr *stora + /* This is in target format (probably not very useful, and not + currently used), not host format. */ + memcpy (stringtab, lengthbuf, sizeof lengthbuf); ++ stringtab_length = length; + if (length == sizeof length) /* Empty table -- just the count. */ + return 0; + +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry) + + if (symbol_entry->_n._n_n._n_zeroes == 0) + { +- /* FIXME: Probably should be detecting corrupt symbol files by +- seeing whether offset points to within the stringtab. */ ++ if (symbol_entry->_n._n_n._n_offset > stringtab_length) ++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), ++ symbol_entry->_n._n_n._n_offset, stringtab_length); + result = stringtab + symbol_entry->_n._n_n._n_offset; + } + else