diff options
Diffstat (limited to 'meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch')
-rw-r--r-- | meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch deleted file mode 100644 index 935f2661fe..0000000000 --- a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch +++ /dev/null @@ -1,99 +0,0 @@ -From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001 -From: Sandra Loosemore <sandra@codesourcery.com> -Date: Thu, 25 Apr 2019 07:27:02 -0700 -Subject: [PATCH] Detect invalid length field in debug frame FDE header. - -GDB was failing to catch cases where a corrupt ELF or core file -contained an invalid length value in a Dwarf debug frame FDE header. -It was checking for buffer overflow but not cases where the length was -negative or caused pointer wrap-around. - -In addition to the additional validity check, this patch cleans up the -multiple signed/unsigned conversions on the length field so that an -unsigned representation is used consistently throughout. - -This patch fixes CVE-2017-9778 and PR gdb/21600. - -2019-04-25 Sandra Loosemore <sandra@codesourcery.com> - Kang Li <kanglictf@gmail.com> - - PR gdb/21600 - - * dwarf2-frame.c (read_initial_length): Be consistent about using - unsigned representation of length. - (decode_frame_entry_1): Likewise. Check for wraparound of - end pointer as well as buffer overflow. - -Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed] -CVE: CVE-2017-9778 -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> ---- - gdb/ChangeLog | 11 +++++++++++ - gdb/dwarf2-frame.c | 14 +++++++------- - 2 files changed, 18 insertions(+), 7 deletions(-) - -diff --git a/gdb/ChangeLog b/gdb/ChangeLog -index 3711dc7..0a9720b 100644 ---- a/gdb/ChangeLog -+++ b/gdb/ChangeLog -@@ -1,3 +1,14 @@ -+2019-04-25 Sandra Loosemore <sandra@codesourcery.com> -+ Kang Li <kanglictf@gmail.com> -+ -+ PR gdb/21600 -+ -+ * dwarf2-frame.c (read_initial_length): Be consistent about using -+ unsigned representation of length. -+ (decode_frame_entry_1): Likewise. Check for wraparound of -+ end pointer as well as buffer overflow. -+ -+ - 2018-12-23 Joel Brobecker <brobecker@adacore.com> - - * version.in: Set GDB version number to 8.2.1. -diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c -index 91e16cf..a7b99fd 100644 ---- a/gdb/dwarf2-frame.c -+++ b/gdb/dwarf2-frame.c -@@ -1477,7 +1477,7 @@ static ULONGEST - read_initial_length (bfd *abfd, const gdb_byte *buf, - unsigned int *bytes_read_ptr) - { -- LONGEST result; -+ ULONGEST result; - - result = bfd_get_32 (abfd, buf); - if (result == 0xffffffff) -@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, - { - struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); - const gdb_byte *buf, *end; -- LONGEST length; -+ ULONGEST length; - unsigned int bytes_read; - int dwarf64_p; - ULONGEST cie_id; -@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, - buf = start; - length = read_initial_length (unit->abfd, buf, &bytes_read); - buf += bytes_read; -- end = buf + length; -- -- /* Are we still within the section? */ -- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) -- return NULL; -+ end = buf + (size_t) length; - - if (length == 0) - return end; - -+ /* Are we still within the section? */ -+ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) -+ return NULL; -+ - /* Distinguish between 32 and 64-bit encoded frame info. */ - dwarf64_p = (bytes_read == 12); - --- -2.7.4 - |