1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
From: Sandra Loosemore <sandra@codesourcery.com>
Date: Thu, 25 Apr 2019 07:27:02 -0700
Subject: [PATCH] Detect invalid length field in debug frame FDE header.
GDB was failing to catch cases where a corrupt ELF or core file
contained an invalid length value in a Dwarf debug frame FDE header.
It was checking for buffer overflow but not cases where the length was
negative or caused pointer wrap-around.
In addition to the additional validity check, this patch cleans up the
multiple signed/unsigned conversions on the length field so that an
unsigned representation is used consistently throughout.
This patch fixes CVE-2017-9778 and PR gdb/21600.
2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
Kang Li <kanglictf@gmail.com>
PR gdb/21600
* dwarf2-frame.c (read_initial_length): Be consistent about using
unsigned representation of length.
(decode_frame_entry_1): Likewise. Check for wraparound of
end pointer as well as buffer overflow.
Upstream-Status: Backport
CVE: CVE-2017-9778
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
gdb/ChangeLog | 10 ++++++++++
gdb/dwarf2-frame.c | 14 +++++++-------
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index 1c125de..d028d2b 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,13 @@
+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
+ Kang Li <kanglictf@gmail.com>
+
+ PR gdb/21600
+
+ * dwarf2-frame.c (read_initial_length): Be consistent about using
+ unsigned representation of length.
+ (decode_frame_entry_1): Likewise. Check for wraparound of
+ end pointer as well as buffer overflow.
+
2019-05-11 Joel Brobecker <brobecker@adacore.com>
* version.in: Set GDB version number to 8.3.
diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
index 178ac44..dc5d3b3 100644
--- a/gdb/dwarf2-frame.c
+++ b/gdb/dwarf2-frame.c
@@ -1488,7 +1488,7 @@ static ULONGEST
read_initial_length (bfd *abfd, const gdb_byte *buf,
unsigned int *bytes_read_ptr)
{
- LONGEST result;
+ ULONGEST result;
result = bfd_get_32 (abfd, buf);
if (result == 0xffffffff)
@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
{
struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
const gdb_byte *buf, *end;
- LONGEST length;
+ ULONGEST length;
unsigned int bytes_read;
int dwarf64_p;
ULONGEST cie_id;
@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
buf = start;
length = read_initial_length (unit->abfd, buf, &bytes_read);
buf += bytes_read;
- end = buf + length;
-
- /* Are we still within the section? */
- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
- return NULL;
+ end = buf + (size_t) length;
if (length == 0)
return end;
+ /* Are we still within the section? */
+ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+ return NULL;
+
/* Distinguish between 32 and 64-bit encoded frame info. */
dwarf64_p = (bytes_read == 12);
--
2.20.1
|
