fix gdb CVE-2019-1010180

Signed-off-by: chenhaixiang <chenhaixiang3@huawei.com> (cherry picked from commit 9be8d5d63973a31419c86f81ea25a6df9825756b)
2022-10-09 16:34:39 +08:00 · 2022-10-09 16:34:39 +08:00 · 7a3cc45945
commit 7a3cc45945
parent 0bceae741e
3 changed files with 228 additions and 1 deletions
--- a/0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
+++ b/0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
@ -0,0 +1,78 @@
+From 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 May 2017 06:34:05 -0700
+Subject: [PATCH] Add bfd_get_file_size to get archive element size
+
+We can't use stat() to get archive element size.  Add bfd_get_file_size
+to get size for both normal files and archive elements.
+
+bfd/
+
+	PR binutils/21519
+	* bfdio.c (bfd_get_file_size): New function.
+	* bfd-in2.h: Regenerated.
+
+Conflict:1.remove changelog; 2.the folder binutils/ does not exist.
+Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d
+
+---
+ gdb-7.6.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/gdb-7.6.patch b/gdb-7.6.patch
+index 106d164..b29ccc9 100644
+--- a/gdb-7.6.patch
+++ b/gdb-7.6.patch
+@@ -22,6 +22,49 @@ tar xvzmf gdb-7.6.tar.gz \
+ 
+ exit 0
+ 
+--- gdb-7.6/bfd/bfd-in2.h
++++ gdb-7.6/bfd/bfd-in2.h
+@@ -1242,6 +1242,8 @@ long bfd_get_mtime (bfd *abfd);
+
+ file_ptr bfd_get_size (bfd *abfd);
+
++file_ptr bfd_get_file_size (bfd *abfd);
++
+ void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len,
+     int prot, int flags, file_ptr offset,
+     void **map_addr, bfd_size_type *map_len);
+--- gdb-7.6/bfd/bfdio.c
++++ gdb-7.6/bfd/bfdio.c
+@@ -434,6 +434,29 @@ bfd_get_size (bfd *abfd)
+   return buf.st_size;
+ }
+
++/*
++FUNCTION
++       bfd_get_file_size
++
++SYNOPSIS
++       file_ptr bfd_get_file_size (bfd *abfd);
++
++DESCRIPTION
++       Return the file size (as read from file system) for the file
++       associated with BFD @var{abfd}.  It supports both normal files
++       and archive elements.
++
++*/
++
++file_ptr
++bfd_get_file_size (bfd *abfd)
++{
++  if (abfd->my_archive != NULL
++      && !bfd_is_thin_archive (abfd->my_archive))
++    return arelt_size (abfd);
++
++  return bfd_get_size (abfd);
++}
+
+ /*
+ FUNCTION
+ --- gdb-7.6/libiberty/Makefile.in.orig
+ +++ gdb-7.6/libiberty/Makefile.in
+ @@ -175,6 +175,7 @@ REQUIRED_OFILES =							\
+-- 
+2.27.0
+
--- a/0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
+++ b/0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
@ -0,0 +1,144 @@
+From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
+From: Keith Seitz <keiths@redhat.com>
+Date: Wed, 16 Oct 2019 11:33:59 -0700
+Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
+specifically altered the size of .debug_str:
+
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
+[31] .debug_str           PROGBITS     0000000000000000 0057116d ffffffffffffffff  1 MS     0   0  1
+
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+
+Nick has already committed a BFD patch to issue the warning seen above.
+
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func
+All defined functions:
+
+File ./../include/dwarf2.def:
+186:	const
+
+              8 *>(.:
+                     ;'@<40>B);
+747:	const
+
+              8 *<2A>(.:
+                     ;'@<40>B);
+701:	const
+
+              8 *<2A>D <20>
+                     (.:
+                        ;'@<40>B);
+71:	const
+
+              8 *(.:
+                    ;'@<40>B);
+/* and more gibberish  */
+
+Consider read_indirect_string_at_offset_from:
+
+static const char *
+read_indirect_string_at_offset_from (struct objfile *objfile,
+                                     bfd *abfd, LONGEST str_offset,
+                                     struct dwarf2_section_info *sect,
+                                     const char *form_name,
+                                     const char *sect_name)
+{
+  dwarf2_read_section (objfile, sect);
+  if (sect->buffer == NULL)
+    error (_("%s used without %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  if (str_offset >= sect->size)
+    error (_("%s pointing outside of %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  gdb_assert (HOST_CHAR_BIT == 8);
+  if (sect->buffer[str_offset] == '\0')
+    return NULL;
+  return (const char *) (sect->buffer + str_offset);
+}
+
+With sect_size being ginormous, the code attempts to access
+sect->buffer[GINORMOUS], and depending on the layout of memory,
+GDB either stores a bunch of gibberish strings or crashes.
+
+This is an attempt to mitigate this by implementing a similar approach
+used by BFD. In our case, we simply reject the section with the invalid
+length:
+
+$ ./gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+
+warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
+DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
+(No debugging symbols found in /path/to/objdump)
+(gdb)
+
+Unfortunately, I have not found a way to regression test this, since it
+requires poking ELF section headers.
+
+gdb/ChangeLog:
+2019-10-16  Keith Seitz  <keiths@redhat.com>
+
+	PR gdb/23567
+	* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+	sections whose size is greater than the file size.
+
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+
+Conflict:1.remove changelog; 2.patch context adaptation; 
+	3.use sectp->name replace bfd_section_name (sectp);use abfd->filename replace bfd_get_filename.
+Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49
+
+---
+ gdb-7.6.patch | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/gdb-7.6.patch b/gdb-7.6.patch
+index b29ccc9..0989724 100644
+--- a/gdb-7.6.patch
+++ b/gdb-7.6.patch
+@@ -65,6 +65,24 @@ exit 0
+ 
+  /*
+  FUNCTION
+--- gdb-7.6/gdb/dwarf2read.c
++++ gdb-7.6/gdb/dwarf2read.c
+@@ -1822,6 +1822,15 @@ dwarf2_locate_sections (bfd *abfd, asection *sectp, void *vnames)
+   if ((aflag & SEC_HAS_CONTENTS) == 0)
+     {
+     }
++    else if (elf_section_data (sectp)->this_hdr.sh_size
++          > bfd_get_file_size (abfd))
++    {
++      bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
++      warning (_("Discarding section %s which has a section size (%s"
++                ") larger than the file size [in module %s]"),
++              sectp->name, phex_nz (size, sizeof (size)),
++              abfd->filename);
++    }
+   else if (section_is_p (sectp->name, &names->info))
+     {
+       dwarf2_per_objfile->info.asection = sectp;
+ --- gdb-7.6/libiberty/Makefile.in.orig
+ +++ gdb-7.6/libiberty/Makefile.in
+ @@ -175,6 +175,7 @@ REQUIRED_OFILES =							\
+-- 
+2.27.0
+
--- a/crash.spec
+++ b/crash.spec
@ -1,6 +1,6 @@
 Name: crash
 Version: 7.3.0
-Release: 5
+Release: 6
 Summary: Linux kernel crash utility.
 License: GPLv3
 URL: https://crash-utility.github.io
@ -14,6 +14,8 @@ Patch4: 0003-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch
 Patch5: 0004-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch
 Patch6:	add-SDEI-stack-resolution.patch
 Patch7: Handle-task_struct-cpu-member-changes-for-kernels-5..patch
+Patch8: 0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
+Patch9: 0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch

 BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel
 BuildRequires: gcc gcc-c++ bison m4
@ -79,6 +81,9 @@ install -D -m 0644 defs.h %{buildroot}%{_includedir}/%{name}/defs.h
 %{_mandir}/man8/crash.8*

 %changelog
+* Sun Oct 9 2022 chenhaixiang <chenhaixiang3@huawei.com> - 7.3.0-6
+- fix gdb CVE-2019-1010180
+
 * Wed Feb 23 2022 wangbin <wangbin224@huawei.com> - 7.3.0-5
 - Handle task_struct cpu member changes for kernels >= 5.16-rc1
  and delete use_system_readline_v3.patch