fix gdb CVE-2019-1010180

Signed-off-by: chenhaixiang <chenhaixiang3@huawei.com> (cherry picked from commit 9be8d5d63973a31419c86f81ea25a6df9825756b)
2022-10-09 16:34:39 +08:00 · 2022-10-09 16:34:39 +08:00 · 7a3cc45945
commit 7a3cc45945
parent 0bceae741e
3 changed files with 228 additions and 1 deletions
--- a/0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
+++ b/0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
@ -0,0 +1,78 @@
 From 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d Mon Sep 17 00:00:00 2001
 From: "H.J. Lu" <hjl.tools@gmail.com>
 Date: Tue, 30 May 2017 06:34:05 -0700
 Subject: [PATCH] Add bfd_get_file_size to get archive element size
 We can't use stat() to get archive element size.  Add bfd_get_file_size
 to get size for both normal files and archive elements.
 bfd/
 	PR binutils/21519
 	* bfdio.c (bfd_get_file_size): New function.
 	* bfd-in2.h: Regenerated.
 Conflict:1.remove changelog; 2.the folder binutils/ does not exist.
 Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d
 ---
 gdb-7.6.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 diff --git a/gdb-7.6.patch b/gdb-7.6.patch
 index 106d164..b29ccc9 100644
 --- a/gdb-7.6.patch
 +++ b/gdb-7.6.patch
@@ -22,6 +22,49 @@ tar xvzmf gdb-7.6.tar.gz \
 exit 0
 +--- gdb-7.6/bfd/bfd-in2.h
 ++++ gdb-7.6/bfd/bfd-in2.h
 +@@ -1242,6 +1242,8 @@ long bfd_get_mtime (bfd *abfd);
 +
 + file_ptr bfd_get_size (bfd *abfd);
 +
 ++file_ptr bfd_get_file_size (bfd *abfd);
 ++
 + void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len,
 +     int prot, int flags, file_ptr offset,
 +     void **map_addr, bfd_size_type *map_len);
 +--- gdb-7.6/bfd/bfdio.c
 ++++ gdb-7.6/bfd/bfdio.c
 +@@ -434,6 +434,29 @@ bfd_get_size (bfd *abfd)
 +   return buf.st_size;
 + }
 +
 ++/*
 ++FUNCTION
 ++       bfd_get_file_size
 ++
 ++SYNOPSIS
 ++       file_ptr bfd_get_file_size (bfd *abfd);
 ++
 ++DESCRIPTION
 ++       Return the file size (as read from file system) for the file
 ++       associated with BFD @var{abfd}.  It supports both normal files
 ++       and archive elements.
 ++
 ++*/
 ++
 ++file_ptr
 ++bfd_get_file_size (bfd *abfd)
 ++{
 ++  if (abfd->my_archive != NULL
 ++      && !bfd_is_thin_archive (abfd->my_archive))
 ++    return arelt_size (abfd);
 ++
 ++  return bfd_get_size (abfd);
 ++}
 +
 + /*
 + FUNCTION
 --- gdb-7.6/libiberty/Makefile.in.orig
 +++ gdb-7.6/libiberty/Makefile.in
 @@ -175,6 +175,7 @@ REQUIRED_OFILES =							\
 -- 
 2.27.0
--- a/0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
+++ b/0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
@ -0,0 +1,144 @@
 From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
 From: Keith Seitz <keiths@redhat.com>
 Date: Wed, 16 Oct 2019 11:33:59 -0700
 Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
 specifically altered the size of .debug_str:
 $ eu-readelf -S objdump
 Section Headers:
 [Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
 [31] .debug_str           PROGBITS     0000000000000000 0057116d ffffffffffffffff  1 MS     0   0  1
 When this file is loaded into GDB, the DWARF reader crashes attempting
 to access the string table (or it may just store a bunch of nonsense):
 [gdb-8.3-6-fc30]
 $ gdb -nx -q objdump
 BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
 Reading symbols from /path/to/objdump...
 Segmentation fault (core dumped)
 Nick has already committed a BFD patch to issue the warning seen above.
 [gdb master 6acc1a0b]
 $ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
 Reading symbols from /path/to/objdump...
 (gdb) inf func
 All defined functions:
 File ./../include/dwarf2.def:
 186:	const
              8 *>(.:
                     ;'@<40>B);
 747:	const
              8 *<2A>(.:
                     ;'@<40>B);
 701:	const
              8 *<2A>D <20>
                     (.:
                        ;'@<40>B);
 71:	const
              8 *(.:
                    ;'@<40>B);
 /* and more gibberish  */
 Consider read_indirect_string_at_offset_from:
 static const char *
 read_indirect_string_at_offset_from (struct objfile *objfile,
                                     bfd *abfd, LONGEST str_offset,
                                     struct dwarf2_section_info *sect,
                                     const char *form_name,
                                     const char *sect_name)
 {
  dwarf2_read_section (objfile, sect);
  if (sect->buffer == NULL)
    error (_("%s used without %s section [in module %s]"),
           form_name, sect_name, bfd_get_filename (abfd));
  if (str_offset >= sect->size)
    error (_("%s pointing outside of %s section [in module %s]"),
           form_name, sect_name, bfd_get_filename (abfd));
  gdb_assert (HOST_CHAR_BIT == 8);
  if (sect->buffer[str_offset] == '\0')
    return NULL;
  return (const char *) (sect->buffer + str_offset);
 }
 With sect_size being ginormous, the code attempts to access
 sect->buffer[GINORMOUS], and depending on the layout of memory,
 GDB either stores a bunch of gibberish strings or crashes.
 This is an attempt to mitigate this by implementing a similar approach
 used by BFD. In our case, we simply reject the section with the invalid
 length:
 $ ./gdb -nx -q objdump
 BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
 Reading symbols from /path/to/objdump...
 warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
 DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
 (No debugging symbols found in /path/to/objdump)
 (gdb)
 Unfortunately, I have not found a way to regression test this, since it
 requires poking ELF section headers.
 gdb/ChangeLog:
 2019-10-16  Keith Seitz  <keiths@redhat.com>
 	PR gdb/23567
 	* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
 	sections whose size is greater than the file size.
 Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
 Conflict:1.remove changelog; 2.patch context adaptation; 
 	3.use sectp->name replace bfd_section_name (sectp);use abfd->filename replace bfd_get_filename.
 Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49
 ---
 gdb-7.6.patch | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 diff --git a/gdb-7.6.patch b/gdb-7.6.patch
 index b29ccc9..0989724 100644
 --- a/gdb-7.6.patch
 +++ b/gdb-7.6.patch
@@ -65,6 +65,24 @@ exit 0
  /*
  FUNCTION
 +--- gdb-7.6/gdb/dwarf2read.c
 ++++ gdb-7.6/gdb/dwarf2read.c
 +@@ -1822,6 +1822,15 @@ dwarf2_locate_sections (bfd *abfd, asection *sectp, void *vnames)
 +   if ((aflag & SEC_HAS_CONTENTS) == 0)
 +     {
 +     }
 ++    else if (elf_section_data (sectp)->this_hdr.sh_size
 ++          > bfd_get_file_size (abfd))
 ++    {
 ++      bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
 ++      warning (_("Discarding section %s which has a section size (%s"
 ++                ") larger than the file size [in module %s]"),
 ++              sectp->name, phex_nz (size, sizeof (size)),
 ++              abfd->filename);
 ++    }
 +   else if (section_is_p (sectp->name, &names->info))
 +     {
 +       dwarf2_per_objfile->info.asection = sectp;
 --- gdb-7.6/libiberty/Makefile.in.orig
 +++ gdb-7.6/libiberty/Makefile.in
 @@ -175,6 +175,7 @@ REQUIRED_OFILES =							\
 -- 
 2.27.0
--- a/crash.spec
+++ b/crash.spec
@ -1,6 +1,6 @@
 Name: crash
 Version: 7.3.0
-Release: 5
+Release: 6
 Summary: Linux kernel crash utility.
 License: GPLv3
 URL: https://crash-utility.github.io
@ -14,6 +14,8 @@ Patch4: 0003-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch
 Patch5: 0004-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch
 Patch6:	add-SDEI-stack-resolution.patch
 Patch7: Handle-task_struct-cpu-member-changes-for-kernels-5..patch
 Patch8: 0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
 Patch9: 0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
 BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel
 BuildRequires: gcc gcc-c++ bison m4
@ -79,6 +81,9 @@ install -D -m 0644 defs.h %{buildroot}%{_includedir}/%{name}/defs.h
 %{_mandir}/man8/crash.8*
 %changelog
 * Sun Oct 9 2022 chenhaixiang <chenhaixiang3@huawei.com> - 7.3.0-6
 - fix gdb CVE-2019-1010180
 * Wed Feb 23 2022 wangbin <wangbin224@huawei.com> - 7.3.0-5
 - Handle task_struct cpu member changes for kernels >= 5.16-rc1
  and delete use_system_readline_v3.patch