Fix CVE-2023-39129

(cherry picked from commit 4ce6d8b3e41b02eb62cb187edebe5c33fe86a344)
2023-10-12 15:47:31 +08:00 · 2023-10-12 15:47:31 +08:00 · 3f26990d93
commit 3f26990d93
parent aa1d188326
2 changed files with 132 additions and 2 deletions
--- a/backport-CVE-2023-39129.patch
+++ b/backport-CVE-2023-39129.patch
@ -0,0 +1,125 @@
 From 58abdf887821a5da09ba184c6e400a3bc5cccd5a Mon Sep 17 00:00:00 2001
 From: Keith Seitz <keiths@redhat.com>
 Date: Wed, 2 Aug 2023 08:35:11 -0700
 Subject: [PATCH] Verify COFF symbol stringtab offset
 This patch addresses an issue with malformed/fuzzed debug information that
 was recently reported in gdb/30639. That bug specifically deals with
 an ASAN issue, but the reproducer provided by the reporter causes a
 another failure outside of ASAN:
 $ ./gdb --data-directory data-directory -nx -q UAF_2
 Reading symbols from /home/keiths/UAF_2...
 Fatal signal: Segmentation fault
 ----- Backtrace -----
 0x59a53a gdb_internal_backtrace_1
 	../../src/gdb/bt-utils.c:122
 0x59a5dd _Z22gdb_internal_backtracev
 	../../src/gdb/bt-utils.c:168
 0x786380 handle_fatal_signal
 	../../src/gdb/event-top.c:889
 0x7864ec handle_sigsegv
 	../../src/gdb/event-top.c:962
 0x7ff354c5fb6f ???
 0x611f9a process_coff_symbol
 	../../src/gdb/coffread.c:1556
 0x611025 coff_symtab_read
 	../../src/gdb/coffread.c:1172
 0x60f8ff coff_read_minsyms
 	../../src/gdb/coffread.c:549
 0x60fe4b coff_symfile_read
 	../../src/gdb/coffread.c:698
 0xbde0f6 read_symbols
 	../../src/gdb/symfile.c:772
 0xbde7a3 syms_from_objfile_1
 	../../src/gdb/symfile.c:966
 0xbde867 syms_from_objfile
 	../../src/gdb/symfile.c:983
 0xbded42 symbol_file_add_with_addrs
 	../../src/gdb/symfile.c:1086
 0xbdf083 _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile
 	../../src/gdb/symfile.c:1166
 0xbdf0d2 _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE
 	../../src/gdb/symfile.c:1179
 0xbdf197 symbol_file_add_main_1
 	../../src/gdb/symfile.c:1203
 0xbdf13e _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE
 	../../src/gdb/symfile.c:1194
 0x90f97f symbol_file_add_main_adapter
 	../../src/gdb/main.c:549
 0x90f895 catch_command_errors
 	../../src/gdb/main.c:518
 0x9109b6 captured_main_1
 	../../src/gdb/main.c:1203
 0x910fc8 captured_main
 	../../src/gdb/main.c:1310
 0x911067 _Z8gdb_mainP18captured_main_args
 	../../src/gdb/main.c:1339
 0x418c71 main
 	../../src/gdb/gdb.c:39
 ---------------------
 A fatal error internal to GDB has been detected, further
 debugging is not possible.  GDB will now terminate.
 This is a bug, please report it.  For instructions, see:
 <https://www.gnu.org/software/gdb/bugs/>.
 Segmentation fault (core dumped)
 The issue here is that the COFF offset for the fuzzed symbol's
 name is outside the string table. That is, the offset is greater
 than the actual string table size.
 coffread.c:getsymname actually contains a FIXME about this, and that's
 what I've chosen to address to fix this issue, following what is done
 in the DWARF reader:
 $ ./gdb --data-directory data-directory -nx -q UAF_2
 Reading symbols from /home/keiths/UAF_2...
 COFF Error: string table offset (256) outside string table (length 0)
 (gdb)
 Unfortunately, I haven't any idea how else to test this patch since
 COFF is not very common anymore. GCC removed support for it five
 years ago with GCC 8.
 ---
 gdb/coffread.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/gdb/coffread.c b/gdb/coffread.c
 index f8e14d8ad93..ae7632d49cb 100644
 --- a/gdb/coffread.c
 +++ b/gdb/coffread.c
@@ -159,6 +159,7 @@ static file_ptr linetab_offset;
 static file_ptr linetab_size;
 static char *stringtab = NULL;
 +static long stringtab_length = 0;
 extern void stabsread_clear_cache (void);
@@ -1303,6 +1304,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
   /* This is in target format (probably not very useful, and not
      currently used), not host format.  */
   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
 +  stringtab_length = length;
   if (length == sizeof length)	/* Empty table -- just the count.  */
     return 0;
@@ -1322,8 +1324,9 @@ getsymname (struct internal_syment *symbol_entry)
   if (symbol_entry->_n._n_n._n_zeroes == 0)
     {
 -      /* FIXME: Probably should be detecting corrupt symbol files by
 -	 seeing whether offset points to within the stringtab.  */
 +      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
 +	error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
 +	       symbol_entry->_n._n_n._n_offset, stringtab_length);
       result = stringtab + symbol_entry->_n._n_n._n_offset;
     }
   else
 -- 
 2.41.0.windows.3
--- a/gdb.spec
+++ b/gdb.spec
@ -1,6 +1,6 @@
 Name: gdb
 Version: 11.1
-Release: 6
+Release: 7
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3
 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz
@ -94,7 +94,6 @@ Patch81: gdb-rhbz2022177-dprintf-2.patch
 # Fedra patch end
 Patch82: 0001-Make-c-exp.y-work-with-Bison-3.8.patch
 Patch1000: backport-CVE-2023-39128.patch
 %ifarch loongarch64
 Patch83: 0001-gdb-Add-LoongArch-bfd-support.patch
@ -104,6 +103,9 @@ Patch86: 0004-gdbserver-Add-LoongArch-port-support.patch
 Patch87: 0005-gdb-Add-LoongArch-clfs-system.patch
 %endif
 Patch88: backport-CVE-2023-39128.patch
 Patch89: backport-CVE-2023-39129.patch
 %global gdb_src gdb-%{version}
 %global gdb_build build-%{_target_platform}
 %global __python %{__python3}
@ -379,6 +381,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py
 %{_infodir}/gdb.info*
 %changelog
 * Thu Oct 12 2023 liningjie <liningjie@xfusion.com> - 11.1-7
 - fix CVE-2023-39129
 * Mon Sep 4 2023 Liu Chao <liuchao173@huawei.com> - 11.1-6
 - correct patch's commit message