From d1d2231988f1b867131c4d9a94cb38399ad7c942 Mon Sep 17 00:00:00 2001 From: liningjie Date: Wed, 22 Nov 2023 11:29:21 +0800 Subject: [PATCH] Fix CVE-2023-39130 --- backport-CVE-2023-39130.patch | 327 ++++++++++++++++++++++++++++++++++ gdb.spec | 6 +- 2 files changed, 332 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-39130.patch diff --git a/backport-CVE-2023-39130.patch b/backport-CVE-2023-39130.patch new file mode 100644 index 0000000..240a8a4 --- /dev/null +++ b/backport-CVE-2023-39130.patch @@ -0,0 +1,327 @@ +From 5642059d4341f5e671022a8b076b0313b1da6c90 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 22 Nov 2023 10:37:20 +0800 +Subject: [PATCH] gdb: warn unused result for bfd IO functions + +This fixes the compilation warnings introduced by my bfdio.c patch. + +The removed bfd_seeks in coff_symfile_read date back to 1994, commit +7f4c859520, prior to which the file used stdio rather than bfd to read +symbols. Since it now uses bfd to read the file there should be no +need to synchronise to bfd's idea of the file position. I also fixed +a potential uninitialised memory access. + +Approved-By: Andrew Burgess +--- + gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++---------------- + gdb/coffread.c | 29 +++--------- + gdb/dbxread.c | 7 +-- + gdb/xcoffread.c | 5 +- + 4 files changed, 86 insertions(+), 69 deletions(-) + +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c +index e1c51d4..1b5365e 100644 +--- a/gdb/coff-pe-read.c ++++ b/gdb/coff-pe-read.c +@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name) + + /* Low-level support functions, direct from the ld module pe-dll.c. */ + static unsigned int +-pe_get16 (bfd *abfd, int where) ++pe_get16 (bfd *abfd, int where, bool *fail) + { + unsigned char b[2]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 2, abfd); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 2, abfd) != 2) ++ { ++ *fail = true; ++ return 0; ++ } + return b[0] + (b[1] << 8); + } + + static unsigned int +-pe_get32 (bfd *abfd, int where) ++pe_get32 (bfd *abfd, int where, bool *fail) + { + unsigned char b[4]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 4, abfd); +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 4, abfd) != 4) ++ { ++ *fail = true; ++ return 0; ++ } ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + static unsigned int +@@ -323,7 +331,7 @@ pe_as32 (void *ptr) + { + unsigned char *b = (unsigned char *) ptr; + +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + /* Read the (non-debug) export symbol table from a portable +@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_reader &reader, + || strcmp (target, "pei-i386") == 0 + || strcmp (target, "pe-arm-wince-little") == 0 + || strcmp (target, "pei-arm-wince-little") == 0); ++ ++ /* Possibly print a debug message about DLL not having a valid format. */ ++ auto maybe_print_debug_msg = [&] () -> void { ++ if (debug_coff_pe_read) ++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"), ++ bfd_get_filename (dll)); ++ }; ++ + if (!is_pe32 && !is_pe64) +- { +- /* This is not a recognized PE format file. Abort now, because +- the code is untested on anything else. *FIXME* test on +- further architectures and loosen or remove this test. */ +- return; +- } ++ return maybe_print_debug_msg (); + + /* Get pe_header, optional header and numbers of export entries. */ +- pe_header_offset = pe_get32 (dll, 0x3c); ++ bool fail = false; ++ pe_header_offset = pe_get32 (dll, 0x3c, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + opthdr_ofs = pe_header_offset + 4 + 20; + if (is_pe64) +- num_entries = pe_get32 (dll, opthdr_ofs + 108); ++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail); + else +- num_entries = pe_get32 (dll, opthdr_ofs + 92); ++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + + if (num_entries < 1) /* No exports. */ + return; + if (is_pe64) + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail); + } + else + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail); + } +- nsections = pe_get16 (dll, pe_header_offset + 4 + 2); ++ if (fail) ++ return maybe_print_debug_msg (); ++ ++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (dll, pe_header_offset + 4 + 16)); ++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return maybe_print_debug_msg (); + expptr = 0; + export_size = 0; + +@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_reader &reader, + { + char sname[8]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long vsize = pe_get32 (dll, secptr1 + 16); +- unsigned long fptr = pe_get32 (dll, secptr1 + 20); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail); ++ unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail); + +- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll); ++ if (fail ++ || bfd_seek (dll, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname)) + + if ((strcmp (sname, ".edata") == 0) + || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize)) +@@ -455,16 +477,18 @@ read_pe_exported_syms (minimal_symbol_reader &reader, + for (i = 0; i < nsections; i++) + { + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vsize = pe_get32 (dll, secptr1 + 8); +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long characteristics = pe_get32 (dll, secptr1 + 36); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail); + char sec_name[SCNNMLEN + 1]; + int sectix; + unsigned int bfd_section_index; + asection *section; + +- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET); +- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll); ++ if (fail ++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0 ++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN) ++ return maybe_print_debug_msg (); + sec_name[SCNNMLEN] = '\0'; + + sectix = read_pe_section_index (sec_name); +@@ -503,8 +527,9 @@ read_pe_exported_syms (minimal_symbol_reader &reader, + gdb::def_vector expdata_storage (export_size); + expdata = expdata_storage.data (); + +- bfd_seek (dll, (file_ptr) expptr, SEEK_SET); +- bfd_bread (expdata, (bfd_size_type) export_size, dll); ++ if (bfd_seek (dll, expptr, SEEK_SET) != 0 ++ || bfd_bread (expdata, export_size, dll) != export_size) ++ return maybe_print_debug_msg (); + erva = expdata - export_rva; + + nexp = pe_as32 (expdata + 24); +@@ -652,20 +677,27 @@ pe_text_section_offset (struct bfd *abfd) + } + + /* Get pe_header, optional header and numbers of sections. */ +- pe_header_offset = pe_get32 (abfd, 0x3c); +- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2); ++ bool fail = false; ++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; ++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (abfd, pe_header_offset + 4 + 16)); ++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + + /* Get the rva and size of the export section. */ + for (i = 0; i < nsections; i++) + { + char sname[SCNNMLEN + 1]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12); ++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail); + +- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd); ++ if (fail ++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + sname[SCNNMLEN] = '\0'; + if (strcmp (sname, ".text") == 0) + return vaddr; +diff --git a/gdb/coffread.c b/gdb/coffread.c +index a6e8df7..4973581 100644 +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -689,9 +689,7 @@ coff_symfile_read (struct objfile *objfile, symfile_add_flags symfile_flags) + } + + /* FIXME: dubious. Why can't we use something normal like +- bfd_get_section_contents? */ +- bfd_seek (abfd, abfd->where, 0); +- ++ bfd_get_section_contents? */ + stabstrsize = bfd_section_size (info->stabstrsect); + + coffstab_build_psymtabs (objfile, +@@ -781,22 +779,6 @@ coff_symtab_read (minimal_symbol_reader &reader, + + scoped_free_pendings free_pending; + +- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous.... +- it's hard to know I've really worked around it. The fix should +- be harmless, anyway). The symptom of the bug is that the first +- fread (in read_one_sym), will (in my example) actually get data +- from file offset 268, when the fseek was to 264 (and ftell shows +- 264). This causes all hell to break loose. I was unable to +- reproduce this on a short test program which operated on the same +- file, performing (I think) the same sequence of operations. +- +- It stopped happening when I put in this (former) rewind(). +- +- FIXME: Find out if this has been reported to Sun, whether it has +- been fixed in a later release, etc. */ +- +- bfd_seek (objfile->obfd, 0, 0); +- + /* Position to read the symbol table. */ + val = bfd_seek (objfile->obfd, (long) symtab_offset, 0); + if (val < 0) +@@ -1290,12 +1272,13 @@ init_stringtab (bfd *abfd, long offset, gdb::unique_xmalloc_ptr *storage) + if (bfd_seek (abfd, offset, 0) < 0) + return -1; + +- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd); +- length = bfd_h_get_32 (symfile_bfd, lengthbuf); +- ++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd); + /* If no string table is needed, then the file may end immediately + after the symbols. Just return with `stringtab' set to null. */ +- if (val != sizeof lengthbuf || length < sizeof lengthbuf) ++ if (val != sizeof lengthbuf) ++ return 0; ++ length = bfd_h_get_32 (symfile_bfd, lengthbuf); ++ if (length < sizeof lengthbuf) + return 0; + + storage->reset ((char *) xmalloc (length)); +diff --git a/gdb/dbxread.c b/gdb/dbxread.c +index 5a83516..b7c5ddd 100644 +--- a/gdb/dbxread.c ++++ b/gdb/dbxread.c +@@ -811,7 +811,8 @@ stabs_seek (int sym_offset) + symbuf_left -= sym_offset; + } + else +- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR); ++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0) ++ perror_with_name (bfd_get_filename (symfile_bfd)); + } + + #define INTERNALIZE_SYMBOL(intern, extern, abfd) \ +@@ -2106,8 +2107,8 @@ dbx_psymtab_to_symtab_1 (struct objfile *objfile, struct partial_symtab *pst) + symbol_size = SYMBOL_SIZE (pst); + + /* Read in this file's symbols. */ +- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET); +- read_ofile_symtab (objfile, pst); ++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0) ++ read_ofile_symtab (objfile, pst); + } + + pst->readin = 1; +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c +index 6985a43..8e73f59 100644 +--- a/gdb/xcoffread.c ++++ b/gdb/xcoffread.c +@@ -856,8 +856,9 @@ enter_line_range (struct subfile *subfile, unsigned beginoffset, + + while (curoffset <= limit_offset) + { +- bfd_seek (abfd, curoffset, SEEK_SET); +- bfd_bread (ext_lnno, linesz, abfd); ++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0 ++ || bfd_bread (ext_lnno, linesz, abfd) != linesz) ++ return; + bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno); + + /* Find the address this line represents. */ +-- +2.33.0 \ No newline at end of file diff --git a/gdb.spec b/gdb.spec index 2324451..0764725 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 9.2 -Release: 5 +Release: 6 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -148,6 +148,7 @@ Patch99: gdb-rhbz1829702-fix-python39.patch Patch100: gdb-rhbz1844458-use-fputX_unfiltered.patch Patch101: gdb-rhbz1838777-debuginfod.patch Patch102: backport-CVE-2023-39128.patch +Patch103: backport-CVE-2023-39130.patch # Fedora patch end BuildRequires: rpm-libs autoconf @@ -395,6 +396,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Wed Nov 22 2023 liningjie - 9.2-6 +- fix CVE-2023-39130 + * Mon Sep 4 2023 Liu Chao - 9.2-5 - correct patch's commit message -- Gitee