pool/gdb
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 743950 from home:tomdevries:branches:devel:gcc-gdb-cve-v2

Browse Source 
- Backport 2nd part of fix for swo#23657.
  [bsc#1142772, swo#23657, CVE-2019-1010180]
  * gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch

OBS-URL: https://build.opensuse.org/request/show/743950
OBS-URL: https://build.opensuse.org/package/show/devel:gcc/gdb?expand=0&rev=233
This commit is contained in:
Michael Matz 2019-10-30 13:43:38 +00:00 committed by Git OBS Bridge
parent 3402f9d75a
commit 7366c0f556
3 changed files with 135 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch Normal file
View File

@ -0,0 +1,123 @@
DWARF reader: Reject sections with invalid sizes
This is another fuzzer bug, gdb/23567. This time, the fuzzer has
specifically altered the size of .debug_str:
$ eu-readelf -S objdump
Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
When this file is loaded into GDB, the DWARF reader crashes attempting
to access the string table (or it may just store a bunch of nonsense):
[gdb-8.3-6-fc30]
$ gdb -nx -q objdump
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
Segmentation fault (core dumped)
Nick has already committed a BFD patch to issue the warning seen above.
[gdb master 6acc1a0b]
$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
(gdb) inf func
All defined functions:
File ./../include/dwarf2.def:
186: const
8 *>(.:
;'@<40>B);
747: const
8 *<2A>(.:
;'@<40>B);
701: const
8 *<2A>D <20>
(.:
;'@<40>B);
71: const
8 *(.:
;'@<40>B);
/* and more gibberish */
Consider read_indirect_string_at_offset_from:
static const char *
read_indirect_string_at_offset_from (struct objfile *objfile,
bfd *abfd, LONGEST str_offset,
struct dwarf2_section_info *sect,
const char *form_name,
const char *sect_name)
{
dwarf2_read_section (objfile, sect);
if (sect->buffer == NULL)
error (_("%s used without %s section [in module %s]"),
form_name, sect_name, bfd_get_filename (abfd));
if (str_offset >= sect->size)
error (_("%s pointing outside of %s section [in module %s]"),
form_name, sect_name, bfd_get_filename (abfd));
gdb_assert (HOST_CHAR_BIT == 8);
if (sect->buffer[str_offset] == '\0')
return NULL;
return (const char *) (sect->buffer + str_offset);
}
With sect_size being ginormous, the code attempts to access
sect->buffer[GINORMOUS], and depending on the layout of memory,
GDB either stores a bunch of gibberish strings or crashes.
This is an attempt to mitigate this by implementing a similar approach
used by BFD. In our case, we simply reject the section with the invalid
length:
$ ./gdb -nx -q objdump
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
(No debugging symbols found in /path/to/objdump)
(gdb)
Unfortunately, I have not found a way to regression test this, since it
requires poking ELF section headers.
gdb/ChangeLog:
2019-10-16 Keith Seitz <keiths@redhat.com>
PR gdb/23567
* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
sections whose size is greater than the file size.
Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
---
gdb/ChangeLog | 6 ++++++
gdb/dwarf2read.c | 9 +++++++++
2 files changed, 15 insertions(+)
diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
index 0443b55d891..a78f818e0e8 100644
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
if ((aflag & SEC_HAS_CONTENTS) == 0)
{
}
+ else if (elf_section_data (sectp)->this_hdr.sh_size
+ > bfd_get_file_size (abfd))
+ {
+ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
+ warning (_("Discarding section %s which has a section size (%s"
+ ") larger than the file size [in module %s]"),
+ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
+ bfd_get_filename (abfd));
+ }
else if (section_is_p (sectp->name, &names.info))
{
this->info.s.section = sectp;

7
gdb.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Oct 29 09:32:42 UTC 2019 - Tom de Vries <tdevries@suse.com>
- Backport 2nd part of fix for swo#23657.
[bsc#1142772, swo#23657, CVE-2019-1010180]
* gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch
-------------------------------------------------------------------
Mon Oct 14 17:52:55 UTC 2019 - matz@suse.com

9
gdb.spec
View File

@ -13,7 +13,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -244,7 +244,8 @@ Patch2005: gdb-testsuite-pie-no-pie.patch
Patch2007: gdb-testsuite-read1-fixes.patch
Patch2008: gdb-testsuite-i386-pkru-exp.patch
Patch2009: gdb-s390-handle-arch13.diff
Patch2500: gdb-fix-heap-use-after-free-in-typename-concat.patch
Patch2010: gdb-fix-heap-use-after-free-in-typename-concat.patch
Patch2011: gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch
# Testsuite patches
Patch2600: gdb-testsuite-8.3-kfail-xfail-unsupported.patch
@ -587,8 +588,8 @@ find -name "*.info*"|xargs rm -f
%patch2007 -p1
%patch2008 -p1
%patch2009 -p1
%patch2500 -p1
%patch2010 -p1
%patch2011 -p1
%patch2600 -p1