From 3402f9d75a5761eb4f5e08212bfe081a77850c00e73b6b1f69e5e40a68274e6f Mon Sep 17 00:00:00 2001 From: Michael Matz Date: Mon, 14 Oct 2019 17:54:50 +0000 Subject: [PATCH 1/2] - Add gdb-s390-handle-arch13.diff to handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368] OBS-URL: https://build.opensuse.org/package/show/devel:gcc/gdb?expand=0&rev=232 --- gdb-s390-handle-arch13.diff | 168 ++++++++++++++++++++++++++++++++++++ gdb.changes | 6 ++ gdb.spec | 2 + 3 files changed, 176 insertions(+) create mode 100644 gdb-s390-handle-arch13.diff diff --git a/gdb-s390-handle-arch13.diff b/gdb-s390-handle-arch13.diff new file mode 100644 index 0000000..4dd7d95 --- /dev/null +++ b/gdb-s390-handle-arch13.diff 
@@ -0,0 +1,168 @@ +commit 6d9d6da48e84a65871a9d72fa785105d603990a6 +Author: Andreas Arnez +Date: Wed Oct 9 11:09:22 2019 +0200 + + s390: Add record/replay support for arch13 instructions + + Enable recording most of the new "arch13" instructions on z/Architecture + targets, except for the specialized-function-assist instructions: + + SORTL - sort lists + DFLTCC - deflate conversion call + KDSA - compute digital signature authentication + + gdb/ChangeLog: + + * s390-tdep.c (390_process_record): Handle new arch13 instructions + except SORTL, DFLTCC, and KDSA. + +diff --git a/gdb/s390-tdep.c b/gdb/s390-tdep.c +index 463c0a0..e7f1215 100644 +--- a/gdb/s390-tdep.c ++++ b/gdb/s390-tdep.c +@@ -4134,6 +4134,7 @@ ex: + case 0xb998: /* ALCR - add logical with carry */ + case 0xb999: /* SLBR - subtract logical with borrow */ + case 0xb9f4: /* NRK - and */ ++ case 0xb9f5: /* NCRK - and with complement */ + case 0xb9f6: /* ORK - or */ + case 0xb9f7: /* XRK - xor */ + case 0xb9f8: /* ARK - add */ +@@ -4166,20 +4167,32 @@ ex: + case 0xb919: /* SGFR - subtract */ + case 0xb91a: /* ALGFR - add logical */ + case 0xb91b: /* SLGFR - subtract logical */ ++ case 0xb964: /* NNGRK - and 64 bit */ ++ case 0xb965: /* OCGRK - or with complement 64 bit */ ++ case 0xb966: /* NOGRK - or 64 bit */ ++ case 0xb967: /* NXGRK - not exclusive or 64 bit */ ++ case 0xb974: /* NNRK - and 32 bit */ ++ case 0xb975: /* OCRK - or with complement 32 bit */ ++ case 0xb976: /* NORK - or 32 bit */ ++ case 0xb977: /* NXRK - not exclusive or 32 bit */ + case 0xb980: /* NGR - and */ + case 0xb981: /* OGR - or */ + case 0xb982: /* XGR - xor */ + case 0xb988: /* ALCGR - add logical with carry */ + case 0xb989: /* SLBGR - subtract logical with borrow */ ++ case 0xb9c0: /* SELFHR - select high */ + case 0xb9e1: /* POPCNT - population count */ + case 0xb9e4: /* NGRK - and */ ++ case 0xb9e5: /* NCGRK - and with complement */ + case 0xb9e6: /* OGRK - or */ + case 0xb9e7: /* XGRK - xor */ + case 0xb9e8: /* AGRK - add */ + 
case 0xb9e9: /* SGRK - subtract */ + case 0xb9ea: /* ALGRK - add logical */ ++ case 0xb9e3: /* SELGR - select 64 bit */ + case 0xb9eb: /* SLGRK - subtract logical */ + case 0xb9ed: /* MSGRKC - multiply single 64x64 -> 64 */ ++ case 0xb9f0: /* SELR - select 32 bit */ + case 0xb9fd: /* MSRKC - multiply single 32x32 -> 32 */ + /* 64-bit gpr destination + flags */ + if (s390_record_gpr_g (gdbarch, regcache, inib[6])) +@@ -4555,7 +4568,13 @@ ex: + return -1; + break; + +- /* 0xb932-0xb93b undefined */ ++ /* 0xb932-0xb937 undefined */ ++ ++ /* 0xb938 unsupported: SORTL - sort lists */ ++ /* 0xb939 unsupported: DFLTCC - deflate conversion call */ ++ /* 0xb93a unsupported: KDSA - compute dig. signature auth. */ ++ ++ /* 0xb93b undefined */ + + case 0xb93c: /* PPNO - perform pseudorandom number operation [partial] */ + regcache_raw_read_unsigned (regcache, S390_R1_REGNUM, &tmp); +@@ -5485,6 +5504,13 @@ ex: + /* 0xe3ce undefined */ + /* 0xe3d0-0xe3ff undefined */ + ++ case 0xe601: /* VLEBRH - vector load byte reversed element */ ++ case 0xe602: /* VLEBRG - vector load byte reversed element */ ++ case 0xe603: /* VLEBRF - vector load byte reversed element */ ++ case 0xe604: /* VLLEBRZ - vector load byte rev. el. and zero */ ++ case 0xe605: /* VLBRREP - vector load byte rev. el. and replicate */ ++ case 0xe606: /* VLBR - vector load byte reversed elements */ ++ case 0xe607: /* VLER - vector load elements reversed */ + case 0xe634: /* VPKZ - vector pack zoned */ + case 0xe635: /* VLRL - vector load rightmost with immed. 
length */ + case 0xe637: /* VLRLR - vector load rightmost with length */ +@@ -5547,6 +5573,9 @@ ex: + case 0xe77f: /* VSRAB - vector shift right arithmetic by byte */ + case 0xe784: /* VPDI - vector permute doubleword immediate */ + case 0xe785: /* VBPERM - vector bit permute */ ++ case 0xe786: /* VSLD - vector shift left double by bit */ ++ case 0xe787: /* VSRD - vector shift right double by bit */ ++ case 0xe78b: /* VSTRS - vector string search */ + case 0xe78c: /* VPERM - vector permute */ + case 0xe78d: /* VSEL - vector select */ + case 0xe78e: /* VFMS - vector fp multiply and subtract */ +@@ -5575,10 +5604,10 @@ ex: + case 0xe7bc: /* VGFMA - vector Galois field multiply sum and accumulate */ + case 0xe7bd: /* VSBCBI - vector subtract with borrow compute borrow indication */ + case 0xe7bf: /* VSBI - vector subtract with borrow indication */ +- case 0xe7c0: /* VCLGD - vector convert to logical 64-bit */ +- case 0xe7c1: /* VCDLG - vector convert from logical 64-bit */ +- case 0xe7c2: /* VCGD - vector convert to fixed 64-bit */ +- case 0xe7c3: /* VCDG - vector convert from fixed 64-bit */ ++ case 0xe7c0: /* VCLFP - vector fp convert to logical */ ++ case 0xe7c1: /* VCFPL - vector fp convert from logical */ ++ case 0xe7c2: /* VCSFP - vector fp convert to fixed */ ++ case 0xe7c3: /* VCFPS - vector fp convert from fixed */ + case 0xe7c4: /* VLDE/VFLL - vector fp load lengthened */ + case 0xe7c5: /* VLED/VFLR - vector fp load rounded */ + case 0xe7c7: /* VFI - vector load fp integer */ +@@ -5629,6 +5658,7 @@ ex: + return -1; + break; + ++ case 0xe609: /* VSTEBRH - vector store byte reversed element */ + case 0xe709: /* VSTEH - vector store element */ + oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0); + if (record_full_arch_list_add_mem (oaddr, 2)) +@@ -5637,6 +5667,7 @@ ex: + return -1; + break; + ++ case 0xe60a: /* VSTEBRG - vector store byte reversed element */ + case 0xe70a: /* VSTEG - vector store element */ + oaddr = s390_record_calc_disp 
(gdbarch, regcache, inib[3], insn[1], 0); + if (record_full_arch_list_add_mem (oaddr, 8)) +@@ -5645,6 +5676,7 @@ ex: + return -1; + break; + ++ case 0xe60b: /* VSTEBRF - vector store byte reversed element */ + case 0xe70b: /* VSTEF - vector store element */ + oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0); + if (record_full_arch_list_add_mem (oaddr, 4)) +@@ -5655,6 +5687,8 @@ ex: + + /* 0xe70c-0xe70d undefined */ + ++ case 0xe60e: /* VSTBR - vector store byte reversed elements */ ++ case 0xe60f: /* VSTER - vector store elements reversed */ + case 0xe70e: /* VST - vector store */ + oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0); + if (record_full_arch_list_add_mem (oaddr, 16)) +@@ -6234,7 +6268,16 @@ ex: + /* SSE/SIL-format instruction */ + switch (insn[0]) + { +- /* 0xe500-0xe543 undefined, privileged, or unsupported */ ++ /* 0xe500-0xe509 undefined, privileged, or unsupported */ ++ ++ case 0xe50a: /* MVCRL - move right to left */ ++ regcache_raw_read_unsigned (regcache, S390_R0_REGNUM, &tmp); ++ oaddr = s390_record_calc_disp (gdbarch, regcache, 0, insn[1], 0); ++ if (record_full_arch_list_add_mem (oaddr, (tmp & 0xff) + 1)) ++ return -1; ++ break; ++ ++ /* 0xe50b-0xe543 undefined, privileged, or unsupported */ + + case 0xe544: /* MVHHI - move */ + oaddr = s390_record_calc_disp (gdbarch, regcache, 0, insn[1], 0); diff --git a/gdb.changes b/gdb.changes index bd2398b..b0be0e6 100644 --- a/gdb.changes +++ b/gdb.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Oct 14 17:52:55 UTC 2019 - matz@suse.com + +- Add gdb-s390-handle-arch13.diff to handle most new s390 arch13 + instructions. [fate#327369, jsc#ECO-368] + ------------------------------------------------------------------- Mon Sep 30 10:34:54 UTC 2019 - Tom de Vries diff --git a/gdb.spec b/gdb.spec index 44a389b..fe846cc 100644 --- a/gdb.spec +++ b/gdb.spec 
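Review bot: VSTRS (`case 0xe78b`) sets the condition code, but the nested hunk at `@@ -5547,6 +5573,9 @@` adds it to the VPDI/VBPERM/VPERM/VSEL group, whose record action lies outside the hunk and — judging by the separate "64-bit gpr destination + flags" comment the patch uses for CC-setting gpr ops — appears to record only the vector destination; if so, the CC written by VSTRS is never logged and replay of code branching on it will diverge, so it should move to whichever group records the PSW flags for the other CC-setting vector string instructions (please confirm against the case body). Separately, `case 0xb9e3: /* SELGR - select 64 bit */` is inserted after 0xb9ea rather than in numeric order next to 0xb9e1/0xb9e4, which makes the opcode table harder to audit against the architecture map. The MVCRL length `(tmp & 0xff) + 1` matches the 1–256 byte range encoded in the low byte of GR0, and the unchecked `regcache_raw_read_unsigned` mirrors the existing PPNO case, so those look consistent. Leaving SORTL/DFLTCC/KDSA out means they fall to the switch's default path, which presumably refuses to record rather than silently under-recording; worth stating that in the `unsupported` comments. The enclosing s390_process_record switch starts and ends outside the hunk.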
@@ -243,6 +243,7 @@ Patch2004: gdb-testsuite-add-missing-initial-prompt-read-in-multidictionary Patch2005: gdb-testsuite-pie-no-pie.patch Patch2007: gdb-testsuite-read1-fixes.patch Patch2008: gdb-testsuite-i386-pkru-exp.patch +Patch2009: gdb-s390-handle-arch13.diff Patch2500: gdb-fix-heap-use-after-free-in-typename-concat.patch # Testsuite patches @@ -585,6 +586,7 @@ find -name "*.info*"|xargs rm -f %patch2005 -p1 %patch2007 -p1 %patch2008 -p1 +%patch2009 -p1 %patch2500 -p1 From 7366c0f556386c528a805795d4d575148f8092844c150b8b8144a7d3d1a74e71 Mon Sep 17 00:00:00 2001 From: Michael Matz Date: Wed, 30 Oct 2019 13:43:38 +0000 Subject: [PATCH 2/2] Accepting request 743950 from home:tomdevries:branches:devel:gcc-gdb-cve-v2 - Backport 2nd part of fix for swo#23657. [bsc#1142772, swo#23657, CVE-2019-1010180] * gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch OBS-URL: https://build.opensuse.org/request/show/743950 OBS-URL: https://build.opensuse.org/package/show/devel:gcc/gdb?expand=0&rev=233 --- ...r-reject-sections-with-invalid-sizes.patch | 123 ++++++++++++++++++ gdb.changes | 7 + gdb.spec | 9 +- 3 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch diff --git a/gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch b/gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch new file mode 100644 index 0000000..25fdc6a --- /dev/null +++ b/gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch 
@@ -0,0 +1,123 @@ +DWARF reader: Reject sections with invalid sizes + +This is another fuzzer bug, gdb/23567. This time, the fuzzer has +specifically altered the size of .debug_str: + +$ eu-readelf -S objdump +Section Headers: +[Nr] Name Type Addr Off Size ES Flags Lk Inf Al +[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1 + +When this file is loaded into GDB, the DWARF reader crashes attempting +to access the string table (or it may just store a bunch of nonsense): + +[gdb-8.3-6-fc30] +$ gdb -nx -q objdump +BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size +Reading symbols from /path/to/objdump... +Segmentation fault (core dumped) + +Nick has already committed a BFD patch to issue the warning seen above. + +[gdb master 6acc1a0b] +$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size +Reading symbols from /path/to/objdump... +(gdb) inf func +All defined functions: + +File ./../include/dwarf2.def: +186: const + + 8 *>(.: + ;'@�B); +747: const + + 8 *�(.: + ;'@�B); +701: const + + 8 *�D � + (.: + ;'@�B); +71: const + + 8 *(.: + ;'@�B); +/* and more gibberish */ + +Consider read_indirect_string_at_offset_from: + +static const char * +read_indirect_string_at_offset_from (struct objfile *objfile, + bfd *abfd, LONGEST str_offset, + struct dwarf2_section_info *sect, + const char *form_name, + const char *sect_name) +{ + dwarf2_read_section (objfile, sect); + if (sect->buffer == NULL) + error (_("%s used without %s section [in module %s]"), + form_name, sect_name, bfd_get_filename (abfd)); + if (str_offset >= sect->size) + error (_("%s pointing outside of %s section [in module %s]"), + form_name, sect_name, bfd_get_filename (abfd)); + gdb_assert (HOST_CHAR_BIT == 8); + if (sect->buffer[str_offset] == '\0') + return NULL; + return (const char *) (sect->buffer + str_offset); +} + +With sect_size being ginormous, the code 
attempts to access +sect->buffer[GINORMOUS], and depending on the layout of memory, +GDB either stores a bunch of gibberish strings or crashes. + +This is an attempt to mitigate this by implementing a similar approach +used by BFD. In our case, we simply reject the section with the invalid +length: + +$ ./gdb -nx -q objdump +BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size +Reading symbols from /path/to/objdump... + +warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump] +DW_FORM_strp used without .debug_str section [in module /path/to/objdump] +(No debugging symbols found in /path/to/objdump) +(gdb) + +Unfortunately, I have not found a way to regression test this, since it +requires poking ELF section headers. + +gdb/ChangeLog: +2019-10-16 Keith Seitz + + PR gdb/23567 + * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard + sections whose size is greater than the file size. + +Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f + +--- + gdb/ChangeLog | 6 ++++++ + gdb/dwarf2read.c | 9 +++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c +index 0443b55d891..a78f818e0e8 100644 +--- a/gdb/dwarf2read.c ++++ b/gdb/dwarf2read.c +@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp, + if ((aflag & SEC_HAS_CONTENTS) == 0) + { + } ++ else if (elf_section_data (sectp)->this_hdr.sh_size ++ > bfd_get_file_size (abfd)) ++ { ++ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size; ++ warning (_("Discarding section %s which has a section size (%s" ++ ") larger than the file size [in module %s]"), ++ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)), ++ bfd_get_filename (abfd)); ++ } + else if (section_is_p (sectp->name, &names.info)) + { + this->info.s.section = sectp; 
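Review bot: The new size check reads `elf_section_data (sectp)->this_hdr.sh_size`, which assumes the BFD is ELF; locate_sections is invoked for every section of whatever object format gdb reads DWARF from, and on a non-ELF BFD that macro reinterprets `sectp->used_by_bfd` as ELF private data, so the comparison is made against an unrelated field or a null pointer. Guarding the branch with `bfd_get_flavour (abfd) == bfd_target_elf_flavour`, or comparing `bfd_section_size (abfd, sectp)` instead, would keep the check meaningful on PE/Mach-O inputs — assuming BFD does not already clamp `sectp->size` for the oversized case, which would explain why the raw header field was chosen. The check also only rejects sizes larger than the whole file; a section whose offset plus size runs past EOF still passes here and relies on the later read failing, so the warning text should not be read as a complete bounds check. The enclosing function starts and ends outside the hunk.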
diff --git a/gdb.changes b/gdb.changes index b0be0e6..a2ab79d 100644 --- a/gdb.changes +++ b/gdb.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Oct 29 09:32:42 UTC 2019 - Tom de Vries + +- Backport 2nd part of fix for swo#23657. + [bsc#1142772, swo#23657, CVE-2019-1010180] + * gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch + ------------------------------------------------------------------- Mon Oct 14 17:52:55 UTC 2019 - matz@suse.com diff --git a/gdb.spec b/gdb.spec index fe846cc..4052e3e 100644 --- a/gdb.spec +++ b/gdb.spec @@ -13,7 +13,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -244,7 +244,8 @@ Patch2005: gdb-testsuite-pie-no-pie.patch Patch2007: gdb-testsuite-read1-fixes.patch Patch2008: gdb-testsuite-i386-pkru-exp.patch Patch2009: gdb-s390-handle-arch13.diff -Patch2500: gdb-fix-heap-use-after-free-in-typename-concat.patch +Patch2010: gdb-fix-heap-use-after-free-in-typename-concat.patch +Patch2011: gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch # Testsuite patches Patch2600: gdb-testsuite-8.3-kfail-xfail-unsupported.patch @@ -587,8 +588,8 @@ find -name "*.info*"|xargs rm -f %patch2007 -p1 %patch2008 -p1 %patch2009 -p1 - -%patch2500 -p1 +%patch2010 -p1 +%patch2011 -p1 %patch2600 -p1