Accepting request 744189 from devel:gcc

- Backport 2nd part of fix for swo#23657.
  [bsc#1142772, swo#23657, CVE-2019-1010180]
  * gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch (forwarded request 743950 from tomdevries)

OBS-URL: https://build.opensuse.org/request/show/744189
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdb?expand=0&rev=132

gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch

@@ -0,0 +1,123 @@
+DWARF reader: Reject sections with invalid sizes
+
+This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
+specifically altered the size of .debug_str:
+
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
+[31] .debug_str           PROGBITS     0000000000000000 0057116d ffffffffffffffff  1 MS     0   0  1
+
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+
+Nick has already committed a BFD patch to issue the warning seen above.
+
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func
+All defined functions:
+
+File ./../include/dwarf2.def:
+186:	const
+
+              8 *>(.:
+                     ;'@<40>B);
+747:	const
+
+              8 *<2A>(.:
+                     ;'@<40>B);
+701:	const
+
+              8 *<2A>D <20>
+                     (.:
+                        ;'@<40>B);
+71:	const
+
+              8 *(.:
+                    ;'@<40>B);
+/* and more gibberish  */
+
+Consider read_indirect_string_at_offset_from:
+
+static const char *
+read_indirect_string_at_offset_from (struct objfile *objfile,
+                                     bfd *abfd, LONGEST str_offset,
+                                     struct dwarf2_section_info *sect,
+                                     const char *form_name,
+                                     const char *sect_name)
+{
+  dwarf2_read_section (objfile, sect);
+  if (sect->buffer == NULL)
+    error (_("%s used without %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  if (str_offset >= sect->size)
+    error (_("%s pointing outside of %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  gdb_assert (HOST_CHAR_BIT == 8);
+  if (sect->buffer[str_offset] == '\0')
+    return NULL;
+  return (const char *) (sect->buffer + str_offset);
+}
+
+With sect_size being ginormous, the code attempts to access
+sect->buffer[GINORMOUS], and depending on the layout of memory,
+GDB either stores a bunch of gibberish strings or crashes.
+
+This is an attempt to mitigate this by implementing a similar approach
+used by BFD. In our case, we simply reject the section with the invalid
+length:
+
+$ ./gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+
+warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
+DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
+(No debugging symbols found in /path/to/objdump)
+(gdb)
+
+Unfortunately, I have not found a way to regression test this, since it
+requires poking ELF section headers.
+
+gdb/ChangeLog:
+2019-10-16  Keith Seitz  <keiths@redhat.com>
+
+	PR gdb/23567
+	* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+	sections whose size is greater than the file size.
+
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+
+---
+ gdb/ChangeLog    | 6 ++++++
+ gdb/dwarf2read.c | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+index 0443b55d891..a78f818e0e8 100644
+--- a/gdb/dwarf2read.c
++++ b/gdb/dwarf2read.c
+@@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
+   if ((aflag & SEC_HAS_CONTENTS) == 0)
+     {
+     }
++  else if (elf_section_data (sectp)->this_hdr.sh_size
++	   > bfd_get_file_size (abfd))
++    {
++      bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
++      warning (_("Discarding section %s which has a section size (%s"
++		 ") larger than the file size [in module %s]"),
++	       bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
++	       bfd_get_filename (abfd));
++    }
+   else if (section_is_p (sectp->name, &names.info))
+     {
+       this->info.s.section = sectp;

gdb-s390-handle-arch13.diff

@@ -0,0 +1,168 @@
+commit 6d9d6da48e84a65871a9d72fa785105d603990a6
+Author: Andreas Arnez <arnez@linux.ibm.com>
+Date:   Wed Oct 9 11:09:22 2019 +0200
+
+    s390: Add record/replay support for arch13 instructions
+    
+    Enable recording most of the new "arch13" instructions on z/Architecture
+    targets, except for the specialized-function-assist instructions:
+    
+      SORTL - sort lists
+      DFLTCC - deflate conversion call
+      KDSA - compute digital signature authentication
+    
+    gdb/ChangeLog:
+    
+    	* s390-tdep.c (390_process_record): Handle new arch13 instructions
+    	except SORTL, DFLTCC, and KDSA.
+
+diff --git a/gdb/s390-tdep.c b/gdb/s390-tdep.c
+index 463c0a0..e7f1215 100644
+--- a/gdb/s390-tdep.c
++++ b/gdb/s390-tdep.c
+@@ -4134,6 +4134,7 @@ ex:
+ 	case 0xb998: /* ALCR - add logical with carry */
+ 	case 0xb999: /* SLBR - subtract logical with borrow */
+ 	case 0xb9f4: /* NRK - and */
++	case 0xb9f5: /* NCRK - and with complement */
+ 	case 0xb9f6: /* ORK - or */
+ 	case 0xb9f7: /* XRK - xor */
+ 	case 0xb9f8: /* ARK - add */
+@@ -4166,20 +4167,32 @@ ex:
+ 	case 0xb919: /* SGFR - subtract */
+ 	case 0xb91a: /* ALGFR - add logical */
+ 	case 0xb91b: /* SLGFR - subtract logical */
++	case 0xb964: /* NNGRK - and 64 bit */
++	case 0xb965: /* OCGRK - or with complement 64 bit */
++	case 0xb966: /* NOGRK - or 64 bit */
++	case 0xb967: /* NXGRK - not exclusive or 64 bit */
++	case 0xb974: /* NNRK - and 32 bit */
++	case 0xb975: /* OCRK - or with complement 32 bit */
++	case 0xb976: /* NORK - or 32 bit */
++	case 0xb977: /* NXRK - not exclusive or 32 bit */
+ 	case 0xb980: /* NGR - and */
+ 	case 0xb981: /* OGR - or */
+ 	case 0xb982: /* XGR - xor */
+ 	case 0xb988: /* ALCGR - add logical with carry */
+ 	case 0xb989: /* SLBGR - subtract logical with borrow */
++	case 0xb9c0: /* SELFHR - select high */
+ 	case 0xb9e1: /* POPCNT - population count */
+ 	case 0xb9e4: /* NGRK - and */
++	case 0xb9e5: /* NCGRK - and with complement */
+ 	case 0xb9e6: /* OGRK - or */
+ 	case 0xb9e7: /* XGRK - xor */
+ 	case 0xb9e8: /* AGRK - add */
+ 	case 0xb9e9: /* SGRK - subtract */
+ 	case 0xb9ea: /* ALGRK - add logical */
++	case 0xb9e3: /* SELGR - select 64 bit */
+ 	case 0xb9eb: /* SLGRK - subtract logical */
+ 	case 0xb9ed: /* MSGRKC - multiply single 64x64 -> 64 */
++	case 0xb9f0: /* SELR - select 32 bit */
+ 	case 0xb9fd: /* MSRKC - multiply single 32x32 -> 32 */
+ 	  /* 64-bit gpr destination + flags */
+ 	  if (s390_record_gpr_g (gdbarch, regcache, inib[6]))
+@@ -4555,7 +4568,13 @@ ex:
+ 	    return -1;
+ 	  break;
+ 
+-	/* 0xb932-0xb93b undefined */
++	/* 0xb932-0xb937 undefined */
++
++	/* 0xb938 unsupported: SORTL - sort lists */
++	/* 0xb939 unsupported: DFLTCC - deflate conversion call */
++	/* 0xb93a unsupported: KDSA - compute dig. signature auth. */
++
++	/* 0xb93b undefined */
+ 
+ 	case 0xb93c: /* PPNO - perform pseudorandom number operation [partial] */
+ 	  regcache_raw_read_unsigned (regcache, S390_R1_REGNUM, &tmp);
+@@ -5485,6 +5504,13 @@ ex:
+ 	/* 0xe3ce undefined */
+ 	/* 0xe3d0-0xe3ff undefined */
+ 
++	case 0xe601: /* VLEBRH - vector load byte reversed element */
++	case 0xe602: /* VLEBRG - vector load byte reversed element */
++	case 0xe603: /* VLEBRF - vector load byte reversed element */
++	case 0xe604: /* VLLEBRZ - vector load byte rev. el. and zero */
++	case 0xe605: /* VLBRREP - vector load byte rev. el. and replicate */
++	case 0xe606: /* VLBR - vector load byte reversed elements */
++	case 0xe607: /* VLER - vector load elements reversed */
+ 	case 0xe634: /* VPKZ - vector pack zoned */
+ 	case 0xe635: /* VLRL - vector load rightmost with immed. length */
+ 	case 0xe637: /* VLRLR - vector load rightmost with length */
+@@ -5547,6 +5573,9 @@ ex:
+ 	case 0xe77f: /* VSRAB - vector shift right arithmetic by byte */
+ 	case 0xe784: /* VPDI - vector permute doubleword immediate */
+ 	case 0xe785: /* VBPERM - vector bit permute */
++	case 0xe786: /* VSLD - vector shift left double by bit */
++	case 0xe787: /* VSRD - vector shift right double by bit */
++	case 0xe78b: /* VSTRS - vector string search */
+ 	case 0xe78c: /* VPERM - vector permute */
+ 	case 0xe78d: /* VSEL - vector select */
+ 	case 0xe78e: /* VFMS - vector fp multiply and subtract */
+@@ -5575,10 +5604,10 @@ ex:
+ 	case 0xe7bc: /* VGFMA - vector Galois field multiply sum and accumulate */
+ 	case 0xe7bd: /* VSBCBI - vector subtract with borrow compute borrow indication */
+ 	case 0xe7bf: /* VSBI - vector subtract with borrow indication */
+-	case 0xe7c0: /* VCLGD - vector convert to logical 64-bit */
+-	case 0xe7c1: /* VCDLG - vector convert from logical 64-bit */
+-	case 0xe7c2: /* VCGD - vector convert to fixed 64-bit */
+-	case 0xe7c3: /* VCDG - vector convert from fixed 64-bit */
++	case 0xe7c0: /* VCLFP - vector fp convert to logical */
++	case 0xe7c1: /* VCFPL - vector fp convert from logical */
++	case 0xe7c2: /* VCSFP - vector fp convert to fixed */
++	case 0xe7c3: /* VCFPS - vector fp convert from fixed */
+ 	case 0xe7c4: /* VLDE/VFLL - vector fp load lengthened */
+ 	case 0xe7c5: /* VLED/VFLR - vector fp load rounded */
+ 	case 0xe7c7: /* VFI - vector load fp integer */
+@@ -5629,6 +5658,7 @@ ex:
+ 	    return -1;
+ 	  break;
+ 
++	case 0xe609: /* VSTEBRH - vector store byte reversed element */
+ 	case 0xe709: /* VSTEH - vector store element */
+ 	  oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0);
+ 	  if (record_full_arch_list_add_mem (oaddr, 2))
+@@ -5637,6 +5667,7 @@ ex:
+ 	    return -1;
+ 	  break;
+ 
++	case 0xe60a: /* VSTEBRG - vector store byte reversed element */
+ 	case 0xe70a: /* VSTEG - vector store element */
+ 	  oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0);
+ 	  if (record_full_arch_list_add_mem (oaddr, 8))
+@@ -5645,6 +5676,7 @@ ex:
+ 	    return -1;
+ 	  break;
+ 
++	case 0xe60b: /* VSTEBRF - vector store byte reversed element */
+ 	case 0xe70b: /* VSTEF - vector store element */
+ 	  oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0);
+ 	  if (record_full_arch_list_add_mem (oaddr, 4))
+@@ -5655,6 +5687,8 @@ ex:
+ 
+ 	/* 0xe70c-0xe70d undefined */
+ 
++	case 0xe60e: /* VSTBR - vector store byte reversed elements */
++	case 0xe60f: /* VSTER - vector store elements reversed */
+ 	case 0xe70e: /* VST - vector store */
+ 	  oaddr = s390_record_calc_disp (gdbarch, regcache, inib[3], insn[1], 0);
+ 	  if (record_full_arch_list_add_mem (oaddr, 16))
+@@ -6234,7 +6268,16 @@ ex:
+       /* SSE/SIL-format instruction */
+       switch (insn[0])
+ 	{
+-	/* 0xe500-0xe543 undefined, privileged, or unsupported */
++	/* 0xe500-0xe509 undefined, privileged, or unsupported */
++
++	case 0xe50a: /* MVCRL - move right to left */
++	  regcache_raw_read_unsigned (regcache, S390_R0_REGNUM, &tmp);
++	  oaddr = s390_record_calc_disp (gdbarch, regcache, 0, insn[1], 0);
++	  if (record_full_arch_list_add_mem (oaddr, (tmp & 0xff) + 1))
++	    return -1;
++	  break;
++
++	/* 0xe50b-0xe543 undefined, privileged, or unsupported */
+ 
+ 	case 0xe544: /* MVHHI - move */
+ 	  oaddr = s390_record_calc_disp (gdbarch, regcache, 0, insn[1], 0);

gdb.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Oct 29 09:32:42 UTC 2019 - Tom de Vries <tdevries@suse.com>
+
+- Backport 2nd part of fix for swo#23657.
+  [bsc#1142772, swo#23657, CVE-2019-1010180]
+  * gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch
+
+-------------------------------------------------------------------
+Mon Oct 14 17:52:55 UTC 2019 - matz@suse.com
+
+- Add gdb-s390-handle-arch13.diff to handle most new s390 arch13
+  instructions.  [fate#327369, jsc#ECO-368]
+
 -------------------------------------------------------------------
 Mon Sep 30 10:34:54 UTC 2019 - Tom de Vries <tdevries@suse.com>
 

gdb.spec

@@ -13,7 +13,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -243,7 +243,9 @@ Patch2004:      gdb-testsuite-add-missing-initial-prompt-read-in-multidictionary
 Patch2005:      gdb-testsuite-pie-no-pie.patch
 Patch2007:      gdb-testsuite-read1-fixes.patch
 Patch2008:      gdb-testsuite-i386-pkru-exp.patch
-Patch2500:      gdb-fix-heap-use-after-free-in-typename-concat.patch
+Patch2009:      gdb-s390-handle-arch13.diff
+Patch2010:      gdb-fix-heap-use-after-free-in-typename-concat.patch
+Patch2011:      gdb-dwarf-reader-reject-sections-with-invalid-sizes.patch
 
 # Testsuite patches
 Patch2600:      gdb-testsuite-8.3-kfail-xfail-unsupported.patch
@@ -585,8 +587,9 @@ find -name "*.info*"|xargs rm -f
 %patch2005 -p1
 %patch2007 -p1
 %patch2008 -p1
-
+%patch2009 -p1
-%patch2500 -p1
+%patch2010 -p1
+%patch2011 -p1
 
 %patch2600 -p1