This patch doesn't seem to take into account your previous fix for
CVE-2023-39129
I modified this patch to apply it after your CVE-2023-39129 fix, and
there seem to be conflicts:
ERROR: gdb-cross-x86_64-11.2-r0 do_patch: Applying patch
'0013-CVE-2023-39130.patch' on target directory
'/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/x86_64-linux/gdb-cross-x86_64/11.2-r0/gdb-11.2'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/x86_64-linux/gdb-cross-x86_64/11.2-r0/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch 0013-CVE-2023-39130.patch
patching file gdb/coff-pe-read.c
Hunk #1 FAILED at 254.
Hunk #2 succeeded at 323 (offset 37 lines).
Hunk #3 succeeded at 376 (offset 41 lines).
Hunk #4 FAILED at 387.
Hunk #5 FAILED at 433.
Hunk #6 FAILED at 481.
Hunk #7 FAILED at 639.
5 out of 7 hunks FAILED -- rejects in file gdb/coff-pe-read.c
patching file gdb/coffread.c
Hunk #1 succeeded at 691 (offset -20 lines).
Hunk #2 FAILED at 805.
Hunk #3 FAILED at 1306.
2 out of 3 hunks FAILED -- rejects in file gdb/coffread.c
patching file gdb/dbxread.c
Hunk #1 succeeded at 812 (offset 3 lines).
Hunk #2 FAILED at 2156.
1 out of 2 hunks FAILED -- rejects in file gdb/dbxread.c
patching file gdb/xcoffread.c
Hunk #1 FAILED at 779.
1 out of 1 hunk FAILED -- rejects in file gdb/xcoffread.c
Patch 0013-CVE-2023-39130.patch does not apply (enforce with -f)
I'm going to remove both patches from my test queue. Please submit a
V2 as a patch series including both fixes.
Thanks,
Steve
On Sun, Dec 17, 2023 at 9:41 PM Sanjana.Venkatesh via
lists.openembedded.org
<[email protected]> wrote:
>
> From: Sanjana <[email protected]>
>
> Issue: LIN1022-4855
>
> Signed-off-by: Sanjana <[email protected]>
> ---
> meta/recipes-devtools/gdb/gdb.inc | 1 +
> .../gdb/gdb/0013-CVE-2023-39130.patch | 328 ++++++++++++++++++
> 2 files changed, 329 insertions(+)
> create mode 100644 meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
>
> diff --git a/meta/recipes-devtools/gdb/gdb.inc
> b/meta/recipes-devtools/gdb/gdb.inc
> index 099bd2d8f5..62b813d5cb 100644
> --- a/meta/recipes-devtools/gdb/gdb.inc
> +++ b/meta/recipes-devtools/gdb/gdb.inc
> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
> file://0009-Fix-invalid-sigprocmask-call.patch \
> file://0010-gdbserver-ctrl-c-handling.patch \
> file://0011-CVE-2023-39128.patch \
> + file://0013-CVE-2023-39130.patch \
> "
> SRC_URI[sha256sum] =
> "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
> diff --git a/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
> b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
> new file mode 100644
> index 0000000000..9cf6645c58
> --- /dev/null
> +++ b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
> @@ -0,0 +1,328 @@
> +From: Alan Modra <[email protected]>
> +Date: Wed, 9 Aug 2023 00:28:36 +0000 (+0930)
> +Subject: gdb: warn unused result for bfd IO functions
> +X-Git-Tag: gdb-14-branchpoint~669
> +X-Git-Url:
> https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80
> +
> +gdb: warn unused result for bfd IO functions
> +
> +This fixes the compilation warnings introduced by my bfdio.c patch.
> +
> +The removed bfd_seeks in coff_symfile_read date back to 1994, commit
> +7f4c859520, prior to which the file used stdio rather than bfd to read
> +symbols. Since it now uses bfd to read the file there should be no
> +need to synchronise to bfd's idea of the file position. I also fixed
> +a potential uninitialised memory access.
> +
> +Approved-By: Andrew Burgess <[email protected]>
> +
> +Upstream-Status: Backport
> [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80]
> +
> +CVE: CVE-2023-39130
> +
> +Signed-off-by: Sanjana Venkatesh <[email protected]>
> +
> +---
> +
> +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
> +index b82b43c84cf..0d76ebdbfce 100644
> +--- a/gdb/coff-pe-read.c
> ++++ b/gdb/coff-pe-read.c
> +@@ -254,23 +254,31 @@ read_pe_truncate_name (char *dll_name)
> +
> + /* Low-level support functions, direct from the ld module pe-dll.c. */
> + static unsigned int
> +-pe_get16 (bfd *abfd, int where)
> ++pe_get16 (bfd *abfd, int where, bool *fail)
> + {
> + unsigned char b[2];
> +
> +- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
> +- bfd_read (b, (bfd_size_type) 2, abfd);
> ++ if (bfd_seek (abfd, where, SEEK_SET) != 0
> ++ || bfd_read (b, 2, abfd) != 2)
> ++ {
> ++ *fail = true;
> ++ return 0;
> ++ }
> + return b[0] + (b[1] << 8);
> + }
> +
> + static unsigned int
> +-pe_get32 (bfd *abfd, int where)
> ++pe_get32 (bfd *abfd, int where, bool *fail)
> + {
> + unsigned char b[4];
> +
> +- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
> +- bfd_read (b, (bfd_size_type) 4, abfd);
> +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
> ++ if (bfd_seek (abfd, where, SEEK_SET) != 0
> ++ || bfd_read (b, 4, abfd) != 4)
> ++ {
> ++ *fail = true;
> ++ return 0;
> ++ }
> ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
> + }
> +
> + static unsigned int
> +@@ -286,7 +294,7 @@ pe_as32 (void *ptr)
> + {
> + unsigned char *b = (unsigned char *) ptr;
> +
> +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
> ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
> + }
> +
> + /* Read the (non-debug) export symbol table from a portable
> +@@ -335,37 +343,50 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> + || strcmp (target, "pei-i386") == 0
> + || strcmp (target, "pe-arm-wince-little") == 0
> + || strcmp (target, "pei-arm-wince-little") == 0);
> ++
> ++ /* Possibly print a debug message about DLL not having a valid format. */
> ++ auto maybe_print_debug_msg = [&] () -> void {
> ++ if (debug_coff_pe_read)
> ++ gdb_printf (gdb_stdlog, _("%s doesn't appear to be a DLL\n"),
> ++ bfd_get_filename (dll));
> ++ };
> ++
> + if (!is_pe32 && !is_pe64)
> +- {
> +- /* This is not a recognized PE format file. Abort now, because
> +- the code is untested on anything else. *FIXME* test on
> +- further architectures and loosen or remove this test. */
> +- return;
> +- }
> ++ return maybe_print_debug_msg ();
> +
> + /* Get pe_header, optional header and numbers of export entries. */
> +- pe_header_offset = pe_get32 (dll, 0x3c);
> ++ bool fail = false;
> ++ pe_header_offset = pe_get32 (dll, 0x3c, &fail);
> ++ if (fail)
> ++ return maybe_print_debug_msg ();
> + opthdr_ofs = pe_header_offset + 4 + 20;
> + if (is_pe64)
> +- num_entries = pe_get32 (dll, opthdr_ofs + 108);
> ++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail);
> + else
> +- num_entries = pe_get32 (dll, opthdr_ofs + 92);
> ++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail);
> ++ if (fail)
> ++ return maybe_print_debug_msg ();
> +
> + if (num_entries < 1) /* No exports. */
> + return;
> + if (is_pe64)
> + {
> +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112);
> +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116);
> ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail);
> ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail);
> + }
> + else
> + {
> +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96);
> +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100);
> ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail);
> ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail);
> + }
> +- nsections = pe_get16 (dll, pe_header_offset + 4 + 2);
> ++ if (fail)
> ++ return maybe_print_debug_msg ();
> ++
> ++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail);
> + secptr = (pe_header_offset + 4 + 20 +
> +- pe_get16 (dll, pe_header_offset + 4 + 16));
> ++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail));
> ++ if (fail)
> ++ return maybe_print_debug_msg ();
> + expptr = 0;
> + export_size = 0;
> +
> +@@ -374,12 +395,13 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> + {
> + char sname[8];
> + unsigned long secptr1 = secptr + 40 * i;
> +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
> +- unsigned long vsize = pe_get32 (dll, secptr1 + 16);
> +- unsigned long fptr = pe_get32 (dll, secptr1 + 20);
> ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
> ++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail);
> ++ unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail);
> +
> +- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET);
> +- bfd_read (sname, (bfd_size_type) sizeof (sname), dll);
> ++ if (fail
> ++ || bfd_seek (dll, secptr1, SEEK_SET) != 0
> ++ || bfd_read (sname, sizeof (sname), dll) != sizeof (sname))
> +
> + if ((strcmp (sname, ".edata") == 0)
> + || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize))
> +@@ -420,16 +442,18 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> + for (i = 0; i < nsections; i++)
> + {
> + unsigned long secptr1 = secptr + 40 * i;
> +- unsigned long vsize = pe_get32 (dll, secptr1 + 8);
> +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
> +- unsigned long characteristics = pe_get32 (dll, secptr1 + 36);
> ++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail);
> ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
> ++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail);
> + char sec_name[SCNNMLEN + 1];
> + int sectix;
> + unsigned int bfd_section_index;
> + asection *section;
> +
> +- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET);
> +- bfd_read (sec_name, (bfd_size_type) SCNNMLEN, dll);
> ++ if (fail
> ++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0
> ++ || bfd_read (sec_name, SCNNMLEN, dll) != SCNNMLEN)
> ++ return maybe_print_debug_msg ();
> + sec_name[SCNNMLEN] = '\0';
> +
> + sectix = read_pe_section_index (sec_name);
> +@@ -468,8 +492,9 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> + gdb::def_vector<unsigned char> expdata_storage (export_size);
> + expdata = expdata_storage.data ();
> +
> +- bfd_seek (dll, (file_ptr) expptr, SEEK_SET);
> +- bfd_read (expdata, (bfd_size_type) export_size, dll);
> ++ if (bfd_seek (dll, expptr, SEEK_SET) != 0
> ++ || bfd_read (expdata, export_size, dll) != export_size)
> ++ return maybe_print_debug_msg ();
> + erva = expdata - export_rva;
> +
> + nexp = pe_as32 (expdata + 24);
> +@@ -626,20 +651,27 @@ pe_text_section_offset (struct bfd *abfd)
> + }
> +
> + /* Get pe_header, optional header and numbers of sections. */
> +- pe_header_offset = pe_get32 (abfd, 0x3c);
> +- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2);
> ++ bool fail = false;
> ++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail);
> ++ if (fail)
> ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> ++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail);
> + secptr = (pe_header_offset + 4 + 20 +
> +- pe_get16 (abfd, pe_header_offset + 4 + 16));
> ++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail));
> ++ if (fail)
> ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> +
> + /* Get the rva and size of the export section. */
> + for (i = 0; i < nsections; i++)
> + {
> + char sname[SCNNMLEN + 1];
> + unsigned long secptr1 = secptr + 40 * i;
> +- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12);
> ++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail);
> +
> +- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET);
> +- bfd_read (sname, (bfd_size_type) SCNNMLEN, abfd);
> ++ if (fail
> ++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0
> ++ || bfd_read (sname, SCNNMLEN, abfd) != SCNNMLEN)
> ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> + sname[SCNNMLEN] = '\0';
> + if (strcmp (sname, ".text") == 0)
> + return vaddr;
> +diff --git a/gdb/coffread.c b/gdb/coffread.c
> +index 583db6bceb0..6a995ae2241 100644
> +--- a/gdb/coffread.c
> ++++ b/gdb/coffread.c
> +@@ -711,8 +711,6 @@ coff_symfile_read (struct objfile *objfile,
> symfile_add_flags symfile_flags)
> +
> + /* FIXME: dubious. Why can't we use something normal like
> + bfd_get_section_contents? */
> +- bfd_seek (abfd, abfd->where, 0);
> +-
> + stabstrsize = bfd_section_size (info->stabstrsect);
> +
> + coffstab_build_psymtabs (objfile,
> +@@ -807,22 +805,6 @@ coff_symtab_read (minimal_symbol_reader &reader,
> +
> + scoped_free_pendings free_pending;
> +
> +- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous....
> +- it's hard to know I've really worked around it. The fix should
> +- be harmless, anyway). The symptom of the bug is that the first
> +- fread (in read_one_sym), will (in my example) actually get data
> +- from file offset 268, when the fseek was to 264 (and ftell shows
> +- 264). This causes all hell to break loose. I was unable to
> +- reproduce this on a short test program which operated on the same
> +- file, performing (I think) the same sequence of operations.
> +-
> +- It stopped happening when I put in this (former) rewind().
> +-
> +- FIXME: Find out if this has been reported to Sun, whether it has
> +- been fixed in a later release, etc. */
> +-
> +- bfd_seek (objfile->obfd.get (), 0, 0);
> +-
> + /* Position to read the symbol table. */
> + val = bfd_seek (objfile->obfd.get (), symtab_offset, 0);
> + if (val < 0)
> +@@ -1308,12 +1290,13 @@ init_stringtab (bfd *abfd, file_ptr offset,
> gdb::unique_xmalloc_ptr<char> *stora
> + if (bfd_seek (abfd, offset, 0) < 0)
> + return -1;
> +
> +- val = bfd_read ((char *) lengthbuf, sizeof lengthbuf, abfd);
> +- length = bfd_h_get_32 (symfile_bfd, lengthbuf);
> +-
> ++ val = bfd_read (lengthbuf, sizeof lengthbuf, abfd);
> + /* If no string table is needed, then the file may end immediately
> + after the symbols. Just return with `stringtab' set to null. */
> +- if (val != sizeof lengthbuf || length < sizeof lengthbuf)
> ++ if (val != sizeof lengthbuf)
> ++ return 0;
> ++ length = bfd_h_get_32 (symfile_bfd, lengthbuf);
> ++ if (length < sizeof lengthbuf)
> + return 0;
> +
> + storage->reset ((char *) xmalloc (length));
> +diff --git a/gdb/dbxread.c b/gdb/dbxread.c
> +index 75bbd510155..ddc61d9d539 100644
> +--- a/gdb/dbxread.c
> ++++ b/gdb/dbxread.c
> +@@ -809,7 +809,8 @@ stabs_seek (int sym_offset)
> + symbuf_left -= sym_offset;
> + }
> + else
> +- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR);
> ++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0)
> ++ perror_with_name (bfd_get_filename (symfile_bfd));
> + }
> +
> + #define INTERNALIZE_SYMBOL(intern, extern, abfd) \
> +@@ -2155,8 +2156,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, struct
> objfile *objfile)
> + symbol_size = SYMBOL_SIZE (pst);
> +
> + /* Read in this file's symbols. */
> +- bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET);
> +- read_ofile_symtab (objfile, pst);
> ++ if (bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET) ==
> 0)
> ++ read_ofile_symtab (objfile, pst);
> + }
> +
> + pst->readin = true;
> +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c
> +index 8ce4b28d133..63eb538ca05 100644
> +--- a/gdb/xcoffread.c
> ++++ b/gdb/xcoffread.c
> +@@ -779,8 +779,9 @@ enter_line_range (struct subfile *subfile, unsigned
> beginoffset,
> +
> + while (curoffset <= limit_offset)
> + {
> +- bfd_seek (abfd, curoffset, SEEK_SET);
> +- bfd_read (ext_lnno, linesz, abfd);
> ++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0
> ++ || bfd_read (ext_lnno, linesz, abfd) != linesz)
> ++ return;
> + bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno);
> +
> + /* Find the address this line represents. */
> --
> 2.42.0
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192659):
https://lists.openembedded.org/g/openembedded-core/message/192659
Mute This Topic: https://lists.openembedded.org/mt/103238950/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
