From: Siddharth Doshi Date: Tue, 12 Sep 2023 06:19:37 +0000 (+0530) Subject: gdb: Fix CVE-2023-39128 X-Git-Tag: 2020-04.29-dunfell~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c991fdbb63a6de754399ac4fe04288ea66d34c4d;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git gdb: Fix CVE-2023-39128 Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-devtools/gdb/gdb-9.1.inc b/meta/recipes-devtools/gdb/gdb-9.1.inc index d019e6b3847..212c554cf17 100644 --- a/meta/recipes-devtools/gdb/gdb-9.1.inc +++ b/meta/recipes-devtools/gdb/gdb-9.1.inc @@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0009-resolve-restrict-keyword-conflict.patch \ file://0010-Fix-invalid-sigprocmask-call.patch \ file://0011-gdbserver-ctrl-c-handling.patch \ + file://0012-CVE-2023-39128.patch \ " SRC_URI[md5sum] = "f7e9f6236c425097d9e5f18a6ac40655" SRC_URI[sha256sum] = "699e0ec832fdd2f21c8266171ea5bf44024bd05164fdf064e4d10cc4cf0d1737" diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch new file mode 100644 index 00000000000..6445455bded --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch @@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 0c2d4fc..40852b6 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -56,6 +56,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + + /* Define whether or not the C operator '/' truncates towards zero for +@@ -1184,7 +1185,7 @@ ada_decode (const char *encoded) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1350,6 +1351,18 @@ Suppress: + + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -14345,4 +14358,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer); + gdb::observers::free_objfile.attach (ada_free_objfile_observer); + gdb::observers::inferior_exit.attach (ada_inferior_exit); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.24.4 +