From 093152590037de228529d29e06de7126f24cc7a3 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 21 Sep 2023 18:30:31 +0000 Subject: [PATCH] import CS gdb-10.2-11.el9 --- SOURCES/_gdb.spec.Patch.include | 16 +++ SOURCES/_gdb.spec.patch.include | 4 + ...gdb.base-printcmds-s390x-regressions.patch | 71 +++++++++++ ...-2130624-assert_in_jit_event_handler.patch | 115 ++++++++++++++++++ ...rhbz2155439-assert-failure-copy_type.patch | 73 +++++++++++ ...rhbz-2132600-prevent-buffer-overflow.patch | 27 ++++ SPECS/gdb.spec | 16 ++- 7 files changed, 321 insertions(+), 1 deletion(-) create mode 100644 SOURCES/gdb-fix-gdb.base-printcmds-s390x-regressions.patch create mode 100644 SOURCES/gdb-rhbz-2130624-assert_in_jit_event_handler.patch create mode 100644 SOURCES/gdb-rhbz2155439-assert-failure-copy_type.patch create mode 100644 SOURCES/libiberty-rhbz-2132600-prevent-buffer-overflow.patch diff --git a/SOURCES/_gdb.spec.Patch.include b/SOURCES/_gdb.spec.Patch.include index 87f7715..8750a11 100644 --- a/SOURCES/_gdb.spec.Patch.include +++ b/SOURCES/_gdb.spec.Patch.include @@ -463,3 +463,19 @@ Patch111: gdb-rhbz1870017-p10-plt-prologue-skipping.patch # (Simon Marchi, RHBZ 2086761) Patch112: gdb-rhbz2086761-unknown-cfa-rule.patch +# Backport "Fix assertion failure in copy_type" +# (Tom Tromey, RHBZ2155439) +Patch113: gdb-rhbz2155439-assert-failure-copy_type.patch + +# Backport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp" +# (Tom de Vries) +Patch114: gdb-fix-gdb.base-printcmds-s390x-regressions.patch + +# Backport "[gdb/breakpoint] Fix assert in jit_event_handler" +# (Tom de Vries, RHBZ2130624) +Patch115: gdb-rhbz-2130624-assert_in_jit_event_handler.patch + +# Backport libiberty: prevent buffer overflow when decoding user input +# (Luís Ferreira, RHBZ2132600) +Patch116: libiberty-rhbz-2132600-prevent-buffer-overflow.patch + diff --git a/SOURCES/_gdb.spec.patch.include b/SOURCES/_gdb.spec.patch.include index dac5ffa..f0da001 100644 
--- a/SOURCES/_gdb.spec.patch.include
+++ b/SOURCES/_gdb.spec.patch.include
@@ -110,3 +110,7 @@
 %patch110 -p1
 %patch111 -p1
 %patch112 -p1
+%patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1
diff --git a/SOURCES/gdb-fix-gdb.base-printcmds-s390x-regressions.patch b/SOURCES/gdb-fix-gdb.base-printcmds-s390x-regressions.patch
new file mode 100644
index 0000000..edf28c9
--- /dev/null
+++ b/SOURCES/gdb-fix-gdb.base-printcmds-s390x-regressions.patch
@@ -0,0 +1,71 @@ +From FEDORA_PATCHES Mon Sep 17 00:00:00 2001 +From: Tom de Vries +Date: Mon, 12 Dec 2022 15:21:33 +0100 +Subject: gdb-fix-gdb.base-printcmds-s390x-regressions.patch + +;; Backport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp" +;; (Tom de Vries) + +On s390x-linux, I run into: +... +(gdb) print {unsigned char}{65}^M +$749 = 0 '\000'^M +(gdb) FAIL: gdb.base/printcmds.exp: print {unsigned char}{65} +... + +In contrast, on x86_64-linux, we have: +... +(gdb) print {unsigned char}{65}^M +$749 = 65 'A'^M +(gdb) PASS: gdb.base/printcmds.exp: print {unsigned char}{65} +... + +The first problem here is that the test is supposed to be a regression test +for PR20630, which can be reproduced (for an unfixed gdb) like this: +... +(gdb) p {unsigned char[]}{0x17} +gdbtypes.c:4641: internal-error: copy_type: \ + Assertion `TYPE_OBJFILE_OWNED (type)' failed. +... +but it's not due to insufficient quoting (note the dropped '[]'). + +That's easy to fix, but after that we have on s390 (big endian): +... +(gdb) print {unsigned char[]}{65}^M +$749 = ""^M +... +and on x86_64 (little endian): +... +(gdb) print {unsigned char[]}{65}^M +$749 = "A"^M +... + +Fix this by using 0xffffffff, such that in both cases we have: +... +(gdb) print {unsigned char[]}{0xffffffff}^M +$749 = "\377\377\377\377"^M +... + +Tested on x86_64-linux and s390x-linux. + +diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp +--- a/gdb/testsuite/gdb.base/printcmds.exp ++++ b/gdb/testsuite/gdb.base/printcmds.exp +@@ -717,6 +717,7 @@ proc test_print_string_constants {} { + } + + proc test_print_array_constants {} { ++ global hex + + if [target_info exists gdb,cannot_call_functions] { + unsupported "this target can not call functions" +@@ -735,7 +736,8 @@ proc test_print_array_constants {} { + gdb_test "print *&{4,5,6}\[1\]" "Attempt to take address of value not located in memory." + + # This used to cause a crash. 
+- gdb_test "print {unsigned char[]}{65}" " = 65 'A'" ++ set val [string_to_regexp {"\377\377\377\377"}] ++ gdb_test "print {unsigned char\[\]}{0xffffffff}" " = $val" + } + + proc test_print_enums {} { diff --git a/SOURCES/gdb-rhbz-2130624-assert_in_jit_event_handler.patch b/SOURCES/gdb-rhbz-2130624-assert_in_jit_event_handler.patch new file mode 100644 index 0000000..488aaa3 --- /dev/null +++ b/SOURCES/gdb-rhbz-2130624-assert_in_jit_event_handler.patch 
@@ -0,0 +1,115 @@ +From FEDORA_PATCHES Mon Sep 17 00:00:00 2001 +From: Tom de Vries +Date: Fri, 21 May 2021 15:09:14 +0200 +Subject: gdb-rhbz-2130624-assert_in_jit_event_handler.patch + +;; Backport "[gdb/breakpoint] Fix assert in jit_event_handler" +;; (Tom de Vries, RHBZ2130624) + +Consider a minimal test-case test.c: +... +int main (void) { return 0; } +... +which we can compile into llvm byte code using clang: +... +$ clang -g -S -emit-llvm --target=x86_64-unknown-unknown-elf test.c +... +and then run using lli, which uses the llvm jit: +... +$ lli test.ll +... + +If we run this under gdb, we run into an assert: +... +$ gdb -q -batch -ex run --args /usr/bin/lli test.ll +Dwarf Error: Cannot not find DIE at 0x18a936e7 \ + [from module libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug] + +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". +src/gdb/jit.c:1178: internal-error: \ + void jit_event_handler(gdbarch*, objfile*): \ + Assertion `jiter->jiter_data != nullptr' failed. +... + +This is caused by the following. + +When running jit_breakpoint_re_set_internal, we first handle +libLLVM.so.10.debug, and set a jit breakpoint. + +Next we handle libLLVM.so.10: +... +(gdb) p the_objfile.original_name +$42 = 0x2494170 "libLLVM.so.10" +... +but the minimal symbols we find are from libLLVM.so.10.debug: +... +(gdb) p reg_symbol.objfile.original_name +$43 = 0x38e7c50 "libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug" +(gdb) p desc_symbol.objfile.original_name +$44 = 0x38e7c50 "libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug" +... +and consequently, the objf_data is the one from libLLVM.so.10.debug: +... + jiter_objfile_data *objf_data + = get_jiter_objfile_data (reg_symbol.objfile); +... +and so we hit this: +... + if (objf_data->cached_code_address == addr) + continue; +... +and no second jit breakpoint is inserted. 
+ +Subsequently, the jit breakpoint is triggered and handled, but when finding +the symbol for the breakpoint address we get: +... +(gdb) p jit_bp_sym.objfile.original_name +$52 = 0x2494170 "libLLVM.so.10" +... + +The assert 'jiter->jiter_data != nullptr' triggers because it checks +libLLVM.so.10 while the one with jiter_data setup is libLLVM.so.10.debug. + +This fixes the assert: +... + jiter_objfile_data *objf_data +- = get_jiter_objfile_data (reg_symbol.objfile); +- = get_jiter_objfile_data (the_objfile); +... +but consequently we'll have two jit breakpoints, so we also make sure we don't +set a jit breakpoint on separate debug objects like libLLVM.so.10.debug. + +Tested on x86_64-linux. + +gdb/ChangeLog: + +2021-05-21 Tom de Vries + + PR breakpoint/27889 + * jit.c (jit_breakpoint_re_set_internal): Skip separate debug + objects. Call get_jiter_objfile_data with the_objfile. + +diff --git a/gdb/jit.c b/gdb/jit.c +--- a/gdb/jit.c ++++ b/gdb/jit.c +@@ -893,6 +893,10 @@ jit_breakpoint_re_set_internal (struct gdbarch *gdbarch, program_space *pspace) + { + for (objfile *the_objfile : pspace->objfiles ()) + { ++ /* Skip separate debug objects. */ ++ if (the_objfile->separate_debug_objfile_backlink != nullptr) ++ continue; ++ + if (the_objfile->skip_jit_symbol_lookup) + continue; + +@@ -919,7 +923,7 @@ jit_breakpoint_re_set_internal (struct gdbarch *gdbarch, program_space *pspace) + } + + jiter_objfile_data *objf_data +- = get_jiter_objfile_data (reg_symbol.objfile); ++ = get_jiter_objfile_data (the_objfile); + objf_data->register_code = reg_symbol.minsym; + objf_data->descriptor = desc_symbol.minsym; + diff --git a/SOURCES/gdb-rhbz2155439-assert-failure-copy_type.patch b/SOURCES/gdb-rhbz2155439-assert-failure-copy_type.patch new file mode 100644 index 0000000..554d477 --- /dev/null +++ b/SOURCES/gdb-rhbz2155439-assert-failure-copy_type.patch 
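Review bot: The switch from `reg_symbol.objfile` to `the_objfile` in the `get_jiter_objfile_data` call near the end of the hunk is the substantive fix, but nothing at that line says why the two objfiles can differ, and the next reader is likely to "correct" it back. I would add a comment above the assignment: `/* Key the jiter data by THE_OBJFILE, not by the objfile owning the minimal symbols: with a separate debug file the symbols resolve to the .debug objfile, while jit_event_handler looks the data up on the objfile that owns the breakpoint address.  */`, which is exactly the libLLVM.so.10 vs libLLVM.so.10.debug analysis in the commit message. The new `separate_debug_objfile_backlink` skip is placed before the `skip_jit_symbol_lookup` check, so separate debug objfiles are never marked as skipped; that appears harmless since they are rejected first anyway. The body of jit_breakpoint_re_set_internal starts and ends outside the hunk.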
@@ -0,0 +1,73 @@ +From FEDORA_PATCHES Mon Sep 17 00:00:00 2001 +From: Bruno Larsen +Date: Wed, 22 Mar 2023 15:48:00 +0100 +Subject: gdb-rhbz2155439-assert-failure-copy_type.patch + +;; Backport "Fix assertion failure in copy_type" +;; (Tom Tromey, RHBZ2155439) + +PR exp/20630 points out a simple way to cause an assertion failure in +copy_type -- but this was found in the wild a few times as well. + +copy_type only works for objfile-owned types, but there isn't a deep +reason for this. This patch fixes the bug by updating copy_type to +work for any sort of type. + +Better would perhaps be to finally implement type GC, but I still +haven't attempted this. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=20630 + +diff --git a/gdb/gdbtypes.c b/gdb/gdbtypes.c +--- a/gdb/gdbtypes.c ++++ b/gdb/gdbtypes.c +@@ -5504,27 +5504,24 @@ copy_type_recursive (struct objfile *objfile, + } + + /* Make a copy of the given TYPE, except that the pointer & reference +- types are not preserved. +- +- This function assumes that the given type has an associated objfile. +- This objfile is used to allocate the new type. */ ++ types are not preserved. */ + + struct type * + copy_type (const struct type *type) + { +- struct type *new_type; +- +- gdb_assert (TYPE_OBJFILE_OWNED (type)); +- +- new_type = alloc_type_copy (type); ++ struct type *new_type = alloc_type_copy (type); + TYPE_INSTANCE_FLAGS (new_type) = TYPE_INSTANCE_FLAGS (type); + TYPE_LENGTH (new_type) = TYPE_LENGTH (type); + memcpy (TYPE_MAIN_TYPE (new_type), TYPE_MAIN_TYPE (type), + sizeof (struct main_type)); + if (type->main_type->dyn_prop_list != NULL) +- new_type->main_type->dyn_prop_list +- = copy_dynamic_prop_list (&TYPE_OBJFILE (type) -> objfile_obstack, +- type->main_type->dyn_prop_list); ++ { ++ struct obstack *storage = (TYPE_OBJFILE_OWNED (type) ++ ? 
&TYPE_OBJFILE (type)->objfile_obstack ++ : gdbarch_obstack (TYPE_OWNER (type).gdbarch)); ++ new_type->main_type->dyn_prop_list ++ = copy_dynamic_prop_list (storage, type->main_type->dyn_prop_list); ++ } + + return new_type; + } +diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp +--- a/gdb/testsuite/gdb.base/printcmds.exp ++++ b/gdb/testsuite/gdb.base/printcmds.exp +@@ -733,6 +733,9 @@ proc test_print_array_constants {} { + gdb_test_escape_braces "print {{0,1,2},{3,4,5}}" " = {{0, 1, 2}, {3, 4, 5}}" + gdb_test "print {4,5,6}\[2\]" " = 6" + gdb_test "print *&{4,5,6}\[1\]" "Attempt to take address of value not located in memory." ++ ++ # This used to cause a crash. ++ gdb_test "print {unsigned char[]}{65}" " = 65 'A'" + } + + proc test_print_enums {} { diff --git a/SOURCES/libiberty-rhbz-2132600-prevent-buffer-overflow.patch b/SOURCES/libiberty-rhbz-2132600-prevent-buffer-overflow.patch new file mode 100644 index 0000000..a0f5076 --- /dev/null +++ b/SOURCES/libiberty-rhbz-2132600-prevent-buffer-overflow.patch 
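Review bot: The new `storage` ternary assumes that a type which is not objfile-owned is gdbarch-owned (`TYPE_OWNER (type).gdbarch`), yet the removed header comment was the only place that documented ownership and the replacement says nothing about it. I would comment the ternary: `/* Types are owned by either an objfile or a gdbarch; copy the dynamic property list onto the owner's obstack so it lives as long as the type returned by alloc_type_copy.  */` — assuming that two-way ownership invariant holds in this gdb version, which the hunk itself does not show. The testsuite expectation added at the bottom, `" = 65 'A'"`, is endian-dependent (the printcmds patch earlier in this import shows it yielding `0 '\000'` on s390x), and Patch114 in the same import rewrites it, so the two patches must stay ordered as they are in _gdb.spec.patch.include. The enclosing copy_type and test_print_array_constants definitions start and end outside the hunk.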
@@ -0,0 +1,27 @@ +From FEDORA_PATCHES Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= +Date: Thu, 23 Sep 2021 11:33:47 -0400 +Subject: libiberty-rhbz-2132600-prevent-buffer-overflow.patch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +;; Backport libiberty: prevent buffer overflow when decoding user input +;; (Luís Ferreira, RHBZ2132600) + +libiberty/ + * d-demangle.c (dlang_symbol_backref): Ensure strlen of + string is less than length computed by dlang_number. + +diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c +--- a/libiberty/d-demangle.c ++++ b/libiberty/d-demangle.c +@@ -380,7 +380,7 @@ dlang_symbol_backref (string *decl, const char *mangled, + + /* Must point to a simple identifier. */ + backref = dlang_number (backref, &len); +- if (backref == NULL) ++ if (backref == NULL || strlen (backref) < len) + return NULL; + + backref = dlang_lname (decl, backref, len); diff --git a/SPECS/gdb.spec b/SPECS/gdb.spec index ed549d5..2d5a0d4 100644 --- a/SPECS/gdb.spec +++ b/SPECS/gdb.spec @@ -37,7 +37,7 @@ Version: 10.2 # The release always contains a leading reserved number, start it at 1. # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing. -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL # Do not provide URL for snapshots as the file lasts there only for 2 days. 
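Review bot: The added bound `strlen (backref) < len` compares a `size_t` against `len`, whose declaration is outside the hunk; if it is the `long` that upstream `dlang_number` fills in, this is a signed/unsigned comparison that `-Wsign-compare` flags, and a negative `len` would be promoted to a huge unsigned value. That promotion happens to fail safe here (the function returns NULL), but the intent is clearer if spelled out: `if (backref == NULL || len < 0 || strlen (backref) < (size_t) len)`. Because `strlen` walks the remainder of the mangled string on every backreference, a symbol with many backreferences now costs O(n²) to demangle, which is acceptable for a bounds check on untrusted input but deserves a comment such as `/* dlang_lname presumably consumes LEN bytes; make sure they all lie within the NUL-terminated input.  */`. The enclosing dlang_symbol_backref starts and ends outside the hunk.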
@@ -1158,6 +1158,20 @@ fi %endif %changelog +* Wed Mar 29 2023 Bruno Larsen - 10.2-11.el9 +- Backport "libiberty: prevent buffer overflow when decoding user input" + (Luís Ferreira, RHBZ2132600) + +* Mon Mar 27 2023 Bruno Larsen +- Backport "[gdb/breakpoint] Fix assert in jit_event_handler" + (Tom de Vries, RHBZ 2130624) + +* Wed Mar 23 2023 Bruno Larsen +- Bakport "Fix assertion failure in copy_type" + (Tom Tromey, RHBZ 2155439) +- Bakport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp" + (Tom de Vries) + * Tue May 24 2022 Keith Seitz - 10.2-10.el9 - Backport "fix logic of find_comp_unit and set_comp_unit" (Simon Marchi, RHBZ 2086761)