import gdb-8.2-8.el8

2020-01-21 15:43:41 -05:00 · 2020-01-21 15:43:41 -05:00 · b62867e538
commit b62867e538
parent d230d9434c
5 changed files with 218 additions and 1 deletions
--- a/SOURCES/_gdb.spec.Patch.include
+++ b/SOURCES/_gdb.spec.Patch.include
@ -647,3 +647,12 @@ Patch158: gdb-rhbz1187581-power8-regs-not-in-8.2-14of15.patch
 # Pedro Franco de Carvalho, RH BZ 1187581
 Patch159: gdb-rhbz1187581-power8-regs-not-in-8.2-15of15.patch

+# "Fix" segfault that happens on parse_macro_definition because
+# debugedit corrupts the .debug_macro section.
+# Sergio Durigan Junior, RH BZ 1708192.
+Patch160: gdb-rhbz1708192-parse_macro_definition-crash.patch
+
+# Prevent buffer overflow with sections with invalid sizes.
+# Keith Seitz, RH BZ 1740299.
+Patch161: gdb-rhbz1742099-reject-sections-with-invalid-sizes.patch
+
--- a/SOURCES/_gdb.spec.patch.include
+++ b/SOURCES/_gdb.spec.patch.include
@ -157,3 +157,5 @@
 %patch157 -p1
 %patch158 -p1
 %patch159 -p1
+%patch160 -p1
+%patch161 -p1
--- a/SOURCES/gdb-rhbz1708192-parse_macro_definition-crash.patch
+++ b/SOURCES/gdb-rhbz1708192-parse_macro_definition-crash.patch
@ -0,0 +1,69 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Sergio Durigan Junior <sergiodj@redhat.com>
+Date: Fri, 10 May 2019 16:57:26 -0400
+Subject: gdb-rhbz1708192-parse_macro_definition-crash.patch
+
+;; "Fix" segfault that happens on parse_macro_definition because
+;; debugedit corrupts the .debug_macro section.
+;; Sergio Durigan Junior, RH BZ 1708192.
+
+Don't crash if dwarf_decode_macro_bytes's 'body' is NULL
+
+Hi,
+
+Ref.: https://bugzilla.redhat.com/show_bug.cgi?id=1708192
+      https://bugzilla.redhat.com/show_bug.cgi?id=1708786
+
+During the Fedora RPM build process, gdb-add-index is invoked to
+extract the DWARF index from the binary, and GDB will segfault because
+dwarf2read.c:parse_definition_macro's 'body' variable is NULL.
+
+The underlying problem is that Fedora's rpm-build's "debugedit"
+program will silently corrupt .debug_macro strings when a binary is
+compiled with -g3.  This is being taken care of by Mark Wielaard,
+here:
+
+  https://bugzilla.redhat.com/show_bug.cgi?id=1708786
+
+However, I still feel it's important to make GDB more resilient
+against invalid DWARF input, so I'm proposing this rather simple patch
+to catch the situation when "body == NULL" (i.e., it's probably been
+corrupted) and issue a complaint.  This is not a real fix to the
+problem, of course, but at least GDB is able to finish without
+segfaulting.
+
+OK for master?
+
+gdb/ChangeLog:
+2019-05-15  Sergio Durigan Junior  <sergiodj@redhat.com>
+
+	Ref.: https://bugzilla.redhat.com/show_bug.cgi?id=1708192
+	* dwarf2read.c (dwarf_decode_macro_bytes): Check whether 'body' is
+	NULL, and complain if that's the case.
+
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
+@@ -24355,7 +24355,21 @@ dwarf_decode_macro_bytes (struct dwarf2_per_objfile *dwarf2_per_objfile,
+ 			 is_define ? _("definition") : _("undefinition"),
+ 			 line == 0 ? _("zero") : _("non-zero"), line, body);
+ 
+-	    if (is_define)
+	    if (body == NULL)
+	      {
+		/* Fedora's rpm-build's "debugedit" binary
+		   corrupted .debug_macro sections.
+
+		   For more info, see
+		   https://bugzilla.redhat.com/show_bug.cgi?id=1708786 */
+		complaint (_("debug info gives %s invalid macro %s "
+			     "without body (corrupted?) at line %d "
+			     "on file %s"),
+			   at_commandline ? _("command-line") : _("in-file"),
+			   is_define ? _("definition") : _("undefinition"),
+			   line, current_file->filename);
+	      }
+	    else if (is_define)
+ 	      parse_macro_definition (current_file, line, body);
+ 	    else
+ 	      {
--- a/SOURCES/gdb-rhbz1742099-reject-sections-with-invalid-sizes.patch
+++ b/SOURCES/gdb-rhbz1742099-reject-sections-with-invalid-sizes.patch
@ -0,0 +1,128 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Keith Seitz <keiths@redhat.com>
+Date: Thu, 17 Oct 2019 09:44:15 -0700
+Subject: gdb-rhbz1742099-reject-sections-with-invalid-sizes.patch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+;; Prevent buffer overflow with sections with invalid sizes.
+;; Keith Seitz, RH BZ 1740299.
+
+DWARF reader: Reject sections with invalid sizes
+
+This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
+specifically altered the size of .debug_str:
+
+$ eu-readelf -S objdump
+Section Headers:
+[Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
+[31] .debug_str           PROGBITS     0000000000000000 0057116d ffffffffffffffff  1 MS     0   0  1
+
+When this file is loaded into GDB, the DWARF reader crashes attempting
+to access the string table (or it may just store a bunch of nonsense):
+
+[gdb-8.3-6-fc30]
+$ gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+Segmentation fault (core dumped)
+
+Nick has already committed a BFD patch to issue the warning seen above.
+
+[gdb master 6acc1a0b]
+$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+(gdb) inf func
+All defined functions:
+
+File ./../include/dwarf2.def:
+186:    const
+
+              8 *>(.:
+                     ;'@<40>B);
+747:    const
+
+              8 *<2A>(.:
+                     ;'@<40>B);
+701:    const
+
+              8 *<2A>D <20>
+                     (.:
+                        ;'@<40>B);
+71:     const
+
+              8 *(.:
+                    ;'@<40>B);
+/* and more gibberish  */
+
+Consider read_indirect_string_at_offset_from:
+
+static const char *
+read_indirect_string_at_offset_from (struct objfile *objfile,
+                                     bfd *abfd, LONGEST str_offset,
+                                     struct dwarf2_section_info *sect,
+                                     const char *form_name,
+                                     const char *sect_name)
+{
+  dwarf2_read_section (objfile, sect);
+  if (sect->buffer == NULL)
+    error (_("%s used without %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  if (str_offset >= sect->size)
+    error (_("%s pointing outside of %s section [in module %s]"),
+           form_name, sect_name, bfd_get_filename (abfd));
+  gdb_assert (HOST_CHAR_BIT == 8);
+  if (sect->buffer[str_offset] == '\0')
+    return NULL;
+  return (const char *) (sect->buffer + str_offset);
+}
+
+With sect_size being ginormous, the code attempts to access
+sect->buffer[GINORMOUS], and depending on the layout of memory,
+GDB either stores a bunch of gibberish strings or crashes.
+
+This is an attempt to mitigate this by implementing a similar approach
+used by BFD. In our case, we simply reject the section with the invalid
+length:
+
+$ ./gdb -nx -q objdump
+BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
+Reading symbols from /path/to/objdump...
+
+warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
+DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
+(No debugging symbols found in /path/to/objdump)
+(gdb)
+
+Unfortunately, I have not found a way to regression test this, since it
+requires poking ELF section headers.
+
+gdb/ChangeLog:
+2019-10-16  Keith Seitz  <keiths@redhat.com>
+
+        PR gdb/23567
+        * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
+        sections whose size is greater than the file size.
+
+Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
+
+diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
+--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
+@@ -2335,6 +2335,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
+   if ((aflag & SEC_HAS_CONTENTS) == 0)
+     {
+     }
+  else if (elf_section_data (sectp)->this_hdr.sh_size
+	   > bfd_get_file_size (abfd))
+    {
+      bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
+      warning (_("Discarding section %s which has a section size (%s"
+		 ") larger than the file size [in module %s]"),
+	       bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
+	       bfd_get_filename (abfd));
+    }
+   else if (section_is_p (sectp->name, &names.info))
+     {
+       this->info.s.section = sectp;
--- a/SPECS/gdb.spec
+++ b/SPECS/gdb.spec
@ -26,7 +26,7 @@ Version: 8.2

 # The release always contains a leading reserved number, start it at 1.
 # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing.
-Release: 6%{?dist}
+Release: 8%{?dist}

 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL
 Group: Development/Debuggers
@ -1034,6 +1034,15 @@ fi
 %endif

 %changelog
+* Tue Oct 22 2019 Keith Seitz <keiths@redhat.com> - 8.2-8.el8
+- Fix buffer overflow reading sections with invalid sizes
+  (Keith Seitz, RH BZ 1742099)
+
+* Thu Oct 17 2019 Keith Seitz <keiths@redhat.com> - 8.2-7.el8
+- Fix segfault that happens on parse_macro_definition because
+  debugedit corrupts the .debug_macro section (Sergio Durigan Junior,
+  RH BZ 1708192).
+
 * Wed Apr  3 2019 Keith Seitz <keiths@redhat.com> 8.2-6.el8
 - Fix yum vs dnf messaging for RHEL8 (RH BZ 1666249):
  Add gdb-rhbz1666249-suggest-yum-instead-of-dnf.pattch