Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame^] | 1 | From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001 |
| 2 | From: Sandra Loosemore <sandra@codesourcery.com> |
| 3 | Date: Thu, 25 Apr 2019 07:27:02 -0700 |
| 4 | Subject: [PATCH] Detect invalid length field in debug frame FDE header. |
| 5 | |
| 6 | GDB was failing to catch cases where a corrupt ELF or core file |
| 7 | contained an invalid length value in a Dwarf debug frame FDE header. |
| 8 | It was checking for buffer overflow but not cases where the length was |
| 9 | negative or caused pointer wrap-around. |
| 10 | |
| 11 | In addition to the additional validity check, this patch cleans up the |
| 12 | multiple signed/unsigned conversions on the length field so that an |
| 13 | unsigned representation is used consistently throughout. |
| 14 | |
| 15 | This patch fixes CVE-2017-9778 and PR gdb/21600. |
| 16 | |
| 17 | 2019-04-25 Sandra Loosemore <sandra@codesourcery.com> |
| 18 | Kang Li <kanglictf@gmail.com> |
| 19 | |
| 20 | PR gdb/21600 |
| 21 | |
| 22 | * dwarf2-frame.c (read_initial_length): Be consistent about using |
| 23 | unsigned representation of length. |
| 24 | (decode_frame_entry_1): Likewise. Check for wraparound of |
| 25 | end pointer as well as buffer overflow. |
| 26 | |
| 27 | Upstream-Status: Backport |
| 28 | CVE: CVE-2017-9778 |
| 29 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 30 | --- |
| 31 | gdb/ChangeLog | 10 ++++++++++ |
| 32 | gdb/dwarf2-frame.c | 14 +++++++------- |
| 33 | 2 files changed, 17 insertions(+), 7 deletions(-) |
| 34 | |
| 35 | diff --git a/gdb/ChangeLog b/gdb/ChangeLog |
| 36 | index 1c125de..d028d2b 100644 |
| 37 | --- a/gdb/ChangeLog |
| 38 | +++ b/gdb/ChangeLog |
| 39 | @@ -1,3 +1,13 @@ |
| 40 | +2019-04-25 Sandra Loosemore <sandra@codesourcery.com> |
| 41 | + Kang Li <kanglictf@gmail.com> |
| 42 | + |
| 43 | + PR gdb/21600 |
| 44 | + |
| 45 | + * dwarf2-frame.c (read_initial_length): Be consistent about using |
| 46 | + unsigned representation of length. |
| 47 | + (decode_frame_entry_1): Likewise. Check for wraparound of |
| 48 | + end pointer as well as buffer overflow. |
| 49 | + |
| 50 | 2019-05-11 Joel Brobecker <brobecker@adacore.com> |
| 51 | |
| 52 | * version.in: Set GDB version number to 8.3. |
| 53 | diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c |
| 54 | index 178ac44..dc5d3b3 100644 |
| 55 | --- a/gdb/dwarf2-frame.c |
| 56 | +++ b/gdb/dwarf2-frame.c |
| 57 | @@ -1488,7 +1488,7 @@ static ULONGEST |
| 58 | read_initial_length (bfd *abfd, const gdb_byte *buf, |
| 59 | unsigned int *bytes_read_ptr) |
| 60 | { |
| 61 | - LONGEST result; |
| 62 | + ULONGEST result; |
| 63 | |
| 64 | result = bfd_get_32 (abfd, buf); |
| 65 | if (result == 0xffffffff) |
| 66 | @@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, |
| 67 | { |
| 68 | struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); |
| 69 | const gdb_byte *buf, *end; |
| 70 | - LONGEST length; |
| 71 | + ULONGEST length; |
| 72 | unsigned int bytes_read; |
| 73 | int dwarf64_p; |
| 74 | ULONGEST cie_id; |
| 75 | @@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, |
| 76 | buf = start; |
| 77 | length = read_initial_length (unit->abfd, buf, &bytes_read); |
| 78 | buf += bytes_read; |
| 79 | - end = buf + length; |
| 80 | - |
| 81 | - /* Are we still within the section? */ |
| 82 | - if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) |
| 83 | - return NULL; |
| 84 | + end = buf + (size_t) length; |
| 85 | |
| 86 | if (length == 0) |
| 87 | return end; |
| 88 | |
| 89 | + /* Are we still within the section? */ |
| 90 | + if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) |
| 91 | + return NULL; |
| 92 | + |
| 93 | /* Distinguish between 32 and 64-bit encoded frame info. */ |
| 94 | dwarf64_p = (bytes_read == 12); |
| 95 | |
| 96 | -- |
| 97 | 2.20.1 |
| 98 | |