
[kirkstone,V3,1/2] gdb: Fix CVE-2023-39129

Message ID 20240202120104.3735837-1-Deepthi.Hemraj@windriver.com
State Accepted, archived
Commit 67b62fd57d7073b42db2747227d07841d0d064e3
Delegated to: Steve Sakoman
Series: [kirkstone,V3,1/2] gdb: Fix CVE-2023-39129

Commit Message

Deepthi H Feb. 2, 2024, 12:01 p.m. UTC
From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>

Issue: LIN1022-4854

Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
---
 meta/recipes-devtools/gdb/gdb.inc             |  1 +
 .../gdb/gdb/0012-CVE-2023-39129.patch         | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch

Comments

Steve Sakoman Feb. 2, 2024, 3:57 p.m. UTC | #1
On Fri, Feb 2, 2024 at 2:01 AM Hemraj, Deepthi via
lists.openembedded.org
<Deepthi.Hemraj=windriver.com@lists.openembedded.org> wrote:
>
> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>
> Issue: LIN1022-4854

Please don't include internal windriver issue designators.

Also, please send your initial submission without a version number.
If you need to resubmit, add a version number and include a comment
after the --- line below indicating what has changed. Otherwise I am
left to puzzle out which patch you intended I should take.

I have fixed this, so no need to resubmit this time.

Thanks,

Steve

>
> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> ---
>  meta/recipes-devtools/gdb/gdb.inc             |  1 +
>  .../gdb/gdb/0012-CVE-2023-39129.patch         | 50 +++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>
> diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
> index 099bd2d8f5..ad2b3ad4b7 100644
> --- a/meta/recipes-devtools/gdb/gdb.inc
> +++ b/meta/recipes-devtools/gdb/gdb.inc
> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
>             file://0009-Fix-invalid-sigprocmask-call.patch \
>             file://0010-gdbserver-ctrl-c-handling.patch \
>             file://0011-CVE-2023-39128.patch \
> +          file://0012-CVE-2023-39129.patch \
>             "
>  SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
> diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> new file mode 100644
> index 0000000000..63fb44d59a
> --- /dev/null
> +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> @@ -0,0 +1,50 @@
> +From: Keith Seitz <keiths@...>
> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
> +Subject: Verify COFF symbol stringtab offset
> +X-Git-Tag: gdb-14-branchpoint~473
> +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
> +
> +Verify COFF symbol stringtab offset
> +
> +This patch addresses an issue with malformed/fuzzed debug information that
> +was recently reported in gdb/30639. That bug specifically deals with
> +an ASAN issue, but the reproducer provided by the reporter causes a
> +another failure outside of ASAN:
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
> +
> +CVE: CVE-2023-39129
> +
> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> +
> +diff --git a/gdb/coffread.c b/gdb/coffread.c
> +--- a/gdb/coffread.c
> ++++ b/gdb/coffread.c
> +@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
> + static file_ptr linetab_size;
> +
> + static char *stringtab = NULL;
> ++static long stringtab_length = 0;
> +
> + extern void stabsread_clear_cache (void);
> +
> +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
> +   /* This is in target format (probably not very useful, and not
> +      currently used), not host format.  */
> +   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
> ++  stringtab_length = length;
> +   if (length == sizeof length)        /* Empty table -- just the count.  */
> +     return 0;
> +
> +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
> +
> +   if (symbol_entry->_n._n_n._n_zeroes == 0)
> +     {
> +-      /* FIXME: Probably should be detecting corrupt symbol files by
> +-       seeing whether offset points to within the stringtab.  */
> ++      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
> ++      error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
> ++             symbol_entry->_n._n_n._n_offset, stringtab_length);
> +       result = stringtab + symbol_entry->_n._n_n._n_offset;
> +     }
> +   else
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#194787): https://lists.openembedded.org/g/openembedded-core/message/194787
> Mute This Topic: https://lists.openembedded.org/mt/104117785/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Randy MacLeod Feb. 2, 2024, 4:14 p.m. UTC | #2
On 2024-02-02 10:57 a.m., Steve Sakoman via lists.openembedded.org wrote:
> On Fri, Feb 2, 2024 at 2:01 AM Hemraj, Deepthi via
> lists.openembedded.org
> <Deepthi.Hemraj=windriver.com@lists.openembedded.org>  wrote:
>> From: Deepthi Hemraj<Deepthi.Hemraj@windriver.com>
>>
>> Issue: LIN1022-4854
> Please don't include internal windriver issue designators.
Agreed. Please only add those if needed when doing WR reviews.
>
> Also, please send your initial submission without a version number.
> If you need to resubmit, add a version number and include a comment
> after the --- line below indicating what has changed. Otherwise I am
> left to puzzle out which patch you intended I should take.

>
> I have fixed this, so no need to resubmit this time.

Thanks Steve.

Also there are two threads with the same git shortlog / email subject:
    [OE-core] [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129


This is the second one and the first was:
https://lists.openembedded.org/g/openembedded-core/message/194789
I'll reply there to ask you to change the git shortlog.


I'm a bit concerned about the fix since the last comment in:

https://sourceware.org/bugzilla/show_bug.cgi?id=30640

says:
    " Fixed by 58abdf88782 (and follow-up patches from mjw). "

Deepthi,
What can you find out about the "follow-up" patches?

I suspect that we won't need to revert this commit but that there
may be more work to be done.

Steve, will you keep what you have from this commit in your tree?

../Randy

>
> Thanks,
>
> Steve
>
>> Signed-off-by: Deepthi Hemraj<Deepthi.Hemraj@windriver.com>
>> ---
>>   meta/recipes-devtools/gdb/gdb.inc             |  1 +
>>   .../gdb/gdb/0012-CVE-2023-39129.patch         | 50 +++++++++++++++++++
>>   2 files changed, 51 insertions(+)
>>   create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>>
>> diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
>> index 099bd2d8f5..ad2b3ad4b7 100644
>> --- a/meta/recipes-devtools/gdb/gdb.inc
>> +++ b/meta/recipes-devtools/gdb/gdb.inc
>> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
>>              file://0009-Fix-invalid-sigprocmask-call.patch  \
>>              file://0010-gdbserver-ctrl-c-handling.patch  \
>>              file://0011-CVE-2023-39128.patch  \
>> +file://0012-CVE-2023-39129.patch  \
>>              "
>>   SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
>> diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>> new file mode 100644
>> index 0000000000..63fb44d59a
>> --- /dev/null
>> +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>> @@ -0,0 +1,50 @@
>> +From: Keith Seitz<keiths@...>
>> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
>> +Subject: Verify COFF symbol stringtab offset
>> +X-Git-Tag: gdb-14-branchpoint~473
>> +X-Git-Url:https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
>> +
>> +Verify COFF symbol stringtab offset
>> +
>> +This patch addresses an issue with malformed/fuzzed debug information that
>> +was recently reported in gdb/30639. That bug specifically deals with
>> +an ASAN issue, but the reproducer provided by the reporter causes a
>> +another failure outside of ASAN:
>> +
>> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
>> +
>> +CVE: CVE-2023-39129
>> +
>> +Signed-off-by: Deepthi Hemraj<Deepthi.Hemraj@windriver.com>
>> +
>> +diff --git a/gdb/coffread.c b/gdb/coffread.c
>> +--- a/gdb/coffread.c
>> ++++ b/gdb/coffread.c
>> +@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
>> + static file_ptr linetab_size;
>> +
>> + static char *stringtab = NULL;
>> ++static long stringtab_length = 0;
>> +
>> + extern void stabsread_clear_cache (void);
>> +
>> +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
>> +   /* This is in target format (probably not very useful, and not
>> +      currently used), not host format.  */
>> +   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
>> ++  stringtab_length = length;
>> +   if (length == sizeof length)        /* Empty table -- just the count.  */
>> +     return 0;
>> +
>> +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
>> +
>> +   if (symbol_entry->_n._n_n._n_zeroes == 0)
>> +     {
>> +-      /* FIXME: Probably should be detecting corrupt symbol files by
>> +-       seeing whether offset points to within the stringtab.  */
>> ++      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
>> ++      error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
>> ++             symbol_entry->_n._n_n._n_offset, stringtab_length);
>> +       result = stringtab + symbol_entry->_n._n_n._n_offset;
>> +     }
>> +   else
>> --
>> 2.43.0
>>
>>
>>
>>
>>
>>
Steve Sakoman Feb. 2, 2024, 4:34 p.m. UTC | #3
On Fri, Feb 2, 2024 at 6:14 AM Randy MacLeod
<randy.macleod@windriver.com> wrote:
>
> On 2024-02-02 10:57 a.m., Steve Sakoman via lists.openembedded.org wrote:
>
> On Fri, Feb 2, 2024 at 2:01 AM Hemraj, Deepthi via
> lists.openembedded.org
> <Deepthi.Hemraj=windriver.com@lists.openembedded.org> wrote:
>
> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>
> Issue: LIN1022-4854
>
> Please don't include internal windriver issue designators.
>
> Agreed. Please only add those if needed when doing WR reviews.
>
> Also, please send your initial submission without a version number.
> If you need to resubmit, add a version number and include a comment
> after the --- line below indicating what has changed. Otherwise I am
> left to puzzle out which patch you intended I should take.
>
>
>
> I have fixed this, so no need to resubmit this time.
>
> Thanks Steve.
>
> Also there are two threads with the same git shortlog / email subject:
>    [OE-core] [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129
>
>
>
> This is the second one and the first was:
>   https://lists.openembedded.org/g/openembedded-core/message/194789
> I'll reply there to ask you to change the git shortlog.
>
>
> I'm a bit concerned about the fix since the last comment in:
>
>    https://sourceware.org/bugzilla/show_bug.cgi?id=30640
>
> says:
>    " Fixed by 58abdf88782 (and follow-up patches from mjw). "
>
> Deepthi,
> What can you find out about the "follow-up" patches?
>
> I suspect that we won't need to revert this commit but that there
> may be more work to be done.
>
> Steve, will you keep what you have from this commit in your tree?

Yes, I will keep it in -nut for now (assuming it passes autobuilder testing)

Steve

>
> ../Randy
>
>
> Thanks,
>
> Steve
>
> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> ---
>  meta/recipes-devtools/gdb/gdb.inc             |  1 +
>  .../gdb/gdb/0012-CVE-2023-39129.patch         | 50 +++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>
> diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
> index 099bd2d8f5..ad2b3ad4b7 100644
> --- a/meta/recipes-devtools/gdb/gdb.inc
> +++ b/meta/recipes-devtools/gdb/gdb.inc
> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
>             file://0009-Fix-invalid-sigprocmask-call.patch \
>             file://0010-gdbserver-ctrl-c-handling.patch \
>             file://0011-CVE-2023-39128.patch \
> +          file://0012-CVE-2023-39129.patch \
>             "
>  SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
> diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> new file mode 100644
> index 0000000000..63fb44d59a
> --- /dev/null
> +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> @@ -0,0 +1,50 @@
> +From: Keith Seitz <keiths@...>
> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
> +Subject: Verify COFF symbol stringtab offset
> +X-Git-Tag: gdb-14-branchpoint~473
> +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
> +
> +Verify COFF symbol stringtab offset
> +
> +This patch addresses an issue with malformed/fuzzed debug information that
> +was recently reported in gdb/30639. That bug specifically deals with
> +an ASAN issue, but the reproducer provided by the reporter causes a
> +another failure outside of ASAN:
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
> +
> +CVE: CVE-2023-39129
> +
> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> +
> +diff --git a/gdb/coffread.c b/gdb/coffread.c
> +--- a/gdb/coffread.c
> ++++ b/gdb/coffread.c
> +@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
> + static file_ptr linetab_size;
> +
> + static char *stringtab = NULL;
> ++static long stringtab_length = 0;
> +
> + extern void stabsread_clear_cache (void);
> +
> +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
> +   /* This is in target format (probably not very useful, and not
> +      currently used), not host format.  */
> +   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
> ++  stringtab_length = length;
> +   if (length == sizeof length)        /* Empty table -- just the count.  */
> +     return 0;
> +
> +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
> +
> +   if (symbol_entry->_n._n_n._n_zeroes == 0)
> +     {
> +-      /* FIXME: Probably should be detecting corrupt symbol files by
> +-       seeing whether offset points to within the stringtab.  */
> ++      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
> ++      error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
> ++             symbol_entry->_n._n_n._n_offset, stringtab_length);
> +       result = stringtab + symbol_entry->_n._n_n._n_offset;
> +     }
> +   else
> --
> 2.43.0
>
>
>
>
>
>
>
> --
> # Randy MacLeod
> # Wind River Linux
Deepthi H Feb. 8, 2024, 10:44 a.m. UTC | #4

From: Steve Sakoman<mailto:steve@sakoman.com>
Sent: Friday, February 2, 2024 10:04 PM
To: MacLeod, Randy<mailto:Randy.MacLeod@windriver.com>
Cc: Hemraj, Deepthi<mailto:Deepthi.Hemraj@windriver.com>; openembedded-core@lists.openembedded.org<mailto:openembedded-core@lists.openembedded.org>; rwmacleod@gmail.com<mailto:rwmacleod@gmail.com>; umesh.kalappa0@gmail.com<mailto:umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com<mailto:pgowda.cve@gmail.com>; shivams@gmail.com<mailto:shivams@gmail.com>; sundeep.kokkonda@gmail.com<mailto:sundeep.kokkonda@gmail.com>
Subject: Re: [OE-core] [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129


On Fri, Feb 2, 2024 at 6:14 AM Randy MacLeod
<randy.macleod@windriver.com> wrote:
>
> On 2024-02-02 10:57 a.m., Steve Sakoman via lists.openembedded.org wrote:
>
> On Fri, Feb 2, 2024 at 2:01 AM Hemraj, Deepthi via
> lists.openembedded.org
> <Deepthi.Hemraj=windriver.com@lists.openembedded.org> wrote:
>
> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>
> Issue: LIN1022-4854
>
> Please don't include internal windriver issue designators.
>
> Agreed. Please only add those if needed when doing WR reviews.
>
> Also, please send your initial submission without a version number.
> If you need to resubmit, add a version number and include a comment
> after the --- line below indicating what has changed. Otherwise I am
> left to puzzle out which patch you intended I should take.
>
>
>
> I have fixed this, so no need to resubmit this time.
>
> Thanks Steve.
>
> Also there are two threads with the same git shortlog / email subject:
>    [OE-core] [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129
>
>
>
> This is the second one and the first was:
>   https://lists.openembedded.org/g/openembedded-core/message/194789
> I'll reply there to ask you to change the git shortlog.
>
>
> I'm a bit concerned about the fix since the last comment in:
>
>    https://sourceware.org/bugzilla/show_bug.cgi?id=30640
>
> says:
>    " Fixed by 58abdf88782 (and follow-up patches from mjw). "
>
> Deepthi,
> What can you find out about the "follow-up" patches?
>
> I suspect that we won't need to revert this commit but that there
> may be more work to be done.
>
> Steve, will you keep what you have from this commit in your tree?

Yes, I will keep it in -nut for now (assuming it passes autobuilder testing)

Steve

>
> ../Randy
>
>
> Thanks,
>
> Steve

Hi Randy,

>>    " Fixed by 58abdf88782 (and follow-up patches from mjw). "
>>
>> Deepthi,
>> What can you find out about the "follow-up" patches?

Based on your comments on the follow-up patches from mjw (LIN1022-5854), these two patches were found.
https://github.com/TOUCHTHEARTWORK/binutils/commit/91df9a6f810bca02883dae9275715b4960ea02f0
https://github.com/TOUCHTHEARTWORK/binutils/commit/a6ce491c3d926650407927a338d9678ca983bee4

However, these patches modify the error messages and do not have any effect on the code. Hence they don't seem to be relevant for us.

Thank you,
Deepthi H

>
> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> ---
>  meta/recipes-devtools/gdb/gdb.inc             |  1 +
>  .../gdb/gdb/0012-CVE-2023-39129.patch         | 50 +++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
>
> diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
> index 099bd2d8f5..ad2b3ad4b7 100644
> --- a/meta/recipes-devtools/gdb/gdb.inc
> +++ b/meta/recipes-devtools/gdb/gdb.inc
> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
>             file://0009-Fix-invalid-sigprocmask-call.patch \
>             file://0010-gdbserver-ctrl-c-handling.patch \
>             file://0011-CVE-2023-39128.patch \
> +          file://0012-CVE-2023-39129.patch \
>             "
>  SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
> diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> new file mode 100644
> index 0000000000..63fb44d59a
> --- /dev/null
> +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
> @@ -0,0 +1,50 @@
> +From: Keith Seitz <keiths@...>
> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
> +Subject: Verify COFF symbol stringtab offset
> +X-Git-Tag: gdb-14-branchpoint~473
> +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
> +
> +Verify COFF symbol stringtab offset
> +
> +This patch addresses an issue with malformed/fuzzed debug information that
> +was recently reported in gdb/30639. That bug specifically deals with
> +an ASAN issue, but the reproducer provided by the reporter causes a
> +another failure outside of ASAN:
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
> +
> +CVE: CVE-2023-39129
> +
> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> +
> +diff --git a/gdb/coffread.c b/gdb/coffread.c
> +--- a/gdb/coffread.c
> ++++ b/gdb/coffread.c
> +@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
> + static file_ptr linetab_size;
> +
> + static char *stringtab = NULL;
> ++static long stringtab_length = 0;
> +
> + extern void stabsread_clear_cache (void);
> +
> +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
> +   /* This is in target format (probably not very useful, and not
> +      currently used), not host format.  */
> +   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
> ++  stringtab_length = length;
> +   if (length == sizeof length)        /* Empty table -- just the count.  */
> +     return 0;
> +
> +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
> +
> +   if (symbol_entry->_n._n_n._n_zeroes == 0)
> +     {
> +-      /* FIXME: Probably should be detecting corrupt symbol files by
> +-       seeing whether offset points to within the stringtab.  */
> ++      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
> ++      error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
> ++             symbol_entry->_n._n_n._n_offset, stringtab_length);
> +       result = stringtab + symbol_entry->_n._n_n._n_offset;
> +     }
> +   else
> --
> 2.43.0
>
>
>
>
>
>
>
> --
> # Randy MacLeod
> # Wind River Linux
Randy MacLeod Feb. 14, 2024, 12:58 a.m. UTC | #5
On 2024-02-08 5:44 a.m., Hemraj, Deepthi wrote:
>
> Hi Randy,
>
> >>    " Fixed by 58abdf88782 (and follow-up patches from mjw). "
> >>
> >> Deepthi,
> >> What can you find out about the "follow-up" patches?
>
> Based on your comments on the follow-up patches from mjw 
> (LIN1022-5854), these two patches were found.
>
> https://github.com/TOUCHTHEARTWORK/binutils/commit/91df9a6f810bca02883dae9275715b4960ea02f0
>
> https://github.com/TOUCHTHEARTWORK/binutils/commit/a6ce491c3d926650407927a338d9678ca983bee4
>
> However, these patches modify the error messages and do not have
> any effect on the code. Hence they don't seem to be relevant for us.
>
Okay, thanks for checking. It seems there are no additional commits, and
Steve has merged the fix to kirkstone, so we're done!

../Randy


> Thank you,
>
> Deepthi H
>

Patch

diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index 099bd2d8f5..ad2b3ad4b7 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -15,5 +15,6 @@  SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
            file://0009-Fix-invalid-sigprocmask-call.patch \
            file://0010-gdbserver-ctrl-c-handling.patch \
            file://0011-CVE-2023-39128.patch \
+	   file://0012-CVE-2023-39129.patch \
            "
 SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
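Review bot: the added entry `+	   file://0012-CVE-2023-39129.patch \` is indented with a tab followed by spaces, while the neighbouring `file://0009`, `0010` and `0011` entries in the same SRC_URI list use spaces only; please match the existing space indentation so the list stays aligned and later diffs against it stay clean.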
diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
new file mode 100644
index 0000000000..63fb44d59a
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
@@ -0,0 +1,50 @@ 
+From: Keith Seitz <keiths@...>
+Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
+Subject: Verify COFF symbol stringtab offset
+X-Git-Tag: gdb-14-branchpoint~473
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
+
+Verify COFF symbol stringtab offset
+
+This patch addresses an issue with malformed/fuzzed debug information that
+was recently reported in gdb/30639. That bug specifically deals with
+an ASAN issue, but the reproducer provided by the reporter causes a
+another failure outside of ASAN:
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
+
+CVE: CVE-2023-39129
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
+ static file_ptr linetab_size;
+ 
+ static char *stringtab = NULL;
++static long stringtab_length = 0;
+ 
+ extern void stabsread_clear_cache (void);
+ 
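Review bot: the backported description stops mid-sentence at `an ASAN issue, but the reproducer provided by the reporter causes a / another failure outside of ASAN:`, so the failure the upstream author was about to show never appears and the `Upstream-Status:` and `CVE:` tags hang off a dangling colon; either carry over the rest of the upstream commit text or close the paragraph before the tags (the stray `a another` can be fixed at the same time). The hunk headers also show that upstream 58abdf88 changed line counts elsewhere in coffread.c (`@@ -159,6 +160,7 @@` here, `@@ -1303,6 +1298,7 @@` below) that this backport does not carry; a sentence in the Upstream-Status note saying which part of the upstream commit was dropped, and why, would save the next reviewer from re-deriving it.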
+@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
+   /* This is in target format (probably not very useful, and not
+      currently used), not host format.  */
+   memcpy (stringtab, lengthbuf, sizeof lengthbuf);
++  stringtab_length = length;
+   if (length == sizeof length)	/* Empty table -- just the count.  */
+     return 0;
+ 
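Review bot: `stringtab_length = length;` is only reached after the count word has been copied into the freshly read table, so any return from init_stringtab before this point leaves the file-scope `stringtab_length` holding the value from the previously read object file; since getsymname compares against nothing but `stringtab_length`, consider resetting it to 0 at the start of init_stringtab so a failed or skipped read cannot leave a stale bound in place.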
+@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
+ 
+   if (symbol_entry->_n._n_n._n_zeroes == 0)
+     {
+-      /* FIXME: Probably should be detecting corrupt symbol files by
+-	 seeing whether offset points to within the stringtab.  */
++      if (symbol_entry->_n._n_n._n_offset > stringtab_length)
++	error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
++	       symbol_entry->_n._n_n._n_offset, stringtab_length);
+       result = stringtab + symbol_entry->_n._n_n._n_offset;
+     }
+   else
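Review bot: the bounds test `symbol_entry->_n._n_n._n_offset > stringtab_length` still admits an offset exactly equal to `stringtab_length`, and `stringtab + stringtab_length` is already one past the table; COFF string tables are NUL-terminated, so the largest valid offset is `stringtab_length - 1` and `>=` is the comparison that matches the error message "outside string table". Two other edge values also pass: both operands are printed with `%ld`, i.e. they are signed, so a negative `_n_offset` is not rejected and would index before the table, and an offset smaller than `sizeof length` (the count word that init_stringtab copies into the head of the table, per the `Empty table -- just the count` check above) points into the length field rather than at a string. A check of the form `if (symbol_entry->_n._n_n._n_offset < (long) sizeof length || symbol_entry->_n._n_n._n_offset >= stringtab_length)` would cover all three cases with the same error path.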