
[kirkstone] gdb: Fix CVE-2023-39130

Message ID 20231218074103.2583708-1-sanjana.venkatesh@windriver.com
State New, archived
Delegated to: Steve Sakoman
Series [kirkstone] gdb: Fix CVE-2023-39130 | expand

Commit Message

Sanjana.Venkatesh@windriver.com Dec. 18, 2023, 7:41 a.m. UTC
From: Sanjana <sanjana.venkatesh@windriver.com>

Issue: LIN1022-4855

Signed-off-by: Sanjana <sanjana.venkatesh@windriver.com>
---
 meta/recipes-devtools/gdb/gdb.inc             |   1 +
 .../gdb/gdb/0013-CVE-2023-39130.patch         | 328 ++++++++++++++++++
 2 files changed, 329 insertions(+)
 create mode 100644 meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch

Comments

Steve Sakoman Dec. 18, 2023, 3:49 p.m. UTC | #1
This patch doesn't seem to take into account your previous fix for
CVE-2023-39129

I modified this patch to apply it after your CVE-2023-39129 fix, and
there seem to be conflicts:

ERROR: gdb-cross-x86_64-11.2-r0 do_patch: Applying patch
'0013-CVE-2023-39130.patch' on target directory
'/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/x86_64-linux/gdb-cross-x86_64/11.2-r0/gdb-11.2'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/x86_64-linux/gdb-cross-x86_64/11.2-r0/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch 0013-CVE-2023-39130.patch
patching file gdb/coff-pe-read.c
Hunk #1 FAILED at 254.
Hunk #2 succeeded at 323 (offset 37 lines).
Hunk #3 succeeded at 376 (offset 41 lines).
Hunk #4 FAILED at 387.
Hunk #5 FAILED at 433.
Hunk #6 FAILED at 481.
Hunk #7 FAILED at 639.
5 out of 7 hunks FAILED -- rejects in file gdb/coff-pe-read.c
patching file gdb/coffread.c
Hunk #1 succeeded at 691 (offset -20 lines).
Hunk #2 FAILED at 805.
Hunk #3 FAILED at 1306.
2 out of 3 hunks FAILED -- rejects in file gdb/coffread.c
patching file gdb/dbxread.c
Hunk #1 succeeded at 812 (offset 3 lines).
Hunk #2 FAILED at 2156.
1 out of 2 hunks FAILED -- rejects in file gdb/dbxread.c
patching file gdb/xcoffread.c
Hunk #1 FAILED at 779.
1 out of 1 hunk FAILED -- rejects in file gdb/xcoffread.c
Patch 0013-CVE-2023-39130.patch does not apply (enforce with -f)

I'm going to remove both patches from my test queue.  Please submit a
V2 as a patch series including both fixes.

Thanks,

Steve

On Sun, Dec 17, 2023 at 9:41 PM Sanjana.Venkatesh via
lists.openembedded.org
<Sanjana.Venkatesh=windriver.com@lists.openembedded.org> wrote:
>
> From: Sanjana <sanjana.venkatesh@windriver.com>
>
> Issue: LIN1022-4855
>
> Signed-off-by: Sanjana <sanjana.venkatesh@windriver.com>
> ---
>  meta/recipes-devtools/gdb/gdb.inc             |   1 +
>  .../gdb/gdb/0013-CVE-2023-39130.patch         | 328 ++++++++++++++++++
>  2 files changed, 329 insertions(+)
>  create mode 100644 meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
>
> diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
> index 099bd2d8f5..62b813d5cb 100644
> --- a/meta/recipes-devtools/gdb/gdb.inc
> +++ b/meta/recipes-devtools/gdb/gdb.inc
> @@ -15,5 +15,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
>             file://0009-Fix-invalid-sigprocmask-call.patch \
>             file://0010-gdbserver-ctrl-c-handling.patch \
>             file://0011-CVE-2023-39128.patch \
> +           file://0013-CVE-2023-39130.patch \
>             "
>  SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
> diff --git a/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
> new file mode 100644
> index 0000000000..9cf6645c58
> --- /dev/null
> +++ b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
> @@ -0,0 +1,328 @@
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 9 Aug 2023 00:28:36 +0000 (+0930)
> +Subject: gdb: warn unused result for bfd IO functions
> +X-Git-Tag: gdb-14-branchpoint~669
> +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80
> +
> +gdb: warn unused result for bfd IO functions
> +
> +This fixes the compilation warnings introduced by my bfdio.c patch.
> +
> +The removed bfd_seeks in coff_symfile_read date back to 1994, commit
> +7f4c859520, prior to which the file used stdio rather than bfd to read
> +symbols.  Since it now uses bfd to read the file there should be no
> +need to synchronise to bfd's idea of the file position.  I also fixed
> +a potential uninitialised memory access.
> +
> +Approved-By: Andrew Burgess <aburgess@redhat.com>
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80]
> +
> +CVE: CVE-2023-39130
> +
> +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
> +
> +---
> +
> +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
> +index b82b43c84cf..0d76ebdbfce 100644
> +--- a/gdb/coff-pe-read.c
> ++++ b/gdb/coff-pe-read.c
> +@@ -254,23 +254,31 @@ read_pe_truncate_name (char *dll_name)
> +
> + /* Low-level support functions, direct from the ld module pe-dll.c.  */
> + static unsigned int
> +-pe_get16 (bfd *abfd, int where)
> ++pe_get16 (bfd *abfd, int where, bool *fail)
> + {
> +   unsigned char b[2];
> +
> +-  bfd_seek (abfd, (file_ptr) where, SEEK_SET);
> +-  bfd_read (b, (bfd_size_type) 2, abfd);
> ++  if (bfd_seek (abfd, where, SEEK_SET) != 0
> ++      || bfd_read (b, 2, abfd) != 2)
> ++    {
> ++      *fail = true;
> ++      return 0;
> ++    }
> +   return b[0] + (b[1] << 8);
> + }
> +
> + static unsigned int
> +-pe_get32 (bfd *abfd, int where)
> ++pe_get32 (bfd *abfd, int where, bool *fail)
> + {
> +   unsigned char b[4];
> +
> +-  bfd_seek (abfd, (file_ptr) where, SEEK_SET);
> +-  bfd_read (b, (bfd_size_type) 4, abfd);
> +-  return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
> ++  if (bfd_seek (abfd, where, SEEK_SET) != 0
> ++      || bfd_read (b, 4, abfd) != 4)
> ++    {
> ++      *fail = true;
> ++      return 0;
> ++    }
> ++  return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
> + }
> +
> + static unsigned int
> +@@ -286,7 +294,7 @@ pe_as32 (void *ptr)
> + {
> +   unsigned char *b = (unsigned char *) ptr;
> +
> +-  return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
> ++  return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
> + }
> +
> + /* Read the (non-debug) export symbol table from a portable
> +@@ -335,37 +343,50 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> +            || strcmp (target, "pei-i386") == 0
> +            || strcmp (target, "pe-arm-wince-little") == 0
> +            || strcmp (target, "pei-arm-wince-little") == 0);
> ++
> ++  /* Possibly print a debug message about DLL not having a valid format.  */
> ++  auto maybe_print_debug_msg = [&] () -> void {
> ++    if (debug_coff_pe_read)
> ++      gdb_printf (gdb_stdlog, _("%s doesn't appear to be a DLL\n"),
> ++                bfd_get_filename (dll));
> ++  };
> ++
> +   if (!is_pe32 && !is_pe64)
> +-    {
> +-      /* This is not a recognized PE format file.  Abort now, because
> +-       the code is untested on anything else.  *FIXME* test on
> +-       further architectures and loosen or remove this test.  */
> +-      return;
> +-    }
> ++    return maybe_print_debug_msg ();
> +
> +   /* Get pe_header, optional header and numbers of export entries.  */
> +-  pe_header_offset = pe_get32 (dll, 0x3c);
> ++  bool fail = false;
> ++  pe_header_offset = pe_get32 (dll, 0x3c, &fail);
> ++  if (fail)
> ++    return maybe_print_debug_msg ();
> +   opthdr_ofs = pe_header_offset + 4 + 20;
> +   if (is_pe64)
> +-    num_entries = pe_get32 (dll, opthdr_ofs + 108);
> ++    num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail);
> +   else
> +-    num_entries = pe_get32 (dll, opthdr_ofs + 92);
> ++    num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail);
> ++  if (fail)
> ++    return maybe_print_debug_msg ();
> +
> +   if (num_entries < 1)                /* No exports.  */
> +     return;
> +   if (is_pe64)
> +     {
> +-      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112);
> +-      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116);
> ++      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail);
> ++      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail);
> +     }
> +   else
> +     {
> +-      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96);
> +-      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100);
> ++      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail);
> ++      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail);
> +     }
> +-  nsections = pe_get16 (dll, pe_header_offset + 4 + 2);
> ++  if (fail)
> ++    return maybe_print_debug_msg ();
> ++
> ++  nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail);
> +   secptr = (pe_header_offset + 4 + 20 +
> +-          pe_get16 (dll, pe_header_offset + 4 + 16));
> ++          pe_get16 (dll, pe_header_offset + 4 + 16, &fail));
> ++  if (fail)
> ++    return maybe_print_debug_msg ();
> +   expptr = 0;
> +   export_size = 0;
> +
> +@@ -374,12 +395,13 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> +     {
> +       char sname[8];
> +       unsigned long secptr1 = secptr + 40 * i;
> +-      unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
> +-      unsigned long vsize = pe_get32 (dll, secptr1 + 16);
> +-      unsigned long fptr = pe_get32 (dll, secptr1 + 20);
> ++      unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
> ++      unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail);
> ++      unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail);
> +
> +-      bfd_seek (dll, (file_ptr) secptr1, SEEK_SET);
> +-      bfd_read (sname, (bfd_size_type) sizeof (sname), dll);
> ++      if (fail
> ++        || bfd_seek (dll, secptr1, SEEK_SET) != 0
> ++        || bfd_read (sname, sizeof (sname), dll) != sizeof (sname))
> +
> +       if ((strcmp (sname, ".edata") == 0)
> +         || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize))
> +@@ -420,16 +442,18 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> +   for (i = 0; i < nsections; i++)
> +     {
> +       unsigned long secptr1 = secptr + 40 * i;
> +-      unsigned long vsize = pe_get32 (dll, secptr1 + 8);
> +-      unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
> +-      unsigned long characteristics = pe_get32 (dll, secptr1 + 36);
> ++      unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail);
> ++      unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
> ++      unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail);
> +       char sec_name[SCNNMLEN + 1];
> +       int sectix;
> +       unsigned int bfd_section_index;
> +       asection *section;
> +
> +-      bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET);
> +-      bfd_read (sec_name, (bfd_size_type) SCNNMLEN, dll);
> ++      if (fail
> ++        || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0
> ++        || bfd_read (sec_name, SCNNMLEN, dll) != SCNNMLEN)
> ++      return maybe_print_debug_msg ();
> +       sec_name[SCNNMLEN] = '\0';
> +
> +       sectix = read_pe_section_index (sec_name);
> +@@ -468,8 +492,9 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
> +   gdb::def_vector<unsigned char> expdata_storage (export_size);
> +   expdata = expdata_storage.data ();
> +
> +-  bfd_seek (dll, (file_ptr) expptr, SEEK_SET);
> +-  bfd_read (expdata, (bfd_size_type) export_size, dll);
> ++  if (bfd_seek (dll, expptr, SEEK_SET) != 0
> ++      || bfd_read (expdata, export_size, dll) != export_size)
> ++    return maybe_print_debug_msg ();
> +   erva = expdata - export_rva;
> +
> +   nexp = pe_as32 (expdata + 24);
> +@@ -626,20 +651,27 @@ pe_text_section_offset (struct bfd *abfd)
> +     }
> +
> +   /* Get pe_header, optional header and numbers of sections.  */
> +-  pe_header_offset = pe_get32 (abfd, 0x3c);
> +-  nsections = pe_get16 (abfd, pe_header_offset + 4 + 2);
> ++  bool fail = false;
> ++  pe_header_offset = pe_get32 (abfd, 0x3c, &fail);
> ++  if (fail)
> ++    return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> ++  nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail);
> +   secptr = (pe_header_offset + 4 + 20 +
> +-          pe_get16 (abfd, pe_header_offset + 4 + 16));
> ++          pe_get16 (abfd, pe_header_offset + 4 + 16, &fail));
> ++  if (fail)
> ++    return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> +
> +   /* Get the rva and size of the export section.  */
> +   for (i = 0; i < nsections; i++)
> +     {
> +       char sname[SCNNMLEN + 1];
> +       unsigned long secptr1 = secptr + 40 * i;
> +-      unsigned long vaddr = pe_get32 (abfd, secptr1 + 12);
> ++      unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail);
> +
> +-      bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET);
> +-      bfd_read (sname, (bfd_size_type) SCNNMLEN, abfd);
> ++      if (fail
> ++        || bfd_seek (abfd, secptr1, SEEK_SET) != 0
> ++        || bfd_read (sname, SCNNMLEN, abfd) != SCNNMLEN)
> ++      return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
> +       sname[SCNNMLEN] = '\0';
> +       if (strcmp (sname, ".text") == 0)
> +       return vaddr;
> +diff --git a/gdb/coffread.c b/gdb/coffread.c
> +index 583db6bceb0..6a995ae2241 100644
> +--- a/gdb/coffread.c
> ++++ b/gdb/coffread.c
> +@@ -711,8 +711,6 @@ coff_symfile_read (struct objfile *objfile, symfile_add_flags symfile_flags)
> +
> +       /* FIXME: dubious.  Why can't we use something normal like
> +        bfd_get_section_contents?  */
> +-      bfd_seek (abfd, abfd->where, 0);
> +-
> +       stabstrsize = bfd_section_size (info->stabstrsect);
> +
> +       coffstab_build_psymtabs (objfile,
> +@@ -807,22 +805,6 @@ coff_symtab_read (minimal_symbol_reader &reader,
> +
> +   scoped_free_pendings free_pending;
> +
> +-  /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous....
> +-     it's hard to know I've really worked around it.  The fix should
> +-     be harmless, anyway).  The symptom of the bug is that the first
> +-     fread (in read_one_sym), will (in my example) actually get data
> +-     from file offset 268, when the fseek was to 264 (and ftell shows
> +-     264).  This causes all hell to break loose.  I was unable to
> +-     reproduce this on a short test program which operated on the same
> +-     file, performing (I think) the same sequence of operations.
> +-
> +-     It stopped happening when I put in this (former) rewind().
> +-
> +-     FIXME: Find out if this has been reported to Sun, whether it has
> +-     been fixed in a later release, etc.  */
> +-
> +-  bfd_seek (objfile->obfd.get (), 0, 0);
> +-
> +   /* Position to read the symbol table.  */
> +   val = bfd_seek (objfile->obfd.get (), symtab_offset, 0);
> +   if (val < 0)
> +@@ -1308,12 +1290,13 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
> +   if (bfd_seek (abfd, offset, 0) < 0)
> +     return -1;
> +
> +-  val = bfd_read ((char *) lengthbuf, sizeof lengthbuf, abfd);
> +-  length = bfd_h_get_32 (symfile_bfd, lengthbuf);
> +-
> ++  val = bfd_read (lengthbuf, sizeof lengthbuf, abfd);
> +   /* If no string table is needed, then the file may end immediately
> +      after the symbols.  Just return with `stringtab' set to null.  */
> +-  if (val != sizeof lengthbuf || length < sizeof lengthbuf)
> ++  if (val != sizeof lengthbuf)
> ++    return 0;
> ++  length = bfd_h_get_32 (symfile_bfd, lengthbuf);
> ++  if (length < sizeof lengthbuf)
> +     return 0;
> +
> +   storage->reset ((char *) xmalloc (length));
> +diff --git a/gdb/dbxread.c b/gdb/dbxread.c
> +index 75bbd510155..ddc61d9d539 100644
> +--- a/gdb/dbxread.c
> ++++ b/gdb/dbxread.c
> +@@ -809,7 +809,8 @@ stabs_seek (int sym_offset)
> +       symbuf_left -= sym_offset;
> +     }
> +   else
> +-    bfd_seek (symfile_bfd, sym_offset, SEEK_CUR);
> ++    if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0)
> ++      perror_with_name (bfd_get_filename (symfile_bfd));
> + }
> +
> + #define INTERNALIZE_SYMBOL(intern, extern, abfd)                      \
> +@@ -2155,8 +2156,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, struct objfile *objfile)
> +       symbol_size = SYMBOL_SIZE (pst);
> +
> +       /* Read in this file's symbols.  */
> +-      bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET);
> +-      read_ofile_symtab (objfile, pst);
> ++      if (bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET) == 0)
> ++      read_ofile_symtab (objfile, pst);
> +     }
> +
> +   pst->readin = true;
> +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c
> +index 8ce4b28d133..63eb538ca05 100644
> +--- a/gdb/xcoffread.c
> ++++ b/gdb/xcoffread.c
> +@@ -779,8 +779,9 @@ enter_line_range (struct subfile *subfile, unsigned beginoffset,
> +
> +   while (curoffset <= limit_offset)
> +     {
> +-      bfd_seek (abfd, curoffset, SEEK_SET);
> +-      bfd_read (ext_lnno, linesz, abfd);
> ++      if (bfd_seek (abfd, curoffset, SEEK_SET) != 0
> ++        || bfd_read (ext_lnno, linesz, abfd) != linesz)
> ++      return;
> +       bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno);
> +
> +       /* Find the address this line represents.  */
> --
> 2.42.0
>
>
>

Patch

diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index 099bd2d8f5..62b813d5cb 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -15,5 +15,6 @@  SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
            file://0009-Fix-invalid-sigprocmask-call.patch \
            file://0010-gdbserver-ctrl-c-handling.patch \
            file://0011-CVE-2023-39128.patch \
+           file://0013-CVE-2023-39130.patch \
            "
 SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
diff --git a/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
new file mode 100644
index 0000000000..9cf6645c58
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
@@ -0,0 +1,328 @@ 
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Aug 2023 00:28:36 +0000 (+0930)
+Subject: gdb: warn unused result for bfd IO functions
+X-Git-Tag: gdb-14-branchpoint~669
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80
+
+gdb: warn unused result for bfd IO functions
+
+This fixes the compilation warnings introduced by my bfdio.c patch.
+
+The removed bfd_seeks in coff_symfile_read date back to 1994, commit
+7f4c859520, prior to which the file used stdio rather than bfd to read
+symbols.  Since it now uses bfd to read the file there should be no
+need to synchronise to bfd's idea of the file position.  I also fixed
+a potential uninitialised memory access.
+
+Approved-By: Andrew Burgess <aburgess@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80]
+
+CVE: CVE-2023-39130
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
+index b82b43c84cf..0d76ebdbfce 100644
+--- a/gdb/coff-pe-read.c
++++ b/gdb/coff-pe-read.c
+@@ -254,23 +254,31 @@ read_pe_truncate_name (char *dll_name)
+ 
+ /* Low-level support functions, direct from the ld module pe-dll.c.  */
+ static unsigned int
+-pe_get16 (bfd *abfd, int where)
++pe_get16 (bfd *abfd, int where, bool *fail)
+ {
+   unsigned char b[2];
+ 
+-  bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+-  bfd_read (b, (bfd_size_type) 2, abfd);
++  if (bfd_seek (abfd, where, SEEK_SET) != 0
++      || bfd_read (b, 2, abfd) != 2)
++    {
++      *fail = true;
++      return 0;
++    }
+   return b[0] + (b[1] << 8);
+ }
+ 
+ static unsigned int
+-pe_get32 (bfd *abfd, int where)
++pe_get32 (bfd *abfd, int where, bool *fail)
+ {
+   unsigned char b[4];
+ 
+-  bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+-  bfd_read (b, (bfd_size_type) 4, abfd);
+-  return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++  if (bfd_seek (abfd, where, SEEK_SET) != 0
++      || bfd_read (b, 4, abfd) != 4)
++    {
++      *fail = true;
++      return 0;
++    }
++  return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+ 
+ static unsigned int
+@@ -286,7 +294,7 @@ pe_as32 (void *ptr)
+ {
+   unsigned char *b = (unsigned char *) ptr;
+ 
+-  return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++  return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+ 
+ /* Read the (non-debug) export symbol table from a portable
+@@ -335,37 +343,50 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+ 	     || strcmp (target, "pei-i386") == 0
+ 	     || strcmp (target, "pe-arm-wince-little") == 0
+ 	     || strcmp (target, "pei-arm-wince-little") == 0);
++
++  /* Possibly print a debug message about DLL not having a valid format.  */
++  auto maybe_print_debug_msg = [&] () -> void {
++    if (debug_coff_pe_read)
++      gdb_printf (gdb_stdlog, _("%s doesn't appear to be a DLL\n"),
++		  bfd_get_filename (dll));
++  };
++
+   if (!is_pe32 && !is_pe64)
+-    {
+-      /* This is not a recognized PE format file.  Abort now, because
+-	 the code is untested on anything else.  *FIXME* test on
+-	 further architectures and loosen or remove this test.  */
+-      return;
+-    }
++    return maybe_print_debug_msg ();
+ 
+   /* Get pe_header, optional header and numbers of export entries.  */
+-  pe_header_offset = pe_get32 (dll, 0x3c);
++  bool fail = false;
++  pe_header_offset = pe_get32 (dll, 0x3c, &fail);
++  if (fail)
++    return maybe_print_debug_msg ();
+   opthdr_ofs = pe_header_offset + 4 + 20;
+   if (is_pe64)
+-    num_entries = pe_get32 (dll, opthdr_ofs + 108);
++    num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail);
+   else
+-    num_entries = pe_get32 (dll, opthdr_ofs + 92);
++    num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail);
++  if (fail)
++    return maybe_print_debug_msg ();
+ 
+   if (num_entries < 1)		/* No exports.  */
+     return;
+   if (is_pe64)
+     {
+-      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112);
+-      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116);
++      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail);
++      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail);
+     }
+   else
+     {
+-      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96);
+-      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100);
++      export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail);
++      export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail);
+     }
+-  nsections = pe_get16 (dll, pe_header_offset + 4 + 2);
++  if (fail)
++    return maybe_print_debug_msg ();
++
++  nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail);
+   secptr = (pe_header_offset + 4 + 20 +
+-	    pe_get16 (dll, pe_header_offset + 4 + 16));
++	    pe_get16 (dll, pe_header_offset + 4 + 16, &fail));
++  if (fail)
++    return maybe_print_debug_msg ();
+   expptr = 0;
+   export_size = 0;
+ 
+@@ -374,12 +395,13 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+     {
+       char sname[8];
+       unsigned long secptr1 = secptr + 40 * i;
+-      unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+-      unsigned long vsize = pe_get32 (dll, secptr1 + 16);
+-      unsigned long fptr = pe_get32 (dll, secptr1 + 20);
++      unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++      unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail);
++      unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail);
+ 
+-      bfd_seek (dll, (file_ptr) secptr1, SEEK_SET);
+-      bfd_read (sname, (bfd_size_type) sizeof (sname), dll);
++      if (fail
++	  || bfd_seek (dll, secptr1, SEEK_SET) != 0
++	  || bfd_read (sname, sizeof (sname), dll) != sizeof (sname))
+ 
+       if ((strcmp (sname, ".edata") == 0)
+ 	  || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize))
+@@ -420,16 +442,18 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+   for (i = 0; i < nsections; i++)
+     {
+       unsigned long secptr1 = secptr + 40 * i;
+-      unsigned long vsize = pe_get32 (dll, secptr1 + 8);
+-      unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+-      unsigned long characteristics = pe_get32 (dll, secptr1 + 36);
++      unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail);
++      unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++      unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail);
+       char sec_name[SCNNMLEN + 1];
+       int sectix;
+       unsigned int bfd_section_index;
+       asection *section;
+ 
+-      bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET);
+-      bfd_read (sec_name, (bfd_size_type) SCNNMLEN, dll);
++      if (fail
++	  || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0
++	  || bfd_read (sec_name, SCNNMLEN, dll) != SCNNMLEN)
++	return maybe_print_debug_msg ();
+       sec_name[SCNNMLEN] = '\0';
+ 
+       sectix = read_pe_section_index (sec_name);
+@@ -468,8 +492,9 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
+   gdb::def_vector<unsigned char> expdata_storage (export_size);
+   expdata = expdata_storage.data ();
+ 
+-  bfd_seek (dll, (file_ptr) expptr, SEEK_SET);
+-  bfd_read (expdata, (bfd_size_type) export_size, dll);
++  if (bfd_seek (dll, expptr, SEEK_SET) != 0
++      || bfd_read (expdata, export_size, dll) != export_size)
++    return maybe_print_debug_msg ();
+   erva = expdata - export_rva;
+ 
+   nexp = pe_as32 (expdata + 24);
+@@ -626,20 +651,27 @@ pe_text_section_offset (struct bfd *abfd)
+     }
+ 
+   /* Get pe_header, optional header and numbers of sections.  */
+-  pe_header_offset = pe_get32 (abfd, 0x3c);
+-  nsections = pe_get16 (abfd, pe_header_offset + 4 + 2);
++  bool fail = false;
++  pe_header_offset = pe_get32 (abfd, 0x3c, &fail);
++  if (fail)
++    return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
++  nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail);
+   secptr = (pe_header_offset + 4 + 20 +
+-	    pe_get16 (abfd, pe_header_offset + 4 + 16));
++	    pe_get16 (abfd, pe_header_offset + 4 + 16, &fail));
++  if (fail)
++    return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+ 
+   /* Get the rva and size of the export section.  */
+   for (i = 0; i < nsections; i++)
+     {
+       char sname[SCNNMLEN + 1];
+       unsigned long secptr1 = secptr + 40 * i;
+-      unsigned long vaddr = pe_get32 (abfd, secptr1 + 12);
++      unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail);
+ 
+-      bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET);
+-      bfd_read (sname, (bfd_size_type) SCNNMLEN, abfd);
++      if (fail
++	  || bfd_seek (abfd, secptr1, SEEK_SET) != 0
++	  || bfd_read (sname, SCNNMLEN, abfd) != SCNNMLEN)
++	return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+       sname[SCNNMLEN] = '\0';
+       if (strcmp (sname, ".text") == 0)
+ 	return vaddr;
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+index 583db6bceb0..6a995ae2241 100644
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -711,8 +711,6 @@ coff_symfile_read (struct objfile *objfile, symfile_add_flags symfile_flags)
+ 
+       /* FIXME: dubious.  Why can't we use something normal like
+ 	 bfd_get_section_contents?  */
+-      bfd_seek (abfd, abfd->where, 0);
+-
+       stabstrsize = bfd_section_size (info->stabstrsect);
+ 
+       coffstab_build_psymtabs (objfile,
+@@ -807,22 +805,6 @@ coff_symtab_read (minimal_symbol_reader &reader,
+ 
+   scoped_free_pendings free_pending;
+ 
+-  /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous....
+-     it's hard to know I've really worked around it.  The fix should
+-     be harmless, anyway).  The symptom of the bug is that the first
+-     fread (in read_one_sym), will (in my example) actually get data
+-     from file offset 268, when the fseek was to 264 (and ftell shows
+-     264).  This causes all hell to break loose.  I was unable to
+-     reproduce this on a short test program which operated on the same
+-     file, performing (I think) the same sequence of operations.
+-
+-     It stopped happening when I put in this (former) rewind().
+-
+-     FIXME: Find out if this has been reported to Sun, whether it has
+-     been fixed in a later release, etc.  */
+-
+-  bfd_seek (objfile->obfd.get (), 0, 0);
+-
+   /* Position to read the symbol table.  */
+   val = bfd_seek (objfile->obfd.get (), symtab_offset, 0);
+   if (val < 0)
+@@ -1308,12 +1290,13 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
+   if (bfd_seek (abfd, offset, 0) < 0)
+     return -1;
+ 
+-  val = bfd_read ((char *) lengthbuf, sizeof lengthbuf, abfd);
+-  length = bfd_h_get_32 (symfile_bfd, lengthbuf);
+-
++  val = bfd_read (lengthbuf, sizeof lengthbuf, abfd);
+   /* If no string table is needed, then the file may end immediately
+      after the symbols.  Just return with `stringtab' set to null.  */
+-  if (val != sizeof lengthbuf || length < sizeof lengthbuf)
++  if (val != sizeof lengthbuf)
++    return 0;
++  length = bfd_h_get_32 (symfile_bfd, lengthbuf);
++  if (length < sizeof lengthbuf)
+     return 0;
+ 
+   storage->reset ((char *) xmalloc (length));
+diff --git a/gdb/dbxread.c b/gdb/dbxread.c
+index 75bbd510155..ddc61d9d539 100644
+--- a/gdb/dbxread.c
++++ b/gdb/dbxread.c
+@@ -809,7 +809,8 @@ stabs_seek (int sym_offset)
+       symbuf_left -= sym_offset;
+     }
+   else
+-    bfd_seek (symfile_bfd, sym_offset, SEEK_CUR);
++    if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0)
++      perror_with_name (bfd_get_filename (symfile_bfd));
+ }
+ 
+ #define INTERNALIZE_SYMBOL(intern, extern, abfd)			\
+@@ -2155,8 +2156,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, struct objfile *objfile)
+       symbol_size = SYMBOL_SIZE (pst);
+ 
+       /* Read in this file's symbols.  */
+-      bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET);
+-      read_ofile_symtab (objfile, pst);
++      if (bfd_seek (objfile->obfd.get (), SYMBOL_OFFSET (pst), SEEK_SET) == 0)
++	read_ofile_symtab (objfile, pst);
+     }
+ 
+   pst->readin = true;
+diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c
+index 8ce4b28d133..63eb538ca05 100644
+--- a/gdb/xcoffread.c
++++ b/gdb/xcoffread.c
+@@ -779,8 +779,9 @@ enter_line_range (struct subfile *subfile, unsigned beginoffset,
+ 
+   while (curoffset <= limit_offset)
+     {
+-      bfd_seek (abfd, curoffset, SEEK_SET);
+-      bfd_read (ext_lnno, linesz, abfd);
++      if (bfd_seek (abfd, curoffset, SEEK_SET) != 0
++	  || bfd_read (ext_lnno, linesz, abfd) != linesz)
++	return;
+       bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno);
+ 
+       /* Find the address this line represents.  */
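Review bot: The coff-pe-read.c hunk headed `@@ -374,12 +395,13 @@` is missing the `return maybe_print_debug_msg ();` that must follow the new three-line `if (fail || bfd_seek (dll, secptr1, SEEK_SET) != 0 || bfd_read (sname, sizeof (sname), dll) != sizeof (sname))`; as written the condition has no body of its own, so the following `if ((strcmp (sname, ".edata") == 0) ...)` statement becomes its body. That inverts the intent: a successful read skips the `.edata` section search entirely, and a failed seek or short read is exactly the case that proceeds to `strcmp` on the uninitialised `char sname[8]`, which is the uninitialised access this backport is meant to close. Add `return maybe_print_debug_msg ();` directly after the `bfd_read (sname, ...)` line, matching the sibling hunk at `+442`, and update the hunk header to `+395,14` so the patch applies; the enclosing `for` loop over sections starts before this hunk. Separately, the `+492` hunk now rejects a short read of the `export_size`-byte buffer, but nothing visible in this patch bounds `export_size` before `nexp = pe_as32 (expdata + 24)` reads offsets 24–27 of that buffer, so unless a minimum-size check exists earlier in `read_pe_exported_syms` a tiny export table still reads past the end of `expdata_storage`.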