Message ID | 20240202120735.3742584-1-Deepthi.Hemraj@windriver.com |
---|---|
State | Accepted, archived |
Commit | 67b62fd57d7073b42db2747227d07841d0d064e3 |
Delegated to: | Steve Sakoman |
Headers | show |
Series | [kirkstone,V3,1/2] gdb: Fix CVE-2023-39129 | expand |
On 2024-02-02 7:07 a.m., Hemraj, Deepthi via lists.openembedded.org wrote: > From: Deepthi Hemraj<Deepthi.Hemraj@windriver.com> > > Issue: LIN1022-4854 > > Signed-off-by: Deepthi Hemraj<Deepthi.Hemraj@windriver.com> > --- > .../binutils/binutils-2.38.inc | 1 + > .../binutils/0035-CVE-2023-39129.patch | 50 +++++++++++++++++++ > 2 files changed, 51 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc This commit fixes the version of gdb internal to binutils. I had forgotten that binutils carried a copy of gdb so it's good that you noticed but our binutils recipe disables compiling gdb or gdb-server: https://git.openembedded.org/openembedded-core/tree/meta/recipes-devtools/binutils/binutils_2.38.bb?h=kirkstone#n21 And from a mickledore build, it seems that we don't install an binary with gdb in it's name, as expected from the reicpe; ❯ fd gdb tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/ tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/gold/gdb-index.cc tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/gold/gdb-index.h tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/include/gdb tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/include/gdb/gdb-index.h Added Khem in case Steve isn't sure if we should be patching the internal gdb in binutils. I guess it won't do any harm but it is extra work that we could just avoid. If you need to re-submit, please do so with a proper shortlog: You have: [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129 It should be something like: [kirkstone][PATCH V3 1/2] binutils: internal gdb: Fix CVE-2023-39129 Thanks,
On Fri, Feb 2, 2024 at 6:38 AM Randy MacLeod via lists.openembedded.org <randy.macleod=windriver.com@lists.openembedded.org> wrote: > > On 2024-02-02 7:07 a.m., Hemraj, Deepthi via lists.openembedded.org wrote: > > From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > Issue: LIN1022-4854 > > Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > --- > .../binutils/binutils-2.38.inc | 1 + > .../binutils/0035-CVE-2023-39129.patch | 50 +++++++++++++++++++ > 2 files changed, 51 insertions(+) > create mode 100644 meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch > > diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc > > This commit fixes the version of gdb internal to binutils. > I had forgotten that binutils carried a copy of gdb so it's good that you noticed but > our binutils recipe disables compiling gdb or gdb-server: > > https://git.openembedded.org/openembedded-core/tree/meta/recipes-devtools/binutils/binutils_2.38.bb?h=kirkstone#n21 > > And from a mickledore build, it seems that we don't install an binary with gdb in it's name, as expected from the reicpe; > > ❯ fd gdb tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/ > tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/gold/gdb-index.cc > tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/gold/gdb-index.h > tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/include/gdb > tmp-glibc/work/core2-64-wrs-linux/binutils/2.40-r0/packages-split/binutils-src/usr/src/debug/binutils/2.40-r0/include/gdb/gdb-index.h > > > Added Khem in case Steve isn't sure if we should be patching the internal gdb in binutils. > I guess it won't do any harm but it is extra work that we could just avoid. > > > If you need to re-submit, please do so with a proper shortlog: > You have: > [kirkstone][PATCH V3 1/2] gdb: Fix CVE-2023-39129 > > It should be something like: > [kirkstone][PATCH V3 1/2] binutils: internal gdb: Fix CVE-2023-39129 Given the number of open issues with this patchset I'm going to drop this version and wait for a "V4" that addresses these issues. Steve
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 3787063cba..83dff20855 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -69,5 +69,6 @@ SRC_URI = "\ file://0032-CVE-2022-47010.patch \ file://0033-CVE-2022-47007.patch \ file://0034-CVE-2022-48064.patch \ + file://0035-CVE-2023-39129.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch new file mode 100644 index 0000000000..63fb44d59a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch @@ -0,0 +1,50 @@ +From: Keith Seitz <keiths@...> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700) +Subject: Verify COFF symbol stringtab offset +X-Git-Tag: gdb-14-branchpoint~473 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a + +Verify COFF symbol stringtab offset + +This patch addresses an issue with malformed/fuzzed debug information that +was recently reported in gdb/30639. That bug specifically deals with +an ASAN issue, but the reproducer provided by the reporter causes a +another failure outside of ASAN: + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a] + +CVE: CVE-2023-39129 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -159,6 +160,7 @@ static file_ptr linetab_offset; + static file_ptr linetab_size; + + static char *stringtab = NULL; ++static long stringtab_length = 0; + + extern void stabsread_clear_cache (void); + +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora + /* This is in target format (probably not very useful, and not + currently used), not host format. */ + memcpy (stringtab, lengthbuf, sizeof lengthbuf); ++ stringtab_length = length; + if (length == sizeof length) /* Empty table -- just the count. */ + return 0; + +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry) + + if (symbol_entry->_n._n_n._n_zeroes == 0) + { +- /* FIXME: Probably should be detecting corrupt symbol files by +- seeing whether offset points to within the stringtab. */ ++ if (symbol_entry->_n._n_n._n_offset > stringtab_length) ++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), ++ symbol_entry->_n._n_n._n_offset, stringtab_length); + result = stringtab + symbol_entry->_n._n_n._n_offset; + } + else