@@ -16,5 +16,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0010-gdbserver-ctrl-c-handling.patch \
file://0011-CVE-2023-39128.patch \
file://0012-CVE-2023-39129.patch \
+ file://0013-CVE-2023-39130.patch \
"
SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"
new file mode 100644
@@ -0,0 +1,326 @@
+From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Aug 2023 09:58:36 +0930
+Subject: [PATCH] gdb: warn unused result for bfd IO functions
+
+This fixes the compilation warnings introduced by my bfdio.c patch.
+
+The removed bfd_seeks in coff_symfile_read date back to 1994, commit
+7f4c859520, prior to which the file used stdio rather than bfd to read
+symbols. Since it now uses bfd to read the file there should be no
+need to synchronise to bfd's idea of the file position. I also fixed
+a potential uninitialised memory access.
+
+Approved-By: Andrew Burgess <aburgess@redhat.com>
+
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80]
+CVE: CVE-2023-39130
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+---
+ gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++----------------
+ gdb/coffread.c | 27 ++---------
+ gdb/dbxread.c | 7 +--
+ gdb/xcoffread.c | 5 +-
+ 4 files changed, 85 insertions(+), 68 deletions(-)
+
+diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
+--- a/gdb/coff-pe-read.c
++++ b/gdb/coff-pe-read.c
+@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name)
+
+ /* Low-level support functions, direct from the ld module pe-dll.c. */
+ static unsigned int
+-pe_get16 (bfd *abfd, int where)
++pe_get16 (bfd *abfd, int where, bool *fail)
+ {
+ unsigned char b[2];
+
+- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+- bfd_bread (b, (bfd_size_type) 2, abfd);
++ if (bfd_seek (abfd, where, SEEK_SET) != 0
++ || bfd_bread (b, 2, abfd) != 2)
++ {
++ *fail = true;
++ return 0;
++ }
+ return b[0] + (b[1] << 8);
+ }
+
+ static unsigned int
+-pe_get32 (bfd *abfd, int where)
++pe_get32 (bfd *abfd, int where, bool *fail)
+ {
+ unsigned char b[4];
+
+- bfd_seek (abfd, (file_ptr) where, SEEK_SET);
+- bfd_bread (b, (bfd_size_type) 4, abfd);
+- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++ if (bfd_seek (abfd, where, SEEK_SET) != 0
++ || bfd_bread (b, 4, abfd) != 4)
++ {
++ *fail = true;
++ return 0;
++ }
++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+
+ static unsigned int
+@@ -323,7 +331,7 @@ pe_as32 (void *ptr)
+ {
+ unsigned char *b = (unsigned char *) ptr;
+
+- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24);
++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24);
+ }
+
+ /* Read the (non-debug) export symbol table from a portable
+@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_re
+ || strcmp (target, "pei-i386") == 0
+ || strcmp (target, "pe-arm-wince-little") == 0
+ || strcmp (target, "pei-arm-wince-little") == 0);
++
++ /* Possibly print a debug message about DLL not having a valid format. */
++ auto maybe_print_debug_msg = [&] () -> void {
++ if (debug_coff_pe_read)
++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"),
++ bfd_get_filename (dll));
++ };
++
+ if (!is_pe32 && !is_pe64)
+- {
+- /* This is not a recognized PE format file. Abort now, because
+- the code is untested on anything else. *FIXME* test on
+- further architectures and loosen or remove this test. */
+- return;
+- }
++ return maybe_print_debug_msg ();
+
+ /* Get pe_header, optional header and numbers of export entries. */
+- pe_header_offset = pe_get32 (dll, 0x3c);
++ bool fail = false;
++ pe_header_offset = pe_get32 (dll, 0x3c, &fail);
++ if (fail)
++ return maybe_print_debug_msg ();
+ opthdr_ofs = pe_header_offset + 4 + 20;
+ if (is_pe64)
+- num_entries = pe_get32 (dll, opthdr_ofs + 108);
++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail);
+ else
+- num_entries = pe_get32 (dll, opthdr_ofs + 92);
++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail);
++ if (fail)
++ return maybe_print_debug_msg ();
+
+ if (num_entries < 1) /* No exports. */
+ return;
+ if (is_pe64)
+ {
+- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112);
+- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116);
++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail);
++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail);
+ }
+ else
+ {
+- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96);
+- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100);
++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail);
++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail);
+ }
+- nsections = pe_get16 (dll, pe_header_offset + 4 + 2);
++ if (fail)
++ return maybe_print_debug_msg ();
++
++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail);
+ secptr = (pe_header_offset + 4 + 20 +
+- pe_get16 (dll, pe_header_offset + 4 + 16));
++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail));
++ if (fail)
++ return maybe_print_debug_msg ();
+ expptr = 0;
+ export_size = 0;
+
+@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_re
+ {
+ char sname[8];
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+- unsigned long vsize = pe_get32 (dll, secptr1 + 16);
+- unsigned long fptr = pe_get32 (dll, secptr1 + 20);
+-
+- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET);
+- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll);
++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail);
++ unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail);
++
++ if (fail
++ || bfd_seek (dll, secptr1, SEEK_SET) != 0
++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname))
+
+ if ((strcmp (sname, ".edata") == 0)
+ || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize))
+@@ -461,16 +483,18 @@ read_pe_exported_syms (minimal_symbol_re
+ for (i = 0; i < nsections; i++)
+ {
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vsize = pe_get32 (dll, secptr1 + 8);
+- unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+- unsigned long characteristics = pe_get32 (dll, secptr1 + 36);
++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail);
++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail);
++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail);
+ char sec_name[SCNNMLEN + 1];
+ int sectix;
+ unsigned int bfd_section_index;
+ asection *section;
+
+- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET);
+- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll);
++ if (fail
++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0
++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN)
++ return maybe_print_debug_msg ();
+ sec_name[SCNNMLEN] = '\0';
+
+ sectix = read_pe_section_index (sec_name);
+@@ -509,8 +533,9 @@ read_pe_exported_syms (minimal_symbol_re
+ gdb::def_vector<unsigned char> expdata_storage (export_size);
+ expdata = expdata_storage.data ();
+
+- bfd_seek (dll, (file_ptr) expptr, SEEK_SET);
+- bfd_bread (expdata, (bfd_size_type) export_size, dll);
++ if (bfd_seek (dll, expptr, SEEK_SET) != 0
++ || bfd_bread (expdata, export_size, dll) != export_size)
++ return maybe_print_debug_msg ();
+ erva = expdata - export_rva;
+
+ nexp = pe_as32 (expdata + 24);
+@@ -658,20 +683,27 @@ pe_text_section_offset (struct bfd *abfd
+ }
+
+ /* Get pe_header, optional header and numbers of sections. */
+- pe_header_offset = pe_get32 (abfd, 0x3c);
+- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2);
++ bool fail = false;
++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail);
++ if (fail)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail);
+ secptr = (pe_header_offset + 4 + 20 +
+- pe_get16 (abfd, pe_header_offset + 4 + 16));
++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail));
++ if (fail)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+
+ /* Get the rva and size of the export section. */
+ for (i = 0; i < nsections; i++)
+ {
+ char sname[SCNNMLEN + 1];
+ unsigned long secptr1 = secptr + 40 * i;
+- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12);
++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail);
+
+- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET);
+- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd);
++ if (fail
++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0
++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN)
++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET;
+ sname[SCNNMLEN] = '\0';
+ if (strcmp (sname, ".text") == 0)
+ return vaddr;
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -690,8 +690,6 @@ coff_symfile_read (struct objfile *objfi
+
+ /* FIXME: dubious. Why can't we use something normal like
+ bfd_get_section_contents? */
+- bfd_seek (abfd, abfd->where, 0);
+-
+ stabstrsize = bfd_section_size (info->stabstrsect);
+
+ coffstab_build_psymtabs (objfile,
+@@ -780,22 +778,6 @@ coff_symtab_read (minimal_symbol_reader
+
+ scoped_free_pendings free_pending;
+
+- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous....
+- it's hard to know I've really worked around it. The fix should
+- be harmless, anyway). The symptom of the bug is that the first
+- fread (in read_one_sym), will (in my example) actually get data
+- from file offset 268, when the fseek was to 264 (and ftell shows
+- 264). This causes all hell to break loose. I was unable to
+- reproduce this on a short test program which operated on the same
+- file, performing (I think) the same sequence of operations.
+-
+- It stopped happening when I put in this (former) rewind().
+-
+- FIXME: Find out if this has been reported to Sun, whether it has
+- been fixed in a later release, etc. */
+-
+- bfd_seek (objfile->obfd, 0, 0);
+-
+ /* Position to read the symbol table. */
+ val = bfd_seek (objfile->obfd, symtab_offset, 0);
+ if (val < 0)
+@@ -1285,12 +1267,13 @@ init_stringtab (bfd *abfd, file_ptr offs
+ if (bfd_seek (abfd, offset, 0) < 0)
+ return -1;
+
+- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd);
+- length = bfd_h_get_32 (symfile_bfd, lengthbuf);
+-
++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd);
+ /* If no string table is needed, then the file may end immediately
+ after the symbols. Just return with `stringtab' set to null. */
+- if (val != sizeof lengthbuf || length < sizeof lengthbuf)
++ if (val != sizeof lengthbuf)
++ return 0;
++ length = bfd_h_get_32 (symfile_bfd, lengthbuf);
++ if (length < sizeof lengthbuf)
+ return 0;
+
+ storage->reset ((char *) xmalloc (length));
+diff --git a/gdb/dbxread.c b/gdb/dbxread.c
+--- a/gdb/dbxread.c
++++ b/gdb/dbxread.c
+@@ -812,7 +812,8 @@ stabs_seek (int sym_offset)
+ symbuf_left -= sym_offset;
+ }
+ else
+- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR);
++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0)
++ perror_with_name (bfd_get_filename (symfile_bfd));
+ }
+
+ #define INTERNALIZE_SYMBOL(intern, extern, abfd) \
+@@ -2095,8 +2096,8 @@ dbx_expand_psymtab (legacy_psymtab *pst,
+ symbol_size = SYMBOL_SIZE (pst);
+
+ /* Read in this file's symbols. */
+- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET);
+- read_ofile_symtab (objfile, pst);
++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0)
++ read_ofile_symtab (objfile, pst);
+ }
+
+ pst->readin = true;
+diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c
+--- a/gdb/xcoffread.c
++++ b/gdb/xcoffread.c
+@@ -865,8 +865,9 @@ enter_line_range (struct subfile *subfil
+
+ while (curoffset <= limit_offset)
+ {
+- bfd_seek (abfd, curoffset, SEEK_SET);
+- bfd_bread (ext_lnno, linesz, abfd);
++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0
++ || bfd_bread (ext_lnno, linesz, abfd) != linesz)
++ return;
+ bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno);
+
+ /* Find the address this line represents. */
+--
+2.39.3