diff --git a/SPECS/gdb/CVE-2022-48064.patch b/SPECS/gdb/CVE-2022-48064.patch
new file mode 100644
index 00000000000..b102b94a70c
--- /dev/null
+++ b/SPECS/gdb/CVE-2022-48064.patch
@@ -0,0 +1,51 @@
+From 8f2c64de86bc3d7556121fe296dd679000283931 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Tue, 20 Dec 2022 23:47:03 +1030
+Subject: [PATCH] PR29922, SHT_NOBITS section avoids section size sanity check
+
+ PR 29922
+ * dwarf2.c (find_debug_info): Ignore sections without
+ SEC_HAS_CONTENTS.
+---
+ bfd/dwarf2.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 95f45708e9d..0cd8152ee6e 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4831,16 +4831,19 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+ {
+ look = debug_sections[debug_info].uncompressed_name;
+ msec = bfd_get_section_by_name (abfd, look);
+- if (msec != NULL)
++ /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure. Of
++ course debug sections always have contents. */
++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+ return msec;
+
+ look = debug_sections[debug_info].compressed_name;
+ msec = bfd_get_section_by_name (abfd, look);
+- if (msec != NULL)
++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+ return msec;
+
+ for (msec = abfd->sections; msec != NULL; msec = msec->next)
+- if (startswith (msec->name, GNU_LINKONCE_INFO))
++ if ((msec->flags & SEC_HAS_CONTENTS) != 0
++ && startswith (msec->name, GNU_LINKONCE_INFO))
+ return msec;
+
+ return NULL;
+@@ -4848,6 +4851,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+
+ for (msec = after_sec->next; msec != NULL; msec = msec->next)
+ {
++ if ((msec->flags & SEC_HAS_CONTENTS) == 0)
++ continue;
++
+ look = debug_sections[debug_info].uncompressed_name;
+ if (strcmp (msec->name, look) == 0)
+ return msec;
+--
+2.43.5
diff --git a/SPECS/gdb/CVE-2022-48065.patch b/SPECS/gdb/CVE-2022-48065.patch
new file mode 100644
index 00000000000..69f4a7a1986
--- /dev/null
+++ b/SPECS/gdb/CVE-2022-48065.patch
@@ -0,0 +1,101 @@
+From 4dbabcbb6bb82fc71ee411d6a8b81918d775a0b5 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 21 Dec 2022 21:40:12 +1030
+Subject: [PATCH] PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file. This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+ PR 29925
+ * dwarf2.c (find_abstract_instance): Delete "name" variable.
+ Free *filename_ptr before assigning new file name.
+ (scan_unit_for_symbols): Similarly free func->file and
+ var->file before assigning.
+
+Modified patch to apply to AzureLinux: Added required free statements based on code.
+Modified-by: Sandeep Karambelkar
+---
+ bfd/dwarf2.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 83ca8a3..414c2d2 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2873,7 +2873,6 @@ find_abstract_instance (struct comp_unit *unit,
+ struct abbrev_info *abbrev;
+ bfd_uint64_t die_ref = attr_ptr->u.val;
+ struct attribute attr;
+- const char *name = NULL;
+
+ if (recur_count == 100)
+ {
+@@ -3038,16 +3037,16 @@ find_abstract_instance (struct comp_unit *unit,
+ case DW_AT_name:
+ /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ over DW_AT_name.
 */
+- if (name == NULL && is_str_attr (attr.form))
++ if (*pname == NULL && is_str_attr (attr.form))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ if (non_mangled (unit->lang))
+ *is_linkage = true;
+ }
+ break;
+ case DW_AT_specification:
+ if (!find_abstract_instance (unit, &attr, recur_count + 1,
+- &name, is_linkage,
++ pname, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return false;
+ break;
+@@ -3057,13 +3056,14 @@ find_abstract_instance (struct comp_unit *unit,
+ non-string forms into these attributes. */
+ if (is_str_attr (attr.form))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ *is_linkage = true;
+ }
+ break;
+ case DW_AT_decl_file:
+ if (!comp_unit_maybe_decode_line_info (unit))
+ return false;
++ free (*filename_ptr);
+ *filename_ptr = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
+@@ -3076,7 +3076,6 @@ find_abstract_instance (struct comp_unit *unit,
+ }
+ }
+ }
+- *pname = name;
+ return true;
+ }
+
+@@ -3510,6 +3509,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ break;
+
+ case DW_AT_decl_file:
++ free (func->file);
+ func->file = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
+@@ -3559,6 +3559,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ break;
+
+ case DW_AT_decl_file:
++ free (var->file);
+ var->file = concat_filename (unit->line_table,
+ attr.u.val);
+ break;
+--
+2.45.2
+
diff --git a/SPECS/gdb/gdb.spec b/SPECS/gdb/gdb.spec
index 443d3af1554..6975057b53c 100644
--- a/SPECS/gdb/gdb.spec
+++ b/SPECS/gdb/gdb.spec
@@ -1,7 +1,7 @@
 Summary: C debugger
 Name: gdb
 Version: 11.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -13,6 +13,8 @@ Patch1: CVE-2023-39129.patch
 Patch2: CVE-2023-39130.patch
 Patch3: CVE-2025-1176.patch
 Patch4: CVE-2025-1182.patch
+Patch5: CVE-2022-48064.patch
+Patch6: CVE-2022-48065.patch
 BuildRequires: expat-devel
 BuildRequires: gcc-c++
 BuildRequires: gcc-gfortran
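Review bot: The added `free (*filename_ptr);` in the DW_AT_decl_file case of find_abstract_instance is only safe if every caller hands in a pointer to NULL or to a heap string from concat_filename, since a static or borrowed string would now be freed when a second DW_AT_decl_file is seen; the callers and the rest of find_abstract_instance and scan_unit_for_symbols are outside the hunk, so this should be confirmed against gdb 11.2's bundled bfd/dwarf2.c rather than assumed from upstream. The same applies to `free (func->file);` and `free (var->file);` in the two scan_unit_for_symbols hunks. The header line `Modified patch to apply to AzureLinux: Added required free statements based on code.` is also at odds with the ChangeLog entry a few lines above it, which already lists the three free calls as part of upstream 4dbabcbb; recording what actually differed from upstream (context or line offsets in the 11.2 tree) would make the backport reviewable and rebaseable.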
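Review bot: The new `Patch5: CVE-2022-48064.patch` and `Patch6: CVE-2022-48065.patch` entries only declare the sources; whether they are applied is decided in %prep, which is outside this hunk. If %prep uses explicit numbered `%patch` lines rather than `%autosetup -p1`, two matching apply lines are needed, otherwise the Release bump ships without the fixes while the changelog claims them. Both patch files use `a/bfd/dwarf2.c` paths, so they require a `-p1` strip level either way.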
@@ -93,6 +95,9 @@ rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs
 %{_mandir}/*/*
 %changelog
+* Thu Apr 03 2025 Sandeep Karambelkar - 11.2-5
+- Fix CVE-2022-48064, CVE-2022-48065
+
 * Thu Feb 13 2025 Ankita Pareek - 11.2-4
 - Address CVE-2025-1176 and CVE-2025-1182