Patch gdb to fix CVE-2022-48064 and CVE-2022-48065 [Medium] #13261

Open - wants to merge 1 commit into base: fasttrack/2.0
51 changes: 51 additions & 0 deletions SPECS/gdb/CVE-2022-48064.patch
@@ -0,0 +1,51 @@
From 8f2c64de86bc3d7556121fe296dd679000283931 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 20 Dec 2022 23:47:03 +1030
Subject: [PATCH] PR29922, SHT_NOBITS section avoids section size sanity check

PR 29922
* dwarf2.c (find_debug_info): Ignore sections without
SEC_HAS_CONTENTS.
---
Contributor review comment on the line above, suggested change:
---
Upstream Patch Reference : https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=8f2c64de86bc3d7556121fe296dd679000283931
---

bfd/dwarf2.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 95f45708e9d..0cd8152ee6e 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4831,16 +4831,19 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
{
look = debug_sections[debug_info].uncompressed_name;
msec = bfd_get_section_by_name (abfd, look);
- if (msec != NULL)
+ /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure. Of
+ course debug sections always have contents. */
+ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
return msec;

look = debug_sections[debug_info].compressed_name;
msec = bfd_get_section_by_name (abfd, look);
- if (msec != NULL)
+ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
return msec;

for (msec = abfd->sections; msec != NULL; msec = msec->next)
- if (startswith (msec->name, GNU_LINKONCE_INFO))
+ if ((msec->flags & SEC_HAS_CONTENTS) != 0
+ && startswith (msec->name, GNU_LINKONCE_INFO))
return msec;

return NULL;
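Review bot: the index line above (95f45708e9d..0cd8152ee6e) and the @@ -4831 offsets look like the upstream commit's own rather than a regeneration against the gdb 11.2 tree, unlike CVE-2022-48065.patch in this same PR (index 83ca8a3..414c2d2, with a Modified-by note); please confirm the patch applies to 11.2's bfd/dwarf2.c without fuzz and add the "Upstream Patch Reference" line the other reviewer suggested so the origin of an unmodified backport is recorded. On the change itself, the `(msec->flags & SEC_HAS_CONTENTS) != 0` guard is applied to all three lookups (uncompressed name, compressed name, GNU_LINKONCE_INFO prefix), so an SHT_NOBITS .debug_info can no longer be returned to the caller and reach its size sanity check.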
@@ -4848,6 +4851,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,

for (msec = after_sec->next; msec != NULL; msec = msec->next)
{
+ if ((msec->flags & SEC_HAS_CONTENTS) == 0)
+ continue;
+
look = debug_sections[debug_info].uncompressed_name;
if (strcmp (msec->name, look) == 0)
return msec;
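Review bot: placing the `continue` at the top of the loop body is the right spot, because it has to precede every name comparison in the loop and only the first one (uncompressed_name) is visible in this hunk's context; the after_sec path now applies the same rule as the after_sec == NULL path above, so it would help readers of this loop in isolation to repeat the short "anti-fuzzer measure" comment from the first hunk here rather than leaving a bare flag test.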
--
2.43.5
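The class of input the first patch defends against, as an added example that is not part of this PR or of binutils: a constructed 64-bit little-endian ELF image whose .debug_info section header is SHT_NOBITS with an sh_size far larger than the file. `lookup_section` finds the section by name the way the unpatched find_debug_info would, and `debug_section_usable` applies the rule the patch introduces (SEC_HAS_CONTENTS corresponds to the section not being SHT_NOBITS) together with the offset/size bounds check that the commit subject calls the section size sanity check. The image layout, the helper names and the three-way `classify` result are this example's own; only the ELF64 field offsets and type values come from the ELF specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHT_PROGBITS 1
#define SHT_NOBITS   8
#define EHDR_SIZE 64
#define SHDR_SIZE 64

/* Little-endian readers/writers so the constructed image is byte-exact. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

struct section { uint32_t type; uint64_t offset; uint64_t size; const char *name; };

/* Constructed ELF64 image with three section headers: [0] null,
   [1] .debug_info (type and size supplied), [2] .shstrtab. Returns the length. */
static size_t build_image(uint8_t *buf, size_t cap, uint32_t debug_type, uint64_t debug_size)
{
    static const char strtab[] = "\0.debug_info\0.shstrtab";  /* 23 bytes with final NUL */
    const size_t strtab_off = EHDR_SIZE;                       /* 64 */
    const size_t debug_off  = 88;                              /* 16 zero bytes of payload */
    const size_t shoff      = 104;
    const size_t total      = shoff + 3 * SHDR_SIZE;           /* 296 */
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2;                 /* ELFCLASS64 */
    buf[5] = 1;                 /* ELFDATA2LSB */
    buf[6] = 1;                 /* EV_CURRENT */
    wr16(buf + 0x10, 1);        /* ET_REL */
    wr32(buf + 0x14, 1);        /* e_version */
    wr64(buf + 0x28, shoff);    /* e_shoff */
    wr16(buf + 0x34, EHDR_SIZE);
    wr16(buf + 0x3a, SHDR_SIZE);
    wr16(buf + 0x3c, 3);        /* e_shnum */
    wr16(buf + 0x3e, 2);        /* e_shstrndx */
    memcpy(buf + strtab_off, strtab, sizeof strtab);
    uint8_t *sh = buf + shoff + SHDR_SIZE;   /* [1] .debug_info */
    wr32(sh + 0x00, 1);                      /* sh_name: ".debug_info" */
    wr32(sh + 0x04, debug_type);
    wr64(sh + 0x18, debug_off);
    wr64(sh + 0x20, debug_size);
    sh += SHDR_SIZE;                         /* [2] .shstrtab */
    wr32(sh + 0x00, 13);                     /* sh_name: ".shstrtab" */
    wr32(sh + 0x04, 3);                      /* SHT_STRTAB */
    wr64(sh + 0x18, strtab_off);
    wr64(sh + 0x20, sizeof strtab);
    return total;
}

/* Name-only lookup, like the pre-patch find_debug_info: the section table and
   string table are bounds-checked, but the found section's contents are not. */
static int lookup_section(const uint8_t *img, size_t len, const char *want, struct section *out)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return 0;
    uint64_t shoff = rd64(img + 0x28);
    uint16_t shentsize = rd16(img + 0x3a), shnum = rd16(img + 0x3c), shstrndx = rd16(img + 0x3e);
    if (shentsize < SHDR_SIZE || shnum == 0 || shstrndx >= shnum
        || shoff > len || (uint64_t)shnum * shentsize > len - shoff)
        return 0;
    const uint8_t *strhdr = img + shoff + (uint64_t)shstrndx * shentsize;
    uint64_t stroff = rd64(strhdr + 0x18), strsize = rd64(strhdr + 0x20);
    if (stroff > len || strsize > len - stroff) return 0;
    for (uint16_t i = 0; i < shnum; i++) {
        const uint8_t *sh = img + shoff + (uint64_t)i * shentsize;
        uint32_t name = rd32(sh);
        if (name >= strsize) continue;
        const char *s = (const char *)img + stroff + name;
        if (memchr(s, 0, strsize - name) == NULL) continue;   /* unterminated name */
        if (strcmp(s, want) != 0) continue;
        out->name = s; out->type = rd32(sh + 4);
        out->offset = rd64(sh + 0x18); out->size = rd64(sh + 0x20);
        return 1;
    }
    return 0;
}

/* The rule the patch adds: a NOBITS section has no bytes in the file, so a
   name match alone must not pass it on; then the size sanity check proper. */
static int debug_section_usable(const struct section *s, size_t len)
{
    if (s->type == SHT_NOBITS) return 0;
    if (s->offset > len || s->size > len - s->offset) return 0;
    return 1;
}

/* -1: no .debug_info header, 0: found but rejected, 1: found and usable. */
static int classify(uint32_t debug_type, uint64_t debug_size)
{
    uint8_t img[512];
    struct section s;
    size_t len = build_image(img, sizeof img, debug_type, debug_size);
    if (!lookup_section(img, len, ".debug_info", &s)) return -1;
    return debug_section_usable(&s, len);
}

int main(void)
{
    printf("NOBITS .debug_info, 1 TiB claimed: %d\n", classify(SHT_NOBITS, 1ULL << 40));
    printf("PROGBITS .debug_info, 16 bytes:    %d\n", classify(SHT_PROGBITS, 16));
    printf("PROGBITS .debug_info, 1 TiB:       %d\n", classify(SHT_PROGBITS, 1ULL << 40));
    return 0;
}
```

The NOBITS case is the one PR 29922 is about: the section is found by name, and without the type check its absurd sh_size would be handed to whatever reads or allocates for the section next.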
101 changes: 101 additions & 0 deletions SPECS/gdb/CVE-2022-48065.patch
@@ -0,0 +1,101 @@
From 4dbabcbb6bb82fc71ee411d6a8b81918d775a0b5 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 21 Dec 2022 21:40:12 +1030
Subject: [PATCH] PR29925, Memory leak in find_abstract_instance

The testcase in the PR had a variable with both DW_AT_decl_file and
DW_AT_specification, where the DW_AT_specification also specified
DW_AT_decl_file. This leads to a memory leak as the file name is
malloced and duplicates are not expected.

I've also changed find_abstract_instance to not use a temp for "name",
because that can result in a change in behaviour from the usual last
of duplicate attributes wins.

PR 29925
* dwarf2.c (find_abstract_instance): Delete "name" variable.
Free *filename_ptr before assigning new file name.
(scan_unit_for_symbols): Similarly free func->file and
var->file before assigning.

Modified patch <d28fbc7197ba0e021a43f873eff90b05dcdcff6a> to apply to AzureLinux: Added required free statements based on code.
Modified-by: Sandeep Karambelkar <skarambelkar@microsoft.com>
---
bfd/dwarf2.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 83ca8a3..414c2d2 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2873,7 +2873,6 @@ find_abstract_instance (struct comp_unit *unit,
struct abbrev_info *abbrev;
bfd_uint64_t die_ref = attr_ptr->u.val;
struct attribute attr;
- const char *name = NULL;

if (recur_count == 100)
{
@@ -3038,16 +3037,16 @@ find_abstract_instance (struct comp_unit *unit,
case DW_AT_name:
/* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
over DW_AT_name. */
- if (name == NULL && is_str_attr (attr.form))
+ if (*pname == NULL && is_str_attr (attr.form))
{
- name = attr.u.str;
+ *pname = attr.u.str;
if (non_mangled (unit->lang))
*is_linkage = true;
}
break;
case DW_AT_specification:
if (!find_abstract_instance (unit, &attr, recur_count + 1,
- &name, is_linkage,
+ pname, is_linkage,
filename_ptr, linenumber_ptr))
return false;
break;
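Review bot: with the local `name` gone, the `*pname == NULL` test in the DW_AT_name case now reads whatever the caller left in *pname before the call, whereas before it only saw names found in this DIE and its DW_AT_specification chain; callers must initialise *pname to NULL (or deliberately pre-seed it) for DW_AT_name to be honoured, so please confirm every caller of find_abstract_instance in gdb 11.2's dwarf2.c does so. Passing `pname` straight into the recursive DW_AT_specification call is otherwise equivalent to the old `&name`.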
@@ -3057,13 +3056,14 @@ find_abstract_instance (struct comp_unit *unit,
non-string forms into these attributes. */
if (is_str_attr (attr.form))
{
- name = attr.u.str;
+ *pname = attr.u.str;
*is_linkage = true;
}
break;
case DW_AT_decl_file:
if (!comp_unit_maybe_decode_line_info (unit))
return false;
+ free (*filename_ptr);
*filename_ptr = concat_filename (unit->line_table,
attr.u.val);
break;
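Review bot: `free (*filename_ptr)` is only safe if *filename_ptr is NULL or heap memory owned by this walk; since the backport note says the free statements were "added based on code", the description should list the call sites checked and confirm that each caller zero-initialises the pointer it passes (free(NULL) is a no-op, an uninitialised or borrowed pointer is not) and that concat_filename always returns malloc'd memory, as the commit message states. With that precondition the free makes the last DW_AT_decl_file in the specification chain win without leaking the earlier result, which is exactly PR 29925.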
@@ -3076,7 +3076,6 @@ find_abstract_instance (struct comp_unit *unit,
}
}
}
- *pname = name;
return true;
}
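Review bot: dropping the trailing `*pname = name;` changes the no-name case: previously a DIE with neither DW_AT_name nor a linkage-name attribute reset *pname to NULL on return, now *pname is left untouched, so a caller that reuses a name variable across DIEs without clearing it keeps a stale name; please check that scan_unit_for_symbols and the other callers re-initialise before each call, or document that the function only ever sets *pname and never clears it.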

@@ -3510,6 +3509,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
break;

case DW_AT_decl_file:
+ free (func->file);
func->file = concat_filename (unit->line_table,
attr.u.val);
break;
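Review bot: `free (func->file)` assumes func was zero-allocated so that file is NULL on the first DW_AT_decl_file, and that func->file is never pointed at a string the function does not own; the allocation is not in this hunk, so please confirm both in gdb 11.2's scan_unit_for_symbols. The Modified-by note says free statements were added based on code, so the description should also state which of these frees differ from upstream 4dbabcbb6bb82fc71ee411d6a8b81918d775a0b5 / d28fbc7197ba0e021a43f873eff90b05dcdcff6a.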
@@ -3559,6 +3559,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
break;

case DW_AT_decl_file:
+ free (var->file);
var->file = concat_filename (unit->line_table,
attr.u.val);
break;
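Review bot: same precondition as for func->file: var->file must be NULL before the first DW_AT_decl_file. One more thing this hunk does not show: in find_abstract_instance the DW_AT_decl_file assignment is guarded by `comp_unit_maybe_decode_line_info (unit)`, while here `unit->line_table` is used directly, so the line table must already have been decoded earlier in scan_unit_for_symbols, otherwise concat_filename is called with a NULL table.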
--
2.45.2
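The leak the second patch fixes, as an added example that is not part of this PR or of bfd: a two-DIE model of the PR 29925 testcase (a variable with DW_AT_decl_file and a DW_AT_specification whose target also carries DW_AT_decl_file), walked once with the pre-patch overwrite and once with the free-before-assign the patch adds. An allocation ledger shows the leaked copy, and running the same DIE with its attributes in the other order shows the "last of duplicate attributes wins" rule the commit message describes. The file table, the die/attr structs and all function names are this example's own; only the two DW_AT_* constant values come from the DWARF specification.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Attribute codes from the DWARF specification. */
#define DW_AT_decl_file      0x3a
#define DW_AT_specification  0x47

struct attr { int code; unsigned value; };
struct die  { const struct attr *attrs; int nattrs; };

/* Constructed stand-in for a compilation unit's line-table file list. */
static const char *const file_table[] = { "<none>", "widget.h", "widget.cc" };

/* Ledger of live filename allocations so a leak is measurable. */
static int live_filenames;
static char last_name[64];

/* Like bfd's concat_filename: every call returns a fresh malloc'd string. */
static char *concat_filename(unsigned file_index)
{
    if (file_index >= sizeof file_table / sizeof file_table[0]) file_index = 0;
    size_t n = strlen(file_table[file_index]) + 1;
    char *s = malloc(n);
    if (s) { memcpy(s, file_table[file_index], n); live_filenames++; }
    return s;
}

/* free() that keeps the ledger; free(NULL) stays a no-op, which is why the
   patch is only safe when *filename_ptr starts out NULL. */
static void free_filename(char *s) { if (s) { live_filenames--; free(s); } }

/* Mirrors find_abstract_instance's DW_AT_decl_file / DW_AT_specification
   handling. fix_leak == 0 reproduces the pre-patch overwrite. */
static int walk_die(const struct die *dies, int ndies, int idx, int depth,
                    int fix_leak, char **filename_ptr)
{
    if (idx < 0 || idx >= ndies || depth == 100) return 0;
    const struct die *d = &dies[idx];
    for (int i = 0; i < d->nattrs; i++) {
        const struct attr *a = &d->attrs[i];
        switch (a->code) {
        case DW_AT_decl_file:
            if (fix_leak) free_filename(*filename_ptr);   /* the patch's added free () */
            *filename_ptr = concat_filename(a->value);     /* last duplicate wins */
            break;
        case DW_AT_specification:
            if (!walk_die(dies, ndies, (int)a->value, depth + 1, fix_leak, filename_ptr))
                return 0;
            break;
        default:
            break;
        }
    }
    return 1;
}

/* Run the PR 29925 shape. DIE 0 is the variable, DIE 1 its specification.
   Returns the number of filename allocations still live after the caller
   has released the one it received; 0 means nothing leaked. */
static int run_case(int fix_leak, int spec_first)
{
    static const struct attr decl_then_spec[] = { { DW_AT_decl_file, 1 }, { DW_AT_specification, 1 } };
    static const struct attr spec_then_decl[] = { { DW_AT_specification, 1 }, { DW_AT_decl_file, 1 } };
    static const struct attr spec_attrs[]     = { { DW_AT_decl_file, 2 } };
    const struct die dies[2] = { { spec_first ? spec_then_decl : decl_then_spec, 2 },
                                 { spec_attrs, 1 } };
    char *filename = NULL;        /* precondition: NULL, never uninitialised */
    live_filenames = 0;
    walk_die(dies, 2, 0, 0, fix_leak, &filename);
    snprintf(last_name, sizeof last_name, "%s", filename ? filename : "");
    free_filename(filename);      /* the caller's own release of the result */
    return live_filenames;
}

static const char *last_filename(void) { return last_name; }

int main(void)
{
    printf("pre-patch, decl_file then specification: leaked=%d name=%s\n",
           run_case(0, 0), last_filename());
    printf("patched,   decl_file then specification: leaked=%d name=%s\n",
           run_case(1, 0), last_filename());
    printf("patched,   specification then decl_file: leaked=%d name=%s\n",
           run_case(1, 1), last_filename());
    return 0;
}
```

The pre-patch walk ends with the right name but one allocation nobody can free any more; the patched walk releases the earlier string before storing the later one, and the attribute order decides which file name survives.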

7 changes: 6 additions & 1 deletion SPECS/gdb/gdb.spec
@@ -1,7 +1,7 @@
Summary: C debugger
Name: gdb
Version: 11.2
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@@ -13,6 +13,8 @@ Patch1: CVE-2023-39129.patch
Patch2: CVE-2023-39130.patch
Patch3: CVE-2025-1176.patch
Patch4: CVE-2025-1182.patch
Patch5: CVE-2022-48064.patch
Patch6: CVE-2022-48065.patch
BuildRequires: expat-devel
BuildRequires: gcc-c++
BuildRequires: gcc-gfortran
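Review bot: Patch5 and Patch6 are declared but the diff does not touch %prep; if gdb.spec applies patches with explicit %patchN lines rather than %autosetup, the two new files will ship in the SRPM but never be applied, so please show the %prep change or confirm %autosetup -p1 is in use. Numbering the 2022 CVEs after the 2025 ones is fine as long as application order does not matter, which should hold here since the two new patches touch different functions in bfd/dwarf2.c.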
@@ -93,6 +95,9 @@ rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs
%{_mandir}/*/*

%changelog
* Thu Apr 03 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 11.2-5
- Fix CVE-2022-48064, CVE-2022-48065

* Thu Feb 13 2025 Ankita Pareek <ankitapareek@microsoft.com> - 11.2-4
- Address CVE-2025-1176 and CVE-2025-1182

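Review bot: the changelog entry should note that CVE-2022-48065.patch is a modified backport (it carries a Modified-by line and deviates from upstream 4dbabcbb6bb82fc71ee411d6a8b81918d775a0b5), so that whoever next rebases gdb knows it cannot simply be replaced by the upstream commit. Entry format, date and version (11.2-5, matching Release: 5%{?dist}) are consistent with the previous entry.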