gdb-6_5-7_fc6 from embargo branch.

2006-09-04 07:49:04 +00:00 · 2006-09-04 07:49:04 +00:00 · e6628c4a6c
parent a23697f5db
commit e6628c4a6c
2 changed files with 67 additions and 23 deletions
--- a/gdb-6.5-dwarf-stack-overflow.patch
+++ b/gdb-6.5-dwarf-stack-overflow.patch
@ -1,49 +1,89 @@
 for gdb/ChangeLog:
-2006-08-14  Will Drewry <wad@google.com>
+2006-08-22  Will Drewry <wad@google.com>
+	    Tavis Ormandy <taviso@google.com>

-	* dwarf2read.c (decode_locdesc): Avoid overflows in expression
-	stack.
+	* dwarf2read.c (decode_locdesc): Enforce location description stack
+	boundaries.
 	* dwarfread.c (locval): Likewise.

 Index: gdb-6.5/gdb/dwarf2read.c
 ===================================================================
--- gdb-6.5.orig/gdb/dwarf2read.c	2006-08-23 04:12:09.000000000 -0300
-+++ gdb-6.5/gdb/dwarf2read.c	2006-08-23 04:16:17.000000000 -0300
-@@ -8864,6 +8864,16 @@ decode_locdesc (struct dwarf_block *blk,
+--- gdb-6.5.orig/gdb/dwarf2read.c	2006-09-04 02:02:23.000000000 -0300
+++ gdb-6.5/gdb/dwarf2read.c	2006-09-04 02:02:23.000000000 -0300
+@@ -8667,8 +8667,7 @@ dwarf2_fundamental_type (struct objfile 
+    callers will only want a very basic result and this can become a
+    complaint.
+ 
+-   Note that stack[0] is unused except as a default error return.
+-   Note that stack overflow is not yet handled.  */
+   Note that stack[0] is unused except as a default error return. */
+ 
+ static CORE_ADDR
+ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
+@@ -8685,7 +8684,7 @@ decode_locdesc (struct dwarf_block *blk,
+ 
+   i = 0;
+   stacki = 0;
+-  stack[stacki] = 0;
+  stack[++stacki] = 0;
+ 
+   while (i < size)
+     {
+@@ -8864,6 +8863,16 @@ decode_locdesc (struct dwarf_block *blk,
 		     dwarf_stack_op_name (op));
 	  return (stack[stacki]);
 	}
-+
-+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
-+	 outside of the given size.  Also enforce minimum > 0.  */
-+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
+         outside of the allocated space. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too deep: %d"),
-+			stacki);
+	                _("location description stack too deep: %d"),
+	                stacki);
 +      if (stacki <= 0)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too shallow"));
+	                _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }
 Index: gdb-6.5/gdb/dwarfread.c
 ===================================================================
 --- gdb-6.5.orig/gdb/dwarfread.c	2005-12-17 20:33:59.000000000 -0200
-+++ gdb-6.5/gdb/dwarfread.c	2006-08-23 04:17:24.000000000 -0300
-@@ -2224,6 +2224,16 @@ locval (struct dieinfo *dip)
+++ gdb-6.5/gdb/dwarfread.c	2006-09-04 02:02:23.000000000 -0300
+@@ -2138,9 +2138,7 @@ decode_line_numbers (char *linetable)
+ 
+    NOTES
+ 
+-   Note that stack[0] is unused except as a default error return.
+-   Note that stack overflow is not yet handled.
+- */
+   Note that stack[0] is unused except as a default error return. */
+ 
+ static int
+ locval (struct dieinfo *dip)
+@@ -2160,7 +2158,7 @@ locval (struct dieinfo *dip)
+   loc += nbytes;
+   end = loc + locsize;
+   stacki = 0;
+-  stack[stacki] = 0;
+  stack[++stacki] = 0;
+   dip->isreg = 0;
+   dip->offreg = 0;
+   dip->optimized_out = 1;
+@@ -2224,6 +2222,16 @@ locval (struct dieinfo *dip)
 	  stacki--;
 	  break;
 	}
-+
-+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
-+	 outside of the given size.  Also enforce minimum > 0.  */
-+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
+         outside of the allocated space. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too deep: %d"),
-+			stacki);
+	                _("location description stack too deep: %d"),
+	                stacki);
 +      if (stacki <= 0)
 +	internal_error (__FILE__, __LINE__,
-+			_("location description stack too shallow"));
+	                _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }
--- a/gdb.spec
+++ b/gdb.spec
@ -11,7 +11,7 @@ Name: gdb
 Version: 6.5

 # The release always contains a leading reserved number, start it at 0.
-Release: 6%{?dist}
+Release: 7%{?dist}

 License: GPL
 Group: Development/Debuggers
@ -247,6 +247,7 @@ Patch188: gdb-6.5-bz203661-emit-relocs.patch
 Patch189: gdb-6.5-opcodes-i386-nopmem.patch

 # Security patch: avoid stack overflows in dwarf expression computation.
+# CVE-2006-4146
 Patch190: gdb-6.5-dwarf-stack-overflow.patch

 BuildRequires: ncurses-devel glibc-devel gcc make gzip texinfo dejagnu gettext
@ -510,6 +511,9 @@ fi
 # don't include the files in include, they are part of binutils

 %changelog
+* Mon Sep  4 2006 Alexandre Oliva <aoliva@redhat.com> - 6.5-7
+- Fix bug in patch for CVE-2006-4146. (BZ 203873, BZ 203880)
+
 * Thu Aug 24 2006 Alexandre Oliva <aoliva@redhat.com> - 6.5-6
 - Avoid overflows and underflows in dwarf expression computation stack.
 (BZ 203873)