From ed8eee7ab5f53717e8846fb05decb85d60dd2e74 Mon Sep 17 00:00:00 2001
From: Andrew Burgess
Date: Thu, 14 Sep 2023 22:22:33 +0100
Subject: [PATCH] Backport upstream fix for RHBZ 2237392

Backport upstream commit 54392c4df604f20 to fix an incorrect obstack allocation that wold lead to memory corruption (RHBZ 2237392).

---
 _gdb.spec.Patch.include | 4 ++
 _gdb.spec.patch.include | 1 +
 _patch_order | 1 +
 gdb-bz2237392-dwarf-obstack-allocation.patch | 68 ++++++++++++++++++++
 gdb.spec | 3 +
 5 files changed, 77 insertions(+)
 create mode 100644 gdb-bz2237392-dwarf-obstack-allocation.patch

diff --git a/_gdb.spec.Patch.include b/_gdb.spec.Patch.include
index ac17a1d..e3f21e9 100644
--- a/_gdb.spec.Patch.include
+++ b/_gdb.spec.Patch.include
@@ -211,3 +211,7 @@ Patch047: gdb-bz2196395-debuginfod-legacy-openssl-crash.patch
 # free issue in the debuginfod code.
 Patch048: gdb-bz2237515-debuginfod-double-free.patch
+# Backport upstream commit 54392c4df604f20 to fix an incorrect
+# obstack allocation that wold lead to memory corruption.
+Patch049: gdb-bz2237392-dwarf-obstack-allocation.patch
+
diff --git a/_gdb.spec.patch.include b/_gdb.spec.patch.include
index ef55dd0..2ca0c1f 100644
--- a/_gdb.spec.patch.include
+++ b/_gdb.spec.patch.include
@@ -46,3 +46,4 @@
 %patch -p1 -P046
 %patch -p1 -P047
 %patch -p1 -P048
+%patch -p1 -P049
diff --git a/_patch_order b/_patch_order
index d90b52f..4f99a83 100644
--- a/_patch_order
+++ b/_patch_order
@@ -46,3 +46,4 @@ gdb-rhbz2192105-ftbs-dangling-pointer
 gdb-rhbz2160211-excessive-core-file-warnings.patch
 gdb-bz2196395-debuginfod-legacy-openssl-crash.patch
 gdb-bz2237515-debuginfod-double-free.patch
+gdb-bz2237392-dwarf-obstack-allocation.patch
diff --git a/gdb-bz2237392-dwarf-obstack-allocation.patch b/gdb-bz2237392-dwarf-obstack-allocation.patch
new file mode 100644
index 0000000..424cad3
--- /dev/null
+++ b/gdb-bz2237392-dwarf-obstack-allocation.patch
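Review bot: The comment added above `Patch049:` carries a typo, `wold` for `would`; the second line should read `# obstack allocation that would lead to memory corruption.`. The same misspelling is repeated in the `;;` header of the new gdb-bz2237392-dwarf-obstack-allocation.patch file and in the commit description, so all three are best fixed together. Minor, but these one-line comments are what the next backporter reads when deciding whether a patch is still needed, so they should be clean.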
@@ -0,0 +1,68 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Andrew Burgess
+Date: Thu, 14 Sep 2023 13:06:26 +0100
+Subject: gdb-bz2237392-dwarf-obstack-allocation.patch
+
+;; Backport upstream commit 54392c4df604f20 to fix an incorrect
+;; obstack allocation that wold lead to memory corruption.
+
+gdb: fix buffer overflow in DWARF reader
+
+In this commit:
+
+ commit 48ac197b0c209ccf1f2de9704eb6cdf7c5c73a8e
+ Date: Fri Nov 19 10:12:44 2021 -0700
+
+ Handle multiple addresses in call_site_target
+
+a buffer overflow bug was introduced when the following code was
+added:
+
+ CORE_ADDR *saved = XOBNEWVAR (&objfile->objfile_obstack, CORE_ADDR,
+ addresses.size ());
+ std::copy (addresses.begin (), addresses.end (), saved);
+
+The definition of XOBNEWVAR is (from libiberty.h):
+
+ #define XOBNEWVAR(O, T, S) ((T *) obstack_alloc ((O), (S)))
+
+So 'saved' is going to point to addresses.size () bytes of memory,
+however, the std::copy will write addresses.size () number of
+CORE_ADDR sized entries to the address pointed to by 'saved', this is
+going to result in memory corruption.
+
+The mistake is that we should have used XOBNEWVEC, which allocates a
+vector of entries, the definition of XOBNEWVEC is:
+
+ #define XOBNEWVEC(O, T, N) \
+ ((T *) obstack_alloc ((O), sizeof (T) * (N)))
+
+Which means we will have set aside enough space to create a copy of
+the contents of the addresses vector.
+
+I'm not sure how to create a test for this problem, this issue cropped
+up when debugging a particular i686 built binary, which just happened
+to trigger a glibc assertion (likely due to random memory corruption),
+debugging the same binary built for x86-64 appeared to work just fine.
+
+Using valgrind on the failing GDB binary pointed straight to the cause
+of the problem, and with this patch in place there are no longer
+valgrind errors in this area.
+
+If anyone has ideas for a test I'm happy to work on something.
+
+Co-Authored-By: Keith Seitz
+Approved-By: Tom Tromey
+
+diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
+--- a/gdb/dwarf2/read.c
++++ b/gdb/dwarf2/read.c
+@@ -12506,7 +12506,7 @@ read_call_site_scope (struct die_info *die, struct dwarf2_cu *cu)
+ std::vector addresses;
+ dwarf2_ranges_read_low_addrs (ranges_offset, target_cu,
+ target_die->tag, addresses);
+- CORE_ADDR *saved = XOBNEWVAR (&objfile->objfile_obstack, CORE_ADDR,
++ CORE_ADDR *saved = XOBNEWVEC (&objfile->objfile_obstack, CORE_ADDR,
+ addresses.size ());
+ std::copy (addresses.begin (), addresses.end (), saved);
+ call_site->target.set_loc_array (addresses.size (), saved);
diff --git a/gdb.spec b/gdb.spec
index 3cca409..934875f 100644
--- a/gdb.spec
+++ b/gdb.spec
@@ -1252,6 +1252,9 @@ fi
 %endif
 %changelog
+* Wed Aug 14 2023 Andrew Burgess
+- Backport upstream commit 54392c4df604f20, which fixes RHBZ 2237392.
+
 * Wed Aug 13 2023 Andrew Burgess
 - Backport upstream commit f96328accde1e63, which fixes RHBZ 2237515.
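Review bot: In the read.c hunk carried by the new patch file, the context line `std::vector addresses;` shows no element type, while the surrounding code (`CORE_ADDR *saved` and the `std::copy` into it) implies the real declaration is `std::vector<CORE_ADDR> addresses;`. If the angle brackets are genuinely absent from the stored file rather than lost in rendering, the context will not match gdb/dwarf2/read.c and `%patch -p1 -P049` will fail at build time, so the file is worth checking byte-for-byte against upstream 54392c4df604f20 before merging. The XOBNEWVEC change itself is the correct fix: XOBNEWVAR reserved addresses.size() bytes while std::copy writes addresses.size() CORE_ADDR values, an out-of-bounds write on the objfile obstack whose size is driven by the call-site ranges read from the debugged binary's DWARF. Given that input is not under GDB's control, a short bug-class line in the `;;` header such as `;; Out-of-bounds write on the objfile obstack, reachable from the DWARF of a debugged binary.` would make later triage of this backport easier.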
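Review bot: The new %changelog entry `* Wed Aug 14 2023 Andrew Burgess` has a weekday that does not match its date: 14 Aug 2023 was a Monday, and the commit itself is dated Thu 14 Sep 2023, so `* Thu Sep 14 2023 Andrew Burgess` looks like the intended line. rpmbuild emits a "bogus date in %changelog" warning for such mismatches, and the entry also sits only one calendar day above the preceding `* Wed Aug 13 2023` entry, which shows the same problem (13 Aug 2023 was a Sunday, whereas 13 Sep 2023 was a Wednesday) and was presumably the template. Worth confirming both dates before this line is copied forward into the next entry.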