Backport upstream commit d28fbc7197b which fixes RHBZ 2233965 (

CVE-2022-48065).
2023-10-01 11:38:40 +02:00 · 2023-10-01 11:38:40 +02:00 · fec73092bb
parent aca26db9ee
commit fec73092bb
5 changed files with 125 additions and 1 deletions
--- a/_gdb.spec.Patch.include
+++ b/_gdb.spec.Patch.include
@ -210,3 +210,6 @@ Patch047: gdb-bz2237392-dwarf-obstack-allocation.patch
 # avoids section size sanity check.
 Patch048: gdb-rhbz2233961-CVE-2022-4806.patch

+# Backport PR29925, Memory leak in find_abstract_instance
+Patch049: gdb-rhbz2233965-memory-leak.patch
+
--- a/_gdb.spec.patch.include
+++ b/_gdb.spec.patch.include
@ -46,3 +46,4 @@
 %patch -p1 -P046
 %patch -p1 -P047
 %patch -p1 -P048
+%patch -p1 -P049
--- a/1
+++ b/1
@ -46,3 +46,4 @@ gdb-bz2196395-debuginfod-legacy-openssl-crash.patch
 gdb-bz2237515-debuginfod-double-free.patch
 gdb-bz2237392-dwarf-obstack-allocation.patch
 gdb-rhbz2233961-CVE-2022-4806.patch
+gdb-rhbz2233965-memory-leak.patch
--- a/gdb-rhbz2233965-memory-leak.patch
+++ b/gdb-rhbz2233965-memory-leak.patch
@ -0,0 +1,115 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alexandra=20H=C3=A1jkov=C3=A1?= <ahajkova@redhat.com>
+Date: Sun, 1 Oct 2023 10:36:06 +0200
+Subject: gdb-rhbz2233965-memory-leak.patch
+
+;; Backport PR29925, Memory leak in find_abstract_instance
+
+PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file.  This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+	PR 29925
+	* dwarf2.c (find_abstract_instance): Delete "name" variable.
+	Free *filename_ptr before assigning new file name.
+	(scan_unit_for_symbols): Similarly free func->file and
+	var->file before assigning.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit,
+   struct abbrev_info *abbrev;
+   uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  const char *name = NULL;
+ 
+   if (recur_count == 100)
+     {
+@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_name:
+ 		  /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ 		     over DW_AT_name.  */
+-		  if (name == NULL && is_str_form (&attr))
+		  if (*pname == NULL && is_str_form (&attr))
+ 		    {
+-		      name = attr.u.str;
+		      *pname = attr.u.str;
+ 		      if (mangle_style (unit->lang) == 0)
+ 			*is_linkage = true;
+ 		    }
+@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_specification:
+ 		  if (is_int_form (&attr)
+ 		      && !find_abstract_instance (unit, &attr, recur_count + 1,
+-						  &name, is_linkage,
+						  pname, is_linkage,
+ 						  filename_ptr, linenumber_ptr))
+ 		    return false;
+ 		  break;
+@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ 		     non-string forms into these attributes.  */
+ 		  if (is_str_form (&attr))
+ 		    {
+-		      name = attr.u.str;
+		      *pname = attr.u.str;
+ 		      *is_linkage = true;
+ 		    }
+ 		  break;
+@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit,
+ 		  if (!comp_unit_maybe_decode_line_info (unit))
+ 		    return false;
+ 		  if (is_int_form (&attr))
+-		    *filename_ptr = concat_filename (unit->line_table,
+-						     attr.u.val);
+		    {
+		      free (*filename_ptr);
+		      *filename_ptr = concat_filename (unit->line_table,
+						       attr.u.val);
+		    }
+ 		  break;
+ 		case DW_AT_decl_line:
+ 		  if (is_int_form (&attr))
+@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit,
+ 	    }
+ 	}
+     }
+-  *pname = name;
+   return true;
+ }
+ 
+@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_decl_file:
+ 		  if (is_int_form (&attr))
+-		    func->file = concat_filename (unit->line_table,
+-						  attr.u.val);
+		    {
+		      free (func->file);
+		      func->file = concat_filename (unit->line_table,
+						    attr.u.val);
+		    }
+ 		  break;
+ 
+ 		case DW_AT_decl_line:
+@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_decl_file:
+ 		  if (is_int_form (&attr))
+-		    var->file = concat_filename (unit->line_table,
+-						 attr.u.val);
+		    {
+		      free (var->file);
+		      var->file = concat_filename (unit->line_table,
+						   attr.u.val);
+		    }
+ 		  break;
+ 
+ 		case DW_AT_decl_line:
--- a/gdb.spec
+++ b/gdb.spec
@ -57,7 +57,7 @@ Version: 13.2

 # The release always contains a leading reserved number, start it at 1.
 # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing.
-Release: 9%{?dist}
+Release: 10%{?dist}

 License: GPL-3.0-or-later AND BSD-3-clause AND FSFAP AND LGPL-2.1-or-later AND GPL-2.0-or-later AND LGPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain AND GFDL-1.3-or-later AND LGPL-2.0-or-later WITH GCC-exception-2.0 AND GPL-3.0-or-later WITH GCC-exception-3.1 AND GPL-2.0-or-later WITH GNU-compiler-exception
 # Do not provide URL for snapshots as the file lasts there only for 2 days.
@ -1252,6 +1252,10 @@ fi
 %endif

 %changelog
+* Sun Oct 1 2023 Alexandra Hájková <ahajkova@redhat.com> - 13.2-10
+- Backport upstream commit d28fbc7197b which fixes RHBZ 2233965 (
+  CVE-2022-48065).
+
 * Thu Sep 28 2023 Kevin Buettner <kevinb@redhat.com>
 - Remove gdb-6.5-sharedlibrary-path.patch, which was upstreamed in
  commit 3ec033fab4a.