From fec73092bb4319882628579f01491de5d9542d2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandra=20H=C3=A1jkov=C3=A1?=
Date: Sun, 1 Oct 2023 11:38:40 +0200
Subject: [PATCH] Backport upstream commit d28fbc7197b which fixes RHBZ 2233965 ( CVE-2022-48065).
---
 _gdb.spec.Patch.include | 3 +
 _gdb.spec.patch.include | 1 +
 _patch_order | 1 +
 gdb-rhbz2233965-memory-leak.patch | 115 ++++++++++++++++++++++++++++++
 gdb.spec | 6 +-
 5 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 gdb-rhbz2233965-memory-leak.patch
diff --git a/_gdb.spec.Patch.include b/_gdb.spec.Patch.include
index 3ad950e..c4e21fe 100644
--- a/_gdb.spec.Patch.include
+++ b/_gdb.spec.Patch.include
@@ -210,3 +210,6 @@ Patch047: gdb-bz2237392-dwarf-obstack-allocation.patch
 # avoids section size sanity check.
 Patch048: gdb-rhbz2233961-CVE-2022-4806.patch
+# Backport PR29925, Memory leak in find_abstract_instance
+Patch049: gdb-rhbz2233965-memory-leak.patch
+
diff --git a/_gdb.spec.patch.include b/_gdb.spec.patch.include
index ef55dd0..2ca0c1f 100644
--- a/_gdb.spec.patch.include
+++ b/_gdb.spec.patch.include
@@ -46,3 +46,4 @@
 %patch -p1 -P046
 %patch -p1 -P047
 %patch -p1 -P048
+%patch -p1 -P049
diff --git a/_patch_order b/_patch_order
index f8f4cf3..27ac848 100644
--- a/_patch_order
+++ b/_patch_order
@@ -46,3 +46,4 @@ gdb-bz2196395-debuginfod-legacy-openssl-crash.patch
 gdb-bz2237515-debuginfod-double-free.patch
 gdb-bz2237392-dwarf-obstack-allocation.patch
 gdb-rhbz2233961-CVE-2022-4806.patch
+gdb-rhbz2233965-memory-leak.patch
diff --git a/gdb-rhbz2233965-memory-leak.patch b/gdb-rhbz2233965-memory-leak.patch
new file mode 100644
index 0000000..004ba3b
--- /dev/null
+++ b/gdb-rhbz2233965-memory-leak.patch
@@ -0,0 +1,115 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alexandra=20H=C3=A1jkov=C3=A1?=
+Date: Sun, 1 Oct 2023 10:36:06 +0200
+Subject: gdb-rhbz2233965-memory-leak.patch
+
+;; Backport PR29925, Memory leak in find_abstract_instance
+
+PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file. This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+ PR 29925
+ * dwarf2.c (find_abstract_instance): Delete "name" variable.
+ Free *filename_ptr before assigning new file name.
+ (scan_unit_for_symbols): Similarly free func->file and
+ var->file before assigning.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit,
+ struct abbrev_info *abbrev;
+ uint64_t die_ref = attr_ptr->u.val;
+ struct attribute attr;
+- const char *name = NULL;
+
+ if (recur_count == 100)
+ {
+@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit,
+ case DW_AT_name:
+ /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ over DW_AT_name. */
+- if (name == NULL && is_str_form (&attr))
++ if (*pname == NULL && is_str_form (&attr))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ if (mangle_style (unit->lang) == 0)
+ *is_linkage = true;
+ }
+@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit,
+ case DW_AT_specification:
+ if (is_int_form (&attr)
+ && !find_abstract_instance (unit, &attr, recur_count + 1,
+- &name, is_linkage,
++ pname, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return false;
+ break;
+@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit,
+ non-string forms into these attributes. */
+ if (is_str_form (&attr))
+ {
+- name = attr.u.str;
++ *pname = attr.u.str;
+ *is_linkage = true;
+ }
+ break;
+@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit,
+ if (!comp_unit_maybe_decode_line_info (unit))
+ return false;
+ if (is_int_form (&attr))
+- *filename_ptr = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (*filename_ptr);
++ *filename_ptr = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+ case DW_AT_decl_line:
+ if (is_int_form (&attr))
+@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit,
+ }
+ }
+ }
+- *pname = name;
+ return true;
+ }
+
+@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_decl_file:
+ if (is_int_form (&attr))
+- func->file = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (func->file);
++ func->file = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+
+ case DW_AT_decl_line:
+@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_decl_file:
+ if (is_int_form (&attr))
+- var->file = concat_filename (unit->line_table,
+- attr.u.val);
++ {
++ free (var->file);
++ var->file = concat_filename (unit->line_table,
++ attr.u.val);
++ }
+ break;
+
+ case DW_AT_decl_line:
diff --git a/gdb.spec b/gdb.spec
index 527cd6e..0a572db 100644
--- a/gdb.spec
+++ b/gdb.spec
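Review bot: With the local `name` deleted, find_abstract_instance now reads its output slots before writing them — the DW_AT_name case tests `*pname == NULL` where the local used to guarantee a NULL start, and the DW_AT_decl_file case calls `free (*filename_ptr)` before assigning — so the function acquires a precondition that every caller passes `*pname` and `*filename_ptr` either NULL-initialised or holding a value set by an earlier call, with `*filename_ptr` heap-owned; otherwise the name test misfires or free() runs on an indeterminate or non-heap pointer. The call sites are outside this patch, so whether each one zero-initialises these slots cannot be confirmed from here, and the same ownership assumption applies to `free (func->file)` and `free (var->file)` in the two scan_unit_for_symbols hunks. The function's header comment is also outside the hunk; I would state the contract there: `/* *PNAME and *FILENAME_PTR are in/out: the caller must initialise both (NULL, or a value set by an earlier call); *FILENAME_PTR must be NULL or malloc'd, as it is freed here before being replaced.  */`. find_abstract_instance and scan_unit_for_symbols both begin and end outside the hunks shown.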
@@ -57,7 +57,7 @@ Version: 13.2
 # The release always contains a leading reserved number, start it at 1.
 # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing.
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPL-3.0-or-later AND BSD-3-clause AND FSFAP AND LGPL-2.1-or-later AND GPL-2.0-or-later AND LGPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain AND GFDL-1.3-or-later AND LGPL-2.0-or-later WITH GCC-exception-2.0 AND GPL-3.0-or-later WITH GCC-exception-3.1 AND GPL-2.0-or-later WITH GNU-compiler-exception
 # Do not provide URL for snapshots as the file lasts there only for 2 days.
@@ -1252,6 +1252,10 @@ fi
 %endif
 %changelog
+* Sun Oct 1 2023 Alexandra Hájková - 13.2-10
+- Backport upstream commit d28fbc7197b which fixes RHBZ 2233965 (
+ CVE-2022-48065).
+
 * Thu Sep 28 2023 Kevin Buettner
 - Remove gdb-6.5-sharedlibrary-path.patch, which was upstreamed in commit 3ec033fab4a.