+++ /dev/null
-From 6ad3791f095cfc1b0294f62c4b3a524ba735595e Mon Sep 17 00:00:00 2001
-From: Sandra Loosemore <sandra@codesourcery.com>
-Date: Thu, 25 Apr 2019 07:27:02 -0700
-Subject: [PATCH] Detect invalid length field in debug frame FDE header.
-
-GDB was failing to catch cases where a corrupt ELF or core file
-contained an invalid length value in a Dwarf debug frame FDE header.
-It was checking for buffer overflow but not cases where the length was
-negative or caused pointer wrap-around.
-
-In addition to the additional validity check, this patch cleans up the
-multiple signed/unsigned conversions on the length field so that an
-unsigned representation is used consistently throughout.
-
-This patch fixes CVE-2017-9778 and PR gdb/21600.
-
-2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
- Kang Li <kanglictf@gmail.com>
-
- PR gdb/21600
-
- * dwarf2-frame.c (read_initial_length): Be consistent about using
- unsigned representation of length.
- (decode_frame_entry_1): Likewise. Check for wraparound of
- end pointer as well as buffer overflow.
-
-Upstream-Status: Backport
-CVE: CVE-2017-9778
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- gdb/ChangeLog | 10 ++++++++++
- gdb/dwarf2-frame.c | 14 +++++++-------
- 2 files changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/gdb/ChangeLog b/gdb/ChangeLog
-index 1c125de..d028d2b 100644
---- a/gdb/ChangeLog
-+++ b/gdb/ChangeLog
-@@ -1,3 +1,13 @@
-+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
-+ Kang Li <kanglictf@gmail.com>
-+
-+ PR gdb/21600
-+
-+ * dwarf2-frame.c (read_initial_length): Be consistent about using
-+ unsigned representation of length.
-+ (decode_frame_entry_1): Likewise. Check for wraparound of
-+ end pointer as well as buffer overflow.
-+
- 2019-05-11 Joel Brobecker <brobecker@adacore.com>
-
- * version.in: Set GDB version number to 8.3.
-diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
-index 178ac44..dc5d3b3 100644
---- a/gdb/dwarf2-frame.c
-+++ b/gdb/dwarf2-frame.c
-@@ -1488,7 +1488,7 @@ static ULONGEST
- read_initial_length (bfd *abfd, const gdb_byte *buf,
- unsigned int *bytes_read_ptr)
- {
-- LONGEST result;
-+ ULONGEST result;
-
- result = bfd_get_32 (abfd, buf);
- if (result == 0xffffffff)
-@@ -1789,7 +1789,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
- {
- struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
- const gdb_byte *buf, *end;
-- LONGEST length;
-+ ULONGEST length;
- unsigned int bytes_read;
- int dwarf64_p;
- ULONGEST cie_id;
-@@ -1800,15 +1800,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
- buf = start;
- length = read_initial_length (unit->abfd, buf, &bytes_read);
- buf += bytes_read;
-- end = buf + length;
--
-- /* Are we still within the section? */
-- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
-- return NULL;
-+ end = buf + (size_t) length;
-
- if (length == 0)
- return end;
-
-+ /* Are we still within the section? */
-+ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
-+ return NULL;
-+
- /* Distinguish between 32 and 64-bit encoded frame info. */
- dwarf64_p = (bytes_read == 12);
-
---
-2.20.1
-
