diff --git a/backport-0001-CVE-2021-32256.patch b/backport-0001-CVE-2021-32256.patch new file mode 100644 index 0000000000000000000000000000000000000000..6544ac6bf22842c9b805f440b217b38b5561d879 --- /dev/null +++ b/backport-0001-CVE-2021-32256.patch @@ -0,0 +1,127 @@ +From f10f8617a302f45dae721eae0cd659911f03d864 Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 31 Jan 2022 14:36:31 +0000 +Subject: [PATCH] Import patch from mainline GCC to fix an infinite recusion in + the Rust demangler. + + PR 98886 + PR 99935 + * rust-demangle.c (struct rust_demangler): Add a recursion + counter. + (demangle_path): Increment/decrement the recursion counter upon + entry and exit. Fail if the counter exceeds a fixed limit. + (demangle_type): Likewise. + (rust_demangle_callback): Initialise the recursion counter, + disabling if requested by the option flags. + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f10f8617a302f45dae721eae0cd659911f03d864 +Conflict:Remove libiberty/ChangeLog +--- + libiberty/ChangeLog | 12 ++++++++++ + libiberty/rust-demangle.c | 47 ++++++++++++++++++++++++++++++++++----- + 2 files changed, 53 insertions(+), 6 deletions(-) + +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c +index 18c760491bd..3b24d63892a 100644 +--- a/libiberty/rust-demangle.c ++++ b/libiberty/rust-demangle.c +@@ -74,6 +74,12 @@ struct rust_demangler + /* Rust mangling version, with legacy mangling being -1. */ + int version; + ++ /* Recursion depth. */ ++ unsigned int recursion; ++ /* Maximum number of times demangle_path may be called recursively. */ ++#define RUST_MAX_RECURSION_COUNT 1024 ++#define RUST_NO_RECURSION_LIMIT ((unsigned int) -1) ++ + uint64_t bound_lifetime_depth; + }; + +@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rdm, int in_value) + if (rdm->errored) + return; + ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ { ++ ++ rdm->recursion; ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) ++ /* FIXME: There ought to be a way to report ++ that the recursion limit has been reached. */ ++ goto fail_return; ++ } ++ + switch (tag = next (rdm)) + { + case 'C': +@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rdm, int in_value) + case 'N': + ns = next (rdm); + if (!ISLOWER (ns) && !ISUPPER (ns)) +- { +- rdm->errored = 1; +- return; +- } ++ goto fail_return; + + demangle_path (rdm, in_value); + +@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rdm, int in_value) + } + break; + default: +- rdm->errored = 1; +- return; ++ goto fail_return; + } ++ goto pass_return; ++ ++ fail_return: ++ rdm->errored = 1; ++ pass_return: ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ -- rdm->recursion; + } + + static void +@@ -870,6 +888,19 @@ demangle_type (struct rust_demangler *rdm) + return; + } + ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ { ++ ++ rdm->recursion; ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) ++ /* FIXME: There ought to be a way to report ++ that the recursion limit has been reached. */ ++ { ++ rdm->errored = 1; ++ -- rdm->recursion; ++ return; ++ } ++ } ++ + switch (tag) + { + case 'R': +@@ -1030,6 +1061,9 @@ demangle_type (struct rust_demangler *rdm) + rdm->next--; + demangle_path (rdm, 0); + } ++ ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ -- rdm->recursion; + } + + /* A trait in a trait object may have some "existential projections" +@@ -1320,6 +1354,7 @@ rust_demangle_callback (const char *mangled, int options, + rdm.skipping_printing = 0; + rdm.verbose = (options & DMGL_VERBOSE) != 0; + rdm.version = 0; ++ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? RUST_NO_RECURSION_LIMIT : 0; + rdm.bound_lifetime_depth = 0; + + /* Rust symbols always start with _R (v0) or _ZN (legacy). */ +-- +2.43.0 + diff --git a/backport-0002-CVE-2021-32256.patch b/backport-0002-CVE-2021-32256.patch new file mode 100644 index 0000000000000000000000000000000000000000..8fc11b65cbdcacefb45df2d0d05912c86ed95d69 --- /dev/null +++ b/backport-0002-CVE-2021-32256.patch @@ -0,0 +1,147 @@ +From d8efadbdd94772562fed8fba9ce553587a62550f Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 4 Jul 2022 13:57:12 +0100 +Subject: [PATCH] Synchronize libbierty sources with gcc. + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8efadbdd94772562fed8fba9ce553587a62550f +Conflict:Remove ChangeLog libiberty/ChangeLog +--- + ChangeLog | 13 ++++ + libiberty/ChangeLog | 146 ++++++++++++++++++++++++++++++++++++-- + libiberty/configure | 1 + + libiberty/configure.ac | 1 + + libiberty/rust-demangle.c | 46 +++++++++--- + 5 files changed, 192 insertions(+), 15 deletions(-) + +diff --git a/libiberty/configure b/libiberty/configure +index e09ddd91e58..306c07bd37e 100755 +--- a/libiberty/configure ++++ b/libiberty/configure +@@ -2461,6 +2461,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + ++ + # This works around the fact that libtool configuration may change LD + # for this particular configuration, but some shells, instead of + # keeping the changes in LD private, export them just because LD is +diff --git a/libiberty/configure.ac b/libiberty/configure.ac +index f59f35e1f20..6c1ff9c6093 100644 +--- a/libiberty/configure.ac ++++ b/libiberty/configure.ac +@@ -2,6 +2,7 @@ dnl Process this file with autoconf to produce a configure script + + AC_INIT + AC_CONFIG_SRCDIR([xmalloc.c]) ++AC_CONFIG_MACRO_DIRS([../config]) + + # This works around the fact that libtool configuration may change LD + # for this particular configuration, but some shells, instead of +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c +index bb58d900e27..d6daf23af27 100644 +--- a/libiberty/rust-demangle.c ++++ b/libiberty/rust-demangle.c +@@ -126,7 +126,7 @@ parse_integer_62 (struct rust_demangler *rdm) + return 0; + + x = 0; +- while (!eat (rdm, '_')) ++ while (!eat (rdm, '_') && !rdm->errored) + { + c = next (rdm); + x *= 62; +@@ -1082,6 +1082,18 @@ demangle_path_maybe_open_generics (struct rust_demangler *rdm) + if (rdm->errored) + return open; + ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ { ++ ++ rdm->recursion; ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) ++ { ++ /* FIXME: There ought to be a way to report ++ that the recursion limit has been reached. */ ++ rdm->errored = 1; ++ goto end_of_func; ++ } ++ } ++ + if (eat (rdm, 'B')) + { + backref = parse_integer_62 (rdm); +@@ -1107,6 +1119,11 @@ demangle_path_maybe_open_generics (struct rust_demangler *rdm) + } + else + demangle_path (rdm, 0); ++ ++ end_of_func: ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ -- rdm->recursion; ++ + return open; + } + +@@ -1148,6 +1165,15 @@ demangle_const (struct rust_demangler *rdm) + if (rdm->errored) + return; + ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ { ++ ++ rdm->recursion; ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) ++ /* FIXME: There ought to be a way to report ++ that the recursion limit has been reached. */ ++ goto fail_return; ++ } ++ + if (eat (rdm, 'B')) + { + backref = parse_integer_62 (rdm); +@@ -1158,7 +1184,7 @@ demangle_const (struct rust_demangler *rdm) + demangle_const (rdm); + rdm->next = old_next; + } +- return; ++ goto pass_return; + } + + ty_tag = next (rdm); +@@ -1167,7 +1193,7 @@ demangle_const (struct rust_demangler *rdm) + /* Placeholder. */ + case 'p': + PRINT ("_"); +- return; ++ goto pass_return; + + /* Unsigned integer types. */ + case 'h': +@@ -1200,18 +1226,20 @@ demangle_const (struct rust_demangler *rdm) + break; + + default: +- rdm->errored = 1; +- return; ++ goto fail_return; + } + +- if (rdm->errored) +- return; +- +- if (rdm->verbose) ++ if (!rdm->errored && rdm->verbose) + { + PRINT (": "); + PRINT (basic_type (ty_tag)); + } ++ ++ fail_return: ++ rdm->errored = 1; ++ pass_return: ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ -- rdm->recursion; + } + + static void +-- +2.43.0 + diff --git a/backport-0003-CVE-2021-32256.patch b/backport-0003-CVE-2021-32256.patch new file mode 100644 index 0000000000000000000000000000000000000000..02d7bad64aed6837bb9695021f62277ed77a22d3 --- /dev/null +++ b/backport-0003-CVE-2021-32256.patch @@ -0,0 +1,26 @@ +From 96c33f79ded357e871c43af04238dfdedebac86c Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 4 Jul 2022 16:28:02 +0100 +Subject: [PATCH] Fix snafu in rust demangler recursion limit code + +Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=96c33f79ded357e871c43af04238dfdedebac86c +Conflict:NA +--- + libiberty/rust-demangle.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c +index d6daf23af27..8dfeeac2a4f 100644 +--- a/libiberty/rust-demangle.c ++++ b/libiberty/rust-demangle.c +@@ -1234,6 +1234,7 @@ demangle_const (struct rust_demangler *rdm) + PRINT (": "); + PRINT (basic_type (ty_tag)); + } ++ goto pass_return; + + fail_return: + rdm->errored = 1; +-- +2.43.0 + diff --git a/gdb.spec b/gdb.spec index 716d694c584e52164698e6b575867183446c3826..3ac5bd1d723ac191f126ed78ec616eae86122f09 100644 --- a/gdb.spec +++ b/gdb.spec @@ -1,6 +1,6 @@ Name: gdb Version: 11.1 -Release: 12 +Release: 13 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL-1.3 Source: ftp://sourceware.org/pub/gdb/releases/gdb-%{version}.tar.xz @@ -109,6 +109,9 @@ Patch90: backport-CVE-2023-39130.patch Patch91: backport-CVE-2022-48064.patch Patch92: backport-CVE-2025-11082.patch Patch93: backport-CVE-2025-11494.patch +Patch94: backport-0001-CVE-2021-32256.patch +Patch95: backport-0002-CVE-2021-32256.patch +Patch96: backport-0003-CVE-2021-32256.patch %global gdb_src gdb-%{version} %global gdb_build build-%{_target_platform} @@ -385,6 +388,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/gdb/python/gdb/command/backtrace.py %{_infodir}/gdb.info* %changelog +* Thu Oct 23 2025 wangxiao - 11.1-13 +- fix CVE-2021-32256 + * Fri Oct 10 2025 Deyuan Fan - 11.1-12 - fix CVE-2025-11494