Patch gdb to fix CVE-2022-48064 and CVE-2022-48065 [Medium] (#13261)

(cherry picked from commit e749bf4)

Author: jslobodzian

SPECS/gdb/CVE-2022-48064.patch

@@ -0,0 +1,51 @@
+From 8f2c64de86bc3d7556121fe296dd679000283931 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 20 Dec 2022 23:47:03 +1030
+Subject: [PATCH] PR29922, SHT_NOBITS section avoids section size sanity check
+
+	PR 29922
+	* dwarf2.c (find_debug_info): Ignore sections without
+	SEC_HAS_CONTENTS.
+---
+ bfd/dwarf2.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 95f45708e9d..0cd8152ee6e 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4831,16 +4831,19 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+     {
+       look = debug_sections[debug_info].uncompressed_name;
+       msec = bfd_get_section_by_name (abfd, look);
+-      if (msec != NULL)
++      /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure.  Of
++	 course debug sections always have contents.  */
++      if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+ 	return msec;
+
+       look = debug_sections[debug_info].compressed_name;
+       msec = bfd_get_section_by_name (abfd, look);
+-      if (msec != NULL)
++      if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0)
+         return msec;
+
+       for (msec = abfd->sections; msec != NULL; msec = msec->next)
+-	if (startswith (msec->name, GNU_LINKONCE_INFO))
++	if ((msec->flags & SEC_HAS_CONTENTS) != 0
++	    && startswith (msec->name, GNU_LINKONCE_INFO))
+ 	  return msec;
+
+       return NULL;
+@@ -4848,6 +4851,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections,
+
+   for (msec = after_sec->next; msec != NULL; msec = msec->next)
+     {
++      if ((msec->flags & SEC_HAS_CONTENTS) == 0)
++	continue;
++
+       look = debug_sections[debug_info].uncompressed_name;
+       if (strcmp (msec->name, look) == 0)
+ 	return msec;
+-- 
+2.43.5

SPECS/gdb/CVE-2022-48065.patch

@@ -0,0 +1,101 @@
+From 4dbabcbb6bb82fc71ee411d6a8b81918d775a0b5 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 21 Dec 2022 21:40:12 +1030
+Subject: [PATCH] PR29925, Memory leak in find_abstract_instance
+
+The testcase in the PR had a variable with both DW_AT_decl_file and
+DW_AT_specification, where the DW_AT_specification also specified
+DW_AT_decl_file.  This leads to a memory leak as the file name is
+malloced and duplicates are not expected.
+
+I've also changed find_abstract_instance to not use a temp for "name",
+because that can result in a change in behaviour from the usual last
+of duplicate attributes wins.
+
+	PR 29925
+	* dwarf2.c (find_abstract_instance): Delete "name" variable.
+	Free *filename_ptr before assigning new file name.
+	(scan_unit_for_symbols): Similarly free func->file and
+	var->file before assigning.
+
+Modified patch <d28fbc7197ba0e021a43f873eff90b05dcdcff6a> to apply to AzureLinux: Added required free statements based on code.
+Modified-by: Sandeep Karambelkar <skarambelkar@microsoft.com>
+---
+ bfd/dwarf2.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 83ca8a3..414c2d2 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2873,7 +2873,6 @@ find_abstract_instance (struct comp_unit *unit,
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  const char *name = NULL;
+
+   if (recur_count == 100)
+     {
+@@ -3038,16 +3037,16 @@ find_abstract_instance (struct comp_unit *unit,
+ 		case DW_AT_name:
+ 		  /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name
+ 		     over DW_AT_name.  */
+-		  if (name == NULL && is_str_attr (attr.form))
++		  if (*pname == NULL && is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      if (non_mangled (unit->lang))
+ 			*is_linkage = true;
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+ 		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+-					       &name, is_linkage,
++					       pname, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return false;
+ 		  break;
+@@ -3057,13 +3056,14 @@ find_abstract_instance (struct comp_unit *unit,
+ 		     non-string forms into these attributes.  */
+ 		  if (is_str_attr (attr.form))
+ 		    {
+-		      name = attr.u.str;
++		      *pname = attr.u.str;
+ 		      *is_linkage = true;
+ 		    }
+ 		  break;
+ 		case DW_AT_decl_file:
+ 		  if (!comp_unit_maybe_decode_line_info (unit))
+ 		    return false;
++		  free (*filename_ptr);
+ 		  *filename_ptr = concat_filename (unit->line_table,
+ 						   attr.u.val);
+ 		  break;
+@@ -3076,7 +3076,6 @@ find_abstract_instance (struct comp_unit *unit,
+ 	    }
+ 	}
+     }
+-  *pname = name;
+   return true;
+ }
+
+@@ -3510,6 +3509,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 		  break;
+
+ 		case DW_AT_decl_file:
++		  free (func->file);
+ 		  func->file = concat_filename (unit->line_table,
+ 						attr.u.val);
+ 		  break;
+@@ -3559,6 +3559,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 		  break;
+
+ 		case DW_AT_decl_file:
++		  free (var->file);
+ 		  var->file = concat_filename (unit->line_table,
+ 					       attr.u.val);
+ 		  break;
+-- 
+2.45.2
+

SPECS/gdb/gdb.spec

@@ -1,7 +1,7 @@
 Summary:        C debugger
 Name:           gdb
 Version:        11.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,8 @@ Patch1:         CVE-2023-39129.patch
 Patch2:         CVE-2023-39130.patch
 Patch3:         CVE-2025-1176.patch
 Patch4:         CVE-2025-1182.patch
+Patch5:         CVE-2022-48064.patch
+Patch6:         CVE-2022-48065.patch
 BuildRequires:  expat-devel
 BuildRequires:  gcc-c++
 BuildRequires:  gcc-gfortran
@@ -93,6 +95,9 @@ rm -f $(dirname $(gcc -print-libgcc-file-name))/../specs
 %{_mandir}/*/*
 
 %changelog
+* Thu Apr 03 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 11.2-5
+- Fix CVE-2022-48064, CVE-2022-48065
+
 * Thu Feb 13 2025 Ankita Pareek <ankitapareek@microsoft.com> - 11.2-4
 - Address CVE-2025-1176 and CVE-2025-1182