GDB是一个用来调试C和C++程序的强力调试器。
GDB的DWARF和DWARF2代码中存在多个缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
DWARF规范允许使用包含有操作列表的位置描述块确定一些调试符的最终真实地址。GDB在一个未经检查的64字节栈缓冲区执行这些操作,这就允许任何包含有多于64个操作的位置块(DW_FORM_block)使用用户数据覆盖当前的栈帧。dwarfread.c和dwarfread2.c中都存在这个问题。
GNU GDB 6.0 - 6.4
* 不要使用GDB调试可能包含有DWARF(2)调试信息的不可信任文件。
厂商补丁:
GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题:
==== begin patch ====
diff -Naur gdb-6.5.orig/gdb/dwarf2read.c gdb-6.5/gdb/dwarf2read.c
--- gdb-6.5.orig/gdb/dwarf2read.c 2006-05-13 16:46:38.000000000 +0100
+++ gdb-6.5/gdb/dwarf2read.c 2006-08-14 21:37:33.000000000 +0100
@@ -8855,6 +8855,17 @@
dwarf_stack_op_name (op));
return (stack[stacki]);
}
+
+ /* Enforce maximum stack depth of 63 to avoid ++stacki writing
+ outside of the given size. Also enforce minimum > 0.
+ -- wad@google.com 14 Aug 2006 */
+ if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+ internal_error (__FILE__, __LINE__,
+ _("location description stack too deep: %d"),
+ stacki);
+ if (stacki <= 0)
+ internal_error (__FILE__, __LINE__,
+ _("location description stack too shallow"));
}
return (stack[stacki]);
}
diff -Naur gdb-6.5.orig/gdb/dwarfread.c gdb-6.5/gdb/dwarfread.c
--- gdb-6.5.orig/gdb/dwarfread.c 2005-12-17 22:33:59.000000000 +0000
+++ gdb-6.5/gdb/dwarfread.c 2006-08-14 21:37:30.000000000 +0100
@@ -2224,6 +2224,17 @@
stacki--;
break;
}
+
+ /* Enforce maximum stack depth of 63 to avoid ++stacki writing
+ outside of the given size. Also enforce minimum > 0.
+ -- wad@google.com 14 Aug 2006 */
+ if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+ internal_error (__FILE__, __LINE__,
+ _("location description stack too deep: %d"),
+ stacki);
+ if (stacki <= 0)
+ internal_error (__FILE__, __LINE__,
+ _("location description stack too shallow"));
}
return (stack[stacki]);
}
==== end patch ====