Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT. https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Summary: This fix provided by 9ca499644a21ceb3f946d1c179c38a83be084490 does not affect GDB. (See analysis below.) Therefore, I'm closing this as NOTABUG (for GDB).

Analysis: Commit 9ca499644a21ceb3f946d1c179c38a83be084490 from H.J. Lu changes the return type of elf_swap_shdr_in from void to bool. A return statement has been added to the end of the function so that it'll return true if it gets that far. The critical part is this hunk:

@@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd, { _bfd_error_handler (_("warning: %pB has a section " "extending past end of file"), abfd); + /* PR ld/33457: Don't match corrupt section header. */ + if (abfd->is_linker_input) + return false; abfd->read_only = 1; } }

The added lines are in a block which will execute when an invalid section size has been detected by bfd. However, and this is the important part, a false value is returned only when abfd->is_linker_input is non-zero (true). A search of the sources shows that this field is set to 1 in ld/ldlang.c and ld/ldfile.c, i.e. in the linker. This field is never set by GDB (because it's not a linker). So, for GDB, false cannot be returned by elf_swap_shdr_in.

H.J.'s patch also changes elf_object_p which, via some macro magic, ends up being named bfd_elf64_object_p and bfd_elf32_object_p. These are H.J.'s changes for elf_object_p:

@@ -642,9 +646,9 @@ elf_object_p (bfd *abfd) /* Read the first section header at index 0, and convert to internal form. */ - if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) + if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) + || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr)) goto got_no_match; - elf_swap_shdr_in (abfd, &x_shdr, &i_shdr); /* If the section count is zero, the actual count is in the first section header. */

@@ -730,9 +734,9 @@ elf_object_p (bfd *abfd) to internal form. */ for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++) { - if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) + if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) + || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex)) goto got_no_match; - elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex); /* Sanity check sh_link and sh_info. */ if (i_shdrp[shindex].sh_link >= num_sec)

Since the return type of elf_swap_shdr_in has been changed from void to bool, it is now used to check for failure along with the call to bfd_read(). For GDB, since elf_swap_shdr_in failure cannot occur, the order of execution is the same as it was before this patch was introduced.

H.J.'s commit log says:

elf: Don't match corrupt section header in linker input

Don't swap in nor match corrupt section header in linker input to avoid linker crash later.

It clearly states that the bug being fixed is for the linker. Could there be a similar bug in GDB? Perhaps, but that would need to be demonstrated and then fixed in some other manner. The point is that H.J.'s linker fix doesn't affect GDB. As such, there's no point in back-porting it for GDB.
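Review bot: in the elf_swap_shdr_in hunk, the new `return false;` sits before `abfd->read_only = 1;`, so a linker input with a section extending past end of file is rejected without ever being marked read-only; that is the intended result because the elf_object_p callers now jump to got_no_match on false, but for any reader that does not set is_linker_input the code still falls through to `abfd->read_only = 1;` and returns true, so the oversized section is accepted exactly as it was before the change. The `return true` that the summary says was added at the end of the function is not among the three added lines of this hunk, so it must live in another hunk of the same commit.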
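Review bot: in both elf_object_p hunks the `||` short-circuits, so elf_swap_shdr_in is still only reached after bfd_read has returned a full header, and the removed stand-alone call on the following line is the same call moved into the condition; no header is swapped twice or skipped, and the only behavioural difference is that a false result now takes the got_no_match path instead of continuing with a partially validated header.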