import gdb-10.2-11.el9

SOURCES/_gdb.spec.Patch.include

@@ -463,3 +463,19 @@ Patch111: gdb-rhbz1870017-p10-plt-prologue-skipping.patch
 # (Simon Marchi, RHBZ 2086761)
 Patch112: gdb-rhbz2086761-unknown-cfa-rule.patch
 
+# Backport "Fix assertion failure in copy_type"
+# (Tom Tromey, RHBZ2155439)
+Patch113: gdb-rhbz2155439-assert-failure-copy_type.patch
+
+# Backport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp"
+# (Tom de Vries)
+Patch114: gdb-fix-gdb.base-printcmds-s390x-regressions.patch
+
+# Backport "[gdb/breakpoint] Fix assert in jit_event_handler"
+# (Tom de Vries, RHBZ2130624)
+Patch115: gdb-rhbz-2130624-assert_in_jit_event_handler.patch
+
+# Backport libiberty: prevent buffer overflow when decoding user input
+# (Luís Ferreira, RHBZ2132600)
+Patch116: libiberty-rhbz-2132600-prevent-buffer-overflow.patch
+

SOURCES/_gdb.spec.patch.include

@@ -110,3 +110,7 @@
 %patch110 -p1
 %patch111 -p1
 %patch112 -p1
+%patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1

SOURCES/gdb-fix-gdb.base-printcmds-s390x-regressions.patch

@@ -0,0 +1,71 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Tom de Vries <tdevries@suse.de>
+Date: Mon, 12 Dec 2022 15:21:33 +0100
+Subject: gdb-fix-gdb.base-printcmds-s390x-regressions.patch
+
+;; Backport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp"
+;; (Tom de Vries)
+
+On s390x-linux, I run into:
+...
+(gdb) print {unsigned char}{65}^M
+$749 = 0 '\000'^M
+(gdb) FAIL: gdb.base/printcmds.exp: print {unsigned char}{65}
+...
+
+In contrast, on x86_64-linux, we have:
+...
+(gdb) print {unsigned char}{65}^M
+$749 = 65 'A'^M
+(gdb) PASS: gdb.base/printcmds.exp: print {unsigned char}{65}
+...
+
+The first problem here is that the test is supposed to be a regression test
+for PR20630, which can be reproduced (for an unfixed gdb) like this:
+...
+(gdb) p {unsigned char[]}{0x17}
+gdbtypes.c:4641: internal-error: copy_type: \
+  Assertion `TYPE_OBJFILE_OWNED (type)' failed.
+...
+but it's not due to insufficient quoting (note the dropped '[]').
+
+That's easy to fix, but after that we have on s390 (big endian):
+...
+(gdb) print {unsigned char[]}{65}^M
+$749 = ""^M
+...
+and on x86_64 (little endian):
+...
+(gdb) print {unsigned char[]}{65}^M
+$749 = "A"^M
+...
+
+Fix this by using 0xffffffff, such that in both cases we have:
+...
+(gdb) print {unsigned char[]}{0xffffffff}^M
+$749 = "\377\377\377\377"^M
+...
+
+Tested on x86_64-linux and s390x-linux.
+
+diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp
+--- a/gdb/testsuite/gdb.base/printcmds.exp
++++ b/gdb/testsuite/gdb.base/printcmds.exp
+@@ -717,6 +717,7 @@ proc test_print_string_constants {} {
+ }
+ 
+ proc test_print_array_constants {} {
++    global hex
+ 
+     if [target_info exists gdb,cannot_call_functions] {
+ 	unsupported "this target can not call functions"
+@@ -735,7 +736,8 @@ proc test_print_array_constants {} {
+     gdb_test "print *&{4,5,6}\[1\]"	"Attempt to take address of value not located in memory."
+ 
+     # This used to cause a crash.
+-    gdb_test "print {unsigned char[]}{65}" " = 65 'A'"
++    set val [string_to_regexp {"\377\377\377\377"}]
++    gdb_test "print {unsigned char\[\]}{0xffffffff}" " = $val"
+ }
+ 
+ proc test_print_enums {} {

SOURCES/gdb-rhbz-2130624-assert_in_jit_event_handler.patch

@@ -0,0 +1,115 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Tom de Vries <tdevries@suse.de>
+Date: Fri, 21 May 2021 15:09:14 +0200
+Subject: gdb-rhbz-2130624-assert_in_jit_event_handler.patch
+
+;; Backport "[gdb/breakpoint] Fix assert in jit_event_handler"
+;; (Tom de Vries, RHBZ2130624)
+
+Consider a minimal test-case test.c:
+...
+int main (void) { return 0; }
+...
+which we can compile into llvm byte code using clang:
+...
+$ clang -g -S -emit-llvm --target=x86_64-unknown-unknown-elf test.c
+...
+and then run using lli, which uses the llvm jit:
+...
+$ lli test.ll
+...
+
+If we run this under gdb, we run into an assert:
+...
+$ gdb -q -batch -ex run --args /usr/bin/lli test.ll
+Dwarf Error: Cannot not find DIE at 0x18a936e7 \
+  [from module libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug]
+
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+src/gdb/jit.c:1178: internal-error: \
+  void jit_event_handler(gdbarch*, objfile*): \
+  Assertion `jiter->jiter_data != nullptr' failed.
+...
+
+This is caused by the following.
+
+When running jit_breakpoint_re_set_internal, we first handle
+libLLVM.so.10.debug, and set a jit breakpoint.
+
+Next we handle libLLVM.so.10:
+...
+(gdb) p the_objfile.original_name
+$42 = 0x2494170 "libLLVM.so.10"
+...
+but the minimal symbols we find are from libLLVM.so.10.debug:
+...
+(gdb) p reg_symbol.objfile.original_name
+$43 = 0x38e7c50 "libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug"
+(gdb) p desc_symbol.objfile.original_name
+$44 = 0x38e7c50 "libLLVM.so.10-10.0.1-lp152.30.4.x86_64.debug"
+...
+and consequently, the objf_data is the one from libLLVM.so.10.debug:
+...
+      jiter_objfile_data *objf_data
+        = get_jiter_objfile_data (reg_symbol.objfile);
+...
+and so we hit this:
+...
+      if (objf_data->cached_code_address == addr)
+        continue;
+...
+and no second jit breakpoint is inserted.
+
+Subsequently, the jit breakpoint is triggered and handled, but when finding
+the symbol for the breakpoint address we get:
+...
+(gdb) p jit_bp_sym.objfile.original_name
+$52 = 0x2494170 "libLLVM.so.10"
+...
+
+The assert 'jiter->jiter_data != nullptr' triggers because it checks
+libLLVM.so.10 while the one with jiter_data setup is libLLVM.so.10.debug.
+
+This fixes the assert:
+...
+       jiter_objfile_data *objf_data
+-        = get_jiter_objfile_data (reg_symbol.objfile);
+-        = get_jiter_objfile_data (the_objfile);
+...
+but consequently we'll have two jit breakpoints, so we also make sure we don't
+set a jit breakpoint on separate debug objects like libLLVM.so.10.debug.
+
+Tested on x86_64-linux.
+
+gdb/ChangeLog:
+
+2021-05-21  Tom de Vries  <tdevries@suse.de>
+
+	PR breakpoint/27889
+	* jit.c (jit_breakpoint_re_set_internal): Skip separate debug
+	objects.  Call get_jiter_objfile_data with the_objfile.
+
+diff --git a/gdb/jit.c b/gdb/jit.c
+--- a/gdb/jit.c
++++ b/gdb/jit.c
+@@ -893,6 +893,10 @@ jit_breakpoint_re_set_internal (struct gdbarch *gdbarch, program_space *pspace)
+ {
+   for (objfile *the_objfile : pspace->objfiles ())
+     {
++      /* Skip separate debug objects.  */
++      if (the_objfile->separate_debug_objfile_backlink != nullptr)
++	continue;
++
+       if (the_objfile->skip_jit_symbol_lookup)
+ 	continue;
+ 
+@@ -919,7 +923,7 @@ jit_breakpoint_re_set_internal (struct gdbarch *gdbarch, program_space *pspace)
+ 	}
+ 
+       jiter_objfile_data *objf_data
+-	= get_jiter_objfile_data (reg_symbol.objfile);
++	= get_jiter_objfile_data (the_objfile);
+       objf_data->register_code = reg_symbol.minsym;
+       objf_data->descriptor = desc_symbol.minsym;
+ 

SOURCES/gdb-rhbz2155439-assert-failure-copy_type.patch

@@ -0,0 +1,73 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: Bruno Larsen <blarsen@redhat.com>
+Date: Wed, 22 Mar 2023 15:48:00 +0100
+Subject: gdb-rhbz2155439-assert-failure-copy_type.patch
+
+;; Backport "Fix assertion failure in copy_type"
+;; (Tom Tromey, RHBZ2155439)
+
+PR exp/20630 points out a simple way to cause an assertion failure in
+copy_type -- but this was found in the wild a few times as well.
+
+copy_type only works for objfile-owned types, but there isn't a deep
+reason for this.  This patch fixes the bug by updating copy_type to
+work for any sort of type.
+
+Better would perhaps be to finally implement type GC, but I still
+haven't attempted this.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=20630
+
+diff --git a/gdb/gdbtypes.c b/gdb/gdbtypes.c
+--- a/gdb/gdbtypes.c
++++ b/gdb/gdbtypes.c
+@@ -5504,27 +5504,24 @@ copy_type_recursive (struct objfile *objfile,
+ }
+ 
+ /* Make a copy of the given TYPE, except that the pointer & reference
+-   types are not preserved.
+-   
+-   This function assumes that the given type has an associated objfile.
+-   This objfile is used to allocate the new type.  */
++   types are not preserved.  */
+ 
+ struct type *
+ copy_type (const struct type *type)
+ {
+-  struct type *new_type;
+-
+-  gdb_assert (TYPE_OBJFILE_OWNED (type));
+-
+-  new_type = alloc_type_copy (type);
++  struct type *new_type = alloc_type_copy (type);
+   TYPE_INSTANCE_FLAGS (new_type) = TYPE_INSTANCE_FLAGS (type);
+   TYPE_LENGTH (new_type) = TYPE_LENGTH (type);
+   memcpy (TYPE_MAIN_TYPE (new_type), TYPE_MAIN_TYPE (type),
+ 	  sizeof (struct main_type));
+   if (type->main_type->dyn_prop_list != NULL)
+-    new_type->main_type->dyn_prop_list
+-      = copy_dynamic_prop_list (&TYPE_OBJFILE (type) -> objfile_obstack,
+-				type->main_type->dyn_prop_list);
++    {
++      struct obstack *storage = (TYPE_OBJFILE_OWNED (type)
++				 ? &TYPE_OBJFILE (type)->objfile_obstack
++				 : gdbarch_obstack (TYPE_OWNER (type).gdbarch));
++      new_type->main_type->dyn_prop_list
++	= copy_dynamic_prop_list (storage, type->main_type->dyn_prop_list);
++    }
+ 
+   return new_type;
+ }
+diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp
+--- a/gdb/testsuite/gdb.base/printcmds.exp
++++ b/gdb/testsuite/gdb.base/printcmds.exp
+@@ -733,6 +733,9 @@ proc test_print_array_constants {} {
+     gdb_test_escape_braces "print {{0,1,2},{3,4,5}}"  " = {{0, 1, 2}, {3, 4, 5}}"
+     gdb_test "print {4,5,6}\[2\]"	" = 6"
+     gdb_test "print *&{4,5,6}\[1\]"	"Attempt to take address of value not located in memory."
++
++    # This used to cause a crash.
++    gdb_test "print {unsigned char[]}{65}" " = 65 'A'"
+ }
+ 
+ proc test_print_enums {} {

SOURCES/libiberty-rhbz-2132600-prevent-buffer-overflow.patch

@@ -0,0 +1,27 @@
+From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= <contact@lsferreira.net>
+Date: Thu, 23 Sep 2021 11:33:47 -0400
+Subject: libiberty-rhbz-2132600-prevent-buffer-overflow.patch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+;; Backport libiberty: prevent buffer overflow when decoding user input
+;; (Luís Ferreira, RHBZ2132600)
+
+libiberty/
+	* d-demangle.c (dlang_symbol_backref): Ensure strlen of
+	string is less than length computed by dlang_number.
+
+diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c
+--- a/libiberty/d-demangle.c
++++ b/libiberty/d-demangle.c
+@@ -380,7 +380,7 @@ dlang_symbol_backref (string *decl, const char *mangled,
+ 
+   /* Must point to a simple identifier.  */
+   backref = dlang_number (backref, &len);
+-  if (backref == NULL)
++  if (backref == NULL || strlen (backref) < len)
+     return NULL;
+ 
+   backref = dlang_lname (decl, backref, len);

SPECS/gdb.spec

@@ -37,7 +37,7 @@ Version: 10.2
 
 # The release always contains a leading reserved number, start it at 1.
 # `upstream' is not a part of `name' to stay fully rpm dependencies compatible for the testing.
-Release: 10%{?dist}
+Release: 11%{?dist}
 
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ and GPLv2+ with exceptions and GPL+ and LGPLv2+ and LGPLv3+ and BSD and Public Domain and GFDL
 # Do not provide URL for snapshots as the file lasts there only for 2 days.
@@ -1158,7 +1158,21 @@ fi
 %endif
 
 %changelog
-* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 10.2-10
+* Wed Mar 29 2023 Bruno Larsen <blarsen@redhat.com> - 10.2-11.el9
+- Backport "libiberty: prevent buffer overflow when decoding user input"
+  (Luís Ferreira, RHBZ2132600)
+
+* Mon Mar 27 2023 Bruno Larsen <blarsen@redhat.com>
+- Backport "[gdb/breakpoint] Fix assert in jit_event_handler"
+  (Tom de Vries, RHBZ 2130624)
+
+* Wed Mar 23 2023 Bruno Larsen <blarsen@redhat.com>
+- Bakport "Fix assertion failure in copy_type"
+  (Tom Tromey, RHBZ 2155439)
+- Bakport "[gdb/testsuite] Fix PR20630 regression test in gdb.base/printcmds.exp"
+  (Tom de Vries)
+
+* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 10.2-10.el9
 - Rebuilt for MSVSphere 9.1.
 
 * Tue May 24 2022 Keith Seitz <keiths@redhat.com> - 10.2-10.el9