@archana25-ms
Contributor

@archana25-ms archana25-ms commented May 16, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?
Patch gdb for CVE-2021-32256

Change Log
Patch application verification

image

Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

@archana25-ms archana25-ms requested a review from a team as a code owner May 16, 2025 05:59
Contributor

@kgodara912 kgodara912 left a comment

Buddy build. Patch matches with upstream reference.

Contributor

@kgodara912 kgodara912 left a comment

Please check the build failure; it seems that the patch is for some other version of gdb.

@archana25-ms archana25-ms changed the title from "[MEDIUM] Patch gdb for CVE-2021-32256" to "[MEDIUM] Patch gdb for CVE-2021-32256 & CVE-2025-5244" Jun 9, 2025
@archana25-ms archana25-ms force-pushed the topic_gdb-2.0 branch 2 times, most recently from 4bbde42 to 72d113d Compare June 9, 2025 12:09
@archana25-ms
Contributor Author

Buddy Build link - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=831310&view=results

Build has passed. Please verify.

@kgodara912
Contributor

Full build

@kgodara912
Contributor

Previous full build was with gcc PR. This is only for gdb one: Full build.

@Malateshk007

@kgodara912, requesting your review on this!

@kgodara912
Contributor

I have re-triggered full build with latest baseline as previous two full builds weren't successful. Once full build passes, we will go to next steps.

@kgodara912
Contributor

Buddy build is almost successful except libguestfs failure only for ARM64 which is known to be flaky in the past. Patches match with upstream reference and buddy build is successful except test which is fixed in another PR. The fix infinite recursion patch was taken from https://gcc.gnu.org/pipermail/gcc-patches/2022-January/589277.html. Also, the code matches with upstream source for libiberty, https://github.com/gcc-mirror/gcc/blob/master/libiberty/rust-demangle.c. LGTM.

@archana25-ms
Contributor Author

archana25-ms commented Aug 14, 2025

Verification of gdb functionality using a sample C file

Program file 1 :
hello_loop.c

GDB verification log :
gdb-hello-loop.txt.txt

Program file 2:
gdb_test.c.txt

GDB verification log:
gdb-test-verifcation.txt

@kgodara912
Contributor

Buddy build

@kgodara912
Contributor

Buddy build as previous buddy build couldn't succeed.

@archana25-ms
Contributor Author

Current status:

Able to reproduce the test failure manually in a 2.0 CBL mariner container; libctf tests fail for gdb as follows:

ERROR: (DejaGnu) proc "is_elf_format" does not exist.
The error code is TCL LOOKUP COMMAND is_elf_format
The info on the error is:
invalid command name "is_elf_format"
    while executing
"::tcl_unknown is_elf_format"
    ("uplevel" body line 1)
    invoked from within
"uplevel 1 ::tcl_unknown $args"
ERROR: tcl error sourcing /tmp/gdb-11.2/libctf/testsuite/libctf-lookup/lookup.exp.
ERROR: tcl error code TCL LOOKUP COMMAND is_elf_format
ERROR: invalid command name "is_elf_format"
    while executing
"is_elf_format"
    (file "/tmp/gdb-11.2/libctf/testsuite/libctf-lookup/lookup.exp" line 21)
    invoked from within
"source /tmp/gdb-11.2/libctf/testsuite/libctf-lookup/lookup.exp"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 source /tmp/gdb-11.2/libctf/testsuite/libctf-lookup/lookup.exp"
    invoked from within
"catch "uplevel #0 source $test_file_name" msg"
Running /tmp/gdb-11.2/libctf/testsuite/libctf-regression/regression.exp ...
ERROR: (DejaGnu) proc "check_ctf_available" does not exist.
The error code is TCL LOOKUP COMMAND check_ctf_available
The info on the error is:
invalid command name "check_ctf_available"

Currently checking on fixing this error

@kgodara912
Contributor

We still have test failures even after removing libctf test suite: buddy build

Contributor

@kgodara912 kgodara912 left a comment

The test failures in the pipeline are precisely because of the addition of patches by this PR.

7568 time="2025-09-10T09:41:21Z" level=debug msg="in:  _RMCs4fqI2P2rA04_13const_genericINtB0_4CharKc76_E"
7569 time="2025-09-10T09:41:21Z" level=debug msg="out: (null)"
7570 time="2025-09-10T09:41:21Z" level=debug msg="exp: <const_generic::Char<'v'>>"
7571 time="2025-09-10T09:41:21Z" level=debug msg="FAIL at line 289, options --format=auto:"
7572 time="2025-09-10T09:41:21Z" level=debug msg="in:  _RMCs4fqI2P2rA04_13const_genericINtB0_4CharKca_E"
7573 time="2025-09-10T09:41:21Z" level=debug msg="out: (null)"
7574 time="2025-09-10T09:41:21Z" level=debug msg="exp: <const_generic::Char<'\\n'>>"
7575 time="2025-09-10T09:41:21Z" level=debug msg="FAIL at line 293, options --format=auto:"
7576 time="2025-09-10T09:41:21Z" level=debug msg="in:  _RMCs4fqI2P2rA04_13const_genericINtB0_4CharKc2202_E"
7577 time="2025-09-10T09:41:21Z" level=debug msg="out: (null)"
7578 time="2025-09-10T09:41:21Z" level=debug msg="exp: <const_generic::Char<'\\u{2202}'>>"
7579 time="2025-09-10T09:41:21Z" level=debug msg="./test-demangle: 68 tests, 18 failures"
7580 time="2025-09-10T09:41:21Z" level=debug msg="make[3]: Leaving directory '/usr/src/mariner/BUILD/gdb-11.2/libiberty/testsuite'"
7581 time="2025-09-10T09:41:21Z" level=debug msg="make[3]: *** [Makefile:58: check-rust-demangle] Error 1"
7582 time="2025-09-10T09:41:21Z" level=debug msg="make[3]: *** Waiting for unfinished jobs...."

Specifically, the SPECS/gdb/fix-infinite-recursion.patch patch is causing the additional failures in gdb tests. Please address the failures.

@archana25-ms
Contributor Author

archana25-ms commented Sep 22, 2025

Upon removing fix-infinite-recursion.patch, the following build error is observed for the CVE-2021-32256 patch

image

After applying fix-infinite-recursion.patch, the build issue is resolved, but the test fails for libiberty as follows

image

Found https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100177, where the changes present in this link are already present.
Analysing this test failure.

@archana25-ms
Contributor Author

Test is successful after the change in CVE-2021-32256
image

@bhagyapathak
Contributor

Buddy Build [InProgress]

@archana25-ms
Contributor Author

Buddy Build [InProgress]

Buddy build is successful and the test has passed

@bhagyapathak
Contributor

Full Build [InProgress]

Contributor

@bhagyapathak bhagyapathak left a comment

The full build is currently failing on ARM for libguestfs (libguestfs-1.44.0-20).
GDB fixes for CVE-2021-32256 and CVE-2025-5244 are unlikely to break libguestfs.
@kgodara912 could you please confirm if we should prioritize investigation on this failure?

@Kanishk-Bansal
Contributor

Buddy Build

@archana25-ms
Contributor Author

Buddy Build

Buddy build is successful

@kgodara912 kgodara912 self-requested a review October 29, 2025 06:45
Contributor

@kgodara912 kgodara912 left a comment

Full build is successful except libguestfs for arm64. The buddy build pipeline was run again with both the packages, buddy build where libguestfs compiles fine for arm64, amd64 test failures for libguestfs are known. The fix-infinite-recursion.patch matches with upstream, https://github.com/gcc-mirror/gcc/commit/f10bec5ffa487ad3033ed5f38cfd0fc7d696deab.patch. gdb tests are passing after a small change in goto pass_return in one CVE file. LGTM.

@kgodara912 kgodara912 merged commit 9cbce1b into microsoft:main Oct 29, 2025
13 of 15 checks passed

Labels

main PR Destined for main Packaging security

5 participants