* [Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
2019-01-18 11:17 ` [Bug backends/24102] " wcventure at 126 dot com
@ 2019-01-18 11:17 ` wcventure at 126 dot com
2019-01-20 21:27 ` [Bug libdw/24102] " mark at klomp dot org
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2019-01-18 11:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11543
--> https://sourceware.org/bugzilla/attachment.cgi?id=11543&action=edit
POC2
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
@ 2019-01-18 11:17 ` wcventure at 126 dot com
2019-01-18 11:17 ` wcventure at 126 dot com
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2019-01-18 11:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
--- Comment #2 from wcventure <wcventure at 126 dot com> ---
Created attachment 11544
--> https://sourceware.org/bugzilla/attachment.cgi?id=11544&action=edit
POC3
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
@ 2019-01-18 11:17 wcventure at 126 dot com
2019-01-18 11:17 ` [Bug backends/24102] " wcventure at 126 dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2019-01-18 11:17 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Bug ID: 24102
Summary: A Heap-buffer-overflow problem was discovered in the
function read_srclines in dwarf_getsrclines.c in libdw
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: backends
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11542
--> https://sourceware.org/bugzilla/attachment.cgi?id=11542&action=edit
POC1
Hi,
A Heap-buffer-overflow problem was discovered in the function read_srclines in
dwarf_getsrclines.c in libdw, as distributed in ELFutils 0.175. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.
Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.
$git log
> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard <mark@klomp.org>
> Date: Wed Jan 16 12:25:57 2019 +0100
>
> libelf: Correct overflow check in note_xlate.
>
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
>
> Signed-off-by: Mark Wielaard <mark@klomp.org>
The ASAN dumps the stack trace as follows:
> =================================================================
> ==17493==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000003fc at pc 0x7fa8ef1fc077 bp 0x7ffebd930000 sp 0x7ffebd92fff0
> READ of size 1 at 0x6100000003fc thread T0
> #0 0x7fa8ef1fc076 in read_srclines /elfutils/libdw/dwarf_getsrclines.c:474
> #1 0x7fa8ef1fd149 in __libdw_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1118
> #2 0x7fa8ef1fdefc in dwarf_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1208
> #3 0x7fa8ef20a146 in dwarf_getsrcfiles /elfutils/libdw/dwarf_getsrcfiles.c:92
> #4 0x407f71 in get_local_names /elfutils/src/nm.c:644
> #5 0x407f71 in show_symbols /elfutils/src/nm.c:1285
> #6 0x40ef63 in handle_elf /elfutils/src/nm.c:1578
> #7 0x403964 in process_file /elfutils/src/nm.c:374
> #8 0x403964 in main /elfutils/src/nm.c:249
> #9 0x7fa8ee5a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #10 0x404608 in _start (/elfutils/build/bin/eu-nm+0x404608)
>
> 0x6100000003fc is located 0 bytes to the right of 188-byte region [0x610000000340,0x6100000003fc)
> allocated by thread T0 here:
> #0 0x7fa8ef682b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7fa8eef3a08f in convert_data /elfutils/libelf/elf_getdata.c:157
> #2 0x7fa8eef3a08f in __libelf_set_data_list_rdlock /elfutils/libelf/elf_getdata.c:447
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /elfutils/libdw/dwarf_getsrclines.c:474 in read_srclines
> Shadow bytes around the buggy address:
> 0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
> 0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==17493==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
2019-01-18 11:17 ` [Bug backends/24102] " wcventure at 126 dot com
2019-01-18 11:17 ` wcventure at 126 dot com
@ 2019-01-20 21:27 ` mark at klomp dot org
2019-01-22 17:16 ` mark at klomp dot org
2019-01-31 14:46 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-20 21:27 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2019-01-20
CC| |mark at klomp dot org
Component|backends |libdw
Ever confirmed|0 |1
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
Nice find. Replicated using valgrind on the reproducers.
We would assume the dir and file tables were properly terminated by a NUL byte.
But if that wasn't actually there we could read one byte past the end of the
data buffer. A similar issue was in readelf.c (although it is harder to trigger
since readlelf has more sanity checks before it can get to this point).
Proposed fix:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
` (2 preceding siblings ...)
2019-01-20 21:27 ` [Bug libdw/24102] " mark at klomp dot org
@ 2019-01-22 17:16 ` mark at klomp dot org
2019-01-31 14:46 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-22 17:16 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
commit 2562759d6fe5b364fe224852e64e8bda39eb2e35
Author: Mark Wielaard <mark@klomp.org>
Date: Sun Jan 20 22:10:18 2019 +0100
libdw: Check terminating NUL byte in dwarf_getsrclines for dir/file table.
For DWARF version < 5 the .debug_line directory and file tables consist
of a terminating NUL byte after all strings. The code used to just skip
this without checking it actually existed. This could case a spurious
read past the end of data.
Fix the same issue in readelf.
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Signed-off-by: Mark Wielaard <mark@klomp.org>
Pushed to master.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug libdw/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
` (3 preceding siblings ...)
2019-01-22 17:16 ` mark at klomp dot org
@ 2019-01-31 14:46 ` mark at klomp dot org
4 siblings, 0 replies; 6+ messages in thread
From: mark at klomp dot org @ 2019-01-31 14:46 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
Apparently this bug got assigned CVE-2019-7149
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-01-31 14:46 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-18 11:17 [Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw wcventure at 126 dot com
2019-01-18 11:17 ` [Bug backends/24102] " wcventure at 126 dot com
2019-01-18 11:17 ` wcventure at 126 dot com
2019-01-20 21:27 ` [Bug libdw/24102] " mark at klomp dot org
2019-01-22 17:16 ` mark at klomp dot org
2019-01-31 14:46 ` mark at klomp dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).