Bug 1085663 (CVE-2014-0172)

Summary: CVE-2014-0172 elfutils: integer overflow, leading to a heap-based buffer overflow in libdw
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aoliva, drepper, fche, fweimer, jakub, jan.kratochvil, jkurik, jrusnack, kanderso, lkocman, mbenitez, me, mfranc, mjw, mjw, mnewsome, nobody+bgollahe, pfrields, roland, security-response-team, tmlcoch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: elfutils 0.160 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-15 06:33:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1085729, 1139128    
Bug Blocks: 1085665    

Description Murray McAllister 2014-04-09 05:39:10 UTC 
The libdw library provides support for accessing DWARF debugging information inside ELF files. An integer overflow flaw in check_section(), leading to a heap-based buffer overflow, was found in the libdw library. A malicious ELF file could cause an application using libdw (such as eu-readelf) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Comment 5 Murray McAllister 2014-04-09 08:25:32 UTC 
This issue affects versions 0.153 and later.

A possible patch from  Mark Wielaard:

diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..cf37013 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -282,6 +282,9 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
            memcpy (&size, data->d_buf + 4, sizeof size);
            size = be64toh (size);
 
+           if (unlikely (UINT64_MAX - size < sizeof (Elf_Data)))
+             break;
+
            Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
            if (unlikely (zdata == NULL))
              break;
Comment 6 Murray McAllister 2014-04-09 08:29:14 UTC 
Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1085729]
Comment 9 Mark Wielaard 2014-04-09 13:34:59 UTC 
The patch submitted upstream has a slightly simpler check because unsigned overflow is well defined (unlike unsigned overflow, which would cause undefined behaviour, and for which the approach in comment #5 would be more appropriate):

https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-April/003921.html
Comment 13 Fedora Update System 2014-04-18 15:36:52 UTC 
elfutils-0.158-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2014-04-30 04:06:41 UTC 
elfutils-0.158-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Huzaifa S. Sidhpurwala 2015-06-15 06:33:17 UTC 
This issue was fixed in Red Hat Enterprise Linux via the following advisory:

https://rhn.redhat.com/errata/RHEA-2015-0369.html