Bug 1157276 (CVE-2014-8485)

Summary: CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, dan, dhowells, drieden, jakub, jrusnack, kanderso, law, lkundrak, masanari_iida, mprchlik, nickc, nobody+bgollahe, ohudlick, pfrankli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: binutils 2.25
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
Story Points: ---
Last Closed: 2019-06-08 02:35:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1157277, 1168281, 1168302, 1172710
Bug Blocks: 1156276, 1210268
Attachments (description, flags):
- Fixes for buffer overruns etc in BFD library (none)
- Default strings to -a (none)
- Corrupt file that used to trigger a bug in the BFD library (none)

Description Murray McAllister 2014-10-26 22:19:52 UTC
Michal Zalewski reported a lack of range checking in libbfd could be used to write to an arbitrary location in memory:

http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html

Running "strings" on a malicious file could cause "strings" to crash or, potentially, execute arbitrary code.

Upstream bug (no patch attached yet):

https://sourceware.org/bugzilla/show_bug.cgi?id=17510

References:

http://www.openwall.com/lists/oss-security/2014/10/24/10

Comment 1 Murray McAllister 2014-10-26 22:20:26 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1157277]

Comment 2 Murray McAllister 2014-10-27 00:26:01 UTC
As noted in <http://seclists.org/oss-sec/2014/q4/444>, other utilities which are commonly run on untrusted binaries are also affected, such as objdump and nm.

Comment 3 Murray McAllister 2014-10-27 02:59:24 UTC
MITRE assigned CVE-2014-8485 to this issue:

http://www.openwall.com/lists/oss-security/2014/10/26/2

Comment 4 Nick Clifton 2014-10-27 14:00:10 UTC
Fixed in:

 binutils-2.24-25.fc22
 binutils-2.24-24.fc21
 binutils-2.23.88.0.1-20.fc20

Cheers
  Nick

Comment 5 masanari iida 2014-10-31 02:25:10 UTC
On RHEL6 (binutils-2.20.51.0.2-5.42.el6) with the sample file from upstream,
strings generates a core file.

# strings ./strings-bfd-badptr
Segmentation fault (core dumped)
#

Core was generated by `strings ./strings-bfd-badptr'.
Program terminated with signal 11, Segmentation fault.
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2)
    at elf.c:1868
1868                  if (idx->shdr != NULL
(gdb) bt
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2)
    at elf.c:1868
#1  0x0097b75c in bfd_elf32_object_p (abfd=0x9da7038) at elfcode.h:898
#2  0x00957a2a in bfd_check_format_matches (abfd=0x9da7038, format=bfd_object,
    matching=0x0) at format.c:211
#3  0x00957d0d in bfd_check_format (abfd=0x9da7038, format=bfd_object)
    at format.c:95
#4  0x08049bae in strings_object_file (argc=2, argv=0xbfecace4)
    at strings.c:392
#5  strings_file (argc=2, argv=0xbfecace4) at strings.c:433
#6  main (argc=2, argv=0xbfecace4) at strings.c:302

Testing on RHEL5 (binutils-2.17.50.0.6-5.el5), it did not generate a core.

[root@burton05 tmp]# strings ./strings-bfd-badptr
hello world
.shstrtab
.text
.data
AAAA
[root@burton05 tmp]# strings ./strings-bfd-badptr2
hellAAAArld
.shstrtab
.text
.data

Testing on RHEL7 (binutils-2.23.52.0.1-16.el7.x86_64),
it generated a core dump.

So I guess both RHEL6 and RHEL7 seem to be affected by this issue.

Comment 6 Nick Clifton 2014-10-31 12:39:06 UTC
Created attachment 952477 [details]
Fixes for buffer overruns etc in BFD library

Comment 7 Nick Clifton 2014-10-31 12:40:20 UTC
Created attachment 952478 [details]
Default strings to -a

Comment 8 Nick Clifton 2014-10-31 12:48:43 UTC
The strings-bfd-badptr and other malformed binaries that cause crashes in the BFD library can be found in this upstream PR:

  https://sourceware.org/bugzilla/show_bug.cgi?id=17512

I have uploaded two patches to this BZ.  The first - binutils-2.24-corrupt-binaries.patch - fixes all of the bugs exposed by the test cases in that PR.  This patch has been applied to the Fedora binutils, and I would recommend that it be applied to the RHEL binutils.

The second patch - binutils-2.24-strings-default-all.patch - is a result of discussions on the binutils mailing list.  It changes the default behaviour of the strings program to be the "-a" command line option.  This makes strings scan the entire binary for text, not just loadable data sections.  This means that the BFD library is not used (to find those data sections) and so strings is less likely to trigger a memory fault.  On the other hand it also makes the output from strings more likely to contain garbage, from all of the code sections and headers.

I am not sure whether this second patch should be applied to RHEL.  It does change the default behaviour of a program and this might not be acceptable.  The second patch has been applied to Fedora rawhide and F21, although not F20.

Comment 9 Vasyl Kaigorodov 2014-11-26 14:32:02 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 14 Nick Clifton 2015-06-29 11:59:27 UTC
Suggested entry in the release notes:

  The default behaviour of the strings program has changed.
  Previously it would only display text found in loadable data
  sections unless a command line option was used to specify
  otherwise.  Now it will default to displaying text found
  anywhere in the input file, unless a command line option is
  used to restrict to data sections.

  The change has been made because of security concerns.
  In order to determine where the data sections are in a file,
  it first has to be analysed.  If there are bugs in this
  analysis code then they could be exploited by a specially
  crafted input file and potentially used to gain access to
  the system.  Scanning for strings anywhere in the input
  file does not need any analysis, so it is the safer
  default option.
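
The rationale in the release note above and in comment 8, shown in code as an added example (not binutils code and not the patch attached to this bug): a byte-by-byte scan of the whole file, which is what `strings -a` does and needs no header parsing, beside the kind of bounds check the section-parsing path must make before it trusts e_shoff/e_shnum/e_shentsize. The Elf32 header is constructed for the demo; section parsing itself is not implemented.

```python
"""Whole-file printable-run scan (the `strings -a` behaviour) next to the
range check that the section-parsing path needs.  Added example, not
binutils code; the ELF32 header below is constructed for the demo."""
import struct

ELF32_EHDR = "<16sHHIIIIIHHHHHH"        # Elf32_Ehdr, little-endian, 52 bytes
EHDR_SIZE = struct.calcsize(ELF32_EHDR)
IDENT = b"\x7fELF\x01\x01\x01" + b"\x00" * 9

def build_sample(shoff=0x7FFFFFFF, shnum=3) -> bytes:
    """Constructed input: a plausible header whose e_shoff (by default) points
    far beyond the end of the file, followed by some text a reader expects."""
    hdr = struct.pack(ELF32_EHDR, IDENT, 2, 3, 1, 0, 0, shoff,
                      0, EHDR_SIZE, 0, 0, 40, shnum, 2)   # e_shentsize = 40
    return hdr + b"hello world\x00\x00.shstrtab\x00.text\x00.data\x00AAAA\x00"

def strings_all(data: bytes, min_len=4):
    """Return (offset, text) for every run of >= min_len printable bytes.
    Walks every byte of the buffer and never reads a header, so a bogus
    e_shoff cannot steer it anywhere."""
    runs, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E or b == 0x09:       # GNU strings counts tab too
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            runs.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs

def section_table_in_range(data: bytes) -> bool:
    """Illustrative range check: refuse to use e_shoff/e_shnum/e_shentsize
    unless the whole section header table lies inside the file."""
    if len(data) < EHDR_SIZE or data[:4] != IDENT[:4]:
        return False
    f = struct.unpack(ELF32_EHDR, data[:EHDR_SIZE])
    shoff, shentsize, shnum = f[6], f[11], f[12]
    if shnum == 0:
        return True                    # no table to parse
    return shoff <= len(data) and shentsize * shnum <= len(data) - shoff

if __name__ == "__main__":
    blob = build_sample()
    print("section table usable:", section_table_in_range(blob))   # False
    for off, text in strings_all(blob):
        print(f"{off:6d}  {text}")
```

The whole-file scan still reports the same five strings whether or not the header is sane; only the section-parsing path has to reject the file.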

Comment 15 Nick Clifton 2015-06-29 12:06:36 UTC
Created attachment 1044338 [details]
Corrupt file that used to trigger a bug in the BFD library

Note for QA:

  This is the testcase for this BZ.

  Running "strings string-bfd-badfree" used to crash the strings program, but this should no longer happen.  This includes running strings with the "-d" command line option as well.

Comment 17 errata-xmlrpc 2015-11-19 03:32:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html