Bug 1332144

Summary: Out of bound read bug in dwarf_dealloc()
Product: Fedora
Reporter: lieanu <liuyue0310>
Component: libdwarf
Assignee: Tom Hughes <tom>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: orion, tom
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libdwarf-20160507-1.fc24
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-05-12 16:13:49 UTC
Attachments: Out of Bound Read (flags: none)

Description lieanu 2016-05-02 11:15:32 UTC
Created attachment 1152900 [details]
Out of Bound Read

Hi, 

I have reported this bug to upstream; I am filing it here just for bug tracking, thanks.

Out-of-bounds read bug in libdwarf git code.

dwarf_dealloc() did not check the Dwarf_Ptr space argument before using it. This will lead to an out-of-bounds read bug.

 473         }
 474         type = alloc_type;
 475         malloc_addr = (char *)space - DW_RESERVE;
 476         r =(struct reserve_data_s *)malloc_addr;
 477         if(dbg != r->rd_dbg) {              <- $pc
 478             /*  Something is badly wrong. Better to leak than
 479                 to crash. */
 480             return;
 481         }
----------------------------------------------------------------------[trace]--
#0  dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0, alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477
#1  0x00002aaaaacf3296 in dealloc_srcfiles (dbg=0x655f30, srcfiles=0x66b8f0, srcfiles_count=17) at dwarf_macro5.c:1025
#2  0x00002aaaaacf50e6 in dealloc_srcfiles (srcfiles_count=<optimized out>, srcfiles=<optimized out>, dbg=<optimized out>) at dwarf_macro5.c:1021
-------------------------------------------------------------------------------

gef> p &r->rd_dbg
$14 = (void **) 0x90
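The snippet and trace above show the shape of the defect: dwarf_dealloc() subtracts DW_RESERVE from whatever pointer it is handed (here 0xa0) and dereferences the resulting header address (0x90) to compare rd_dbg. The following is an added example, not libdwarf's code and not the reporter's; it models the same reserve-header layout with a hypothetical allocation context (alloc_ctx, ctx_alloc, ctx_owns, ctx_dealloc_checked are invented names, and RESERVE is an assumed stand-in for DW_RESERVE) and shows the missing step: validating the pointer against a registry of outstanding allocations before the memory in front of it is read. NULL, a pointer that was never handed out, and a second free of the same block are all refused without touching the header.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins (not libdwarf identifiers). */
#define RESERVE 16      /* assumed size of the hidden header, like DW_RESERVE */
#define MAX_TRACKED 64  /* small fixed registry, enough for the demo */

/* Header stored RESERVE bytes before the pointer the caller sees,
   playing the role of struct reserve_data_s / rd_dbg in the report. */
struct reserve_hdr {
    void *owner;    /* which context allocated this block */
    unsigned type;  /* allocation type tag */
};

struct alloc_ctx {
    void *live[MAX_TRACKED];  /* user pointers currently outstanding */
    int n_live;
    int leaked;               /* deallocs refused because the pointer was not ours */
};

/* Allocate `size` user bytes with a hidden header in front: the same
   malloc_addr / space split as in the snippet from dwarf_alloc.c. */
void *ctx_alloc(struct alloc_ctx *ctx, size_t size, unsigned type) {
    if (ctx->n_live >= MAX_TRACKED) return NULL;
    char *base = malloc(RESERVE + size);
    if (!base) return NULL;
    struct reserve_hdr *h = (struct reserve_hdr *)base;
    h->owner = ctx;
    h->type = type;
    void *space = base + RESERVE;
    ctx->live[ctx->n_live++] = space;
    return space;
}

/* Index of `space` in the registry, or -1 if this context never handed
   it out (or has already freed it). Only pointer values are compared;
   nothing is dereferenced. */
int ctx_owns(const struct alloc_ctx *ctx, const void *space) {
    for (int i = 0; i < ctx->n_live; i++)
        if (ctx->live[i] == space) return i;
    return -1;
}

/* Checked dealloc: reject NULL and foreign pointers *before* computing
   space - RESERVE and reading the header. Returns 1 if freed, 0 if refused.
   The owner comparison after the registry check mirrors the rd_dbg check
   in the report; with the registry in place it can no longer read out of
   bounds, because only pointers we created reach it. */
int ctx_dealloc_checked(struct alloc_ctx *ctx, void *space) {
    if (space == NULL) return 0;
    int idx = ctx_owns(ctx, space);
    if (idx < 0) { ctx->leaked++; return 0; }   /* better to leak than to crash */
    struct reserve_hdr *h = (struct reserve_hdr *)((char *)space - RESERVE);
    if (h->owner != ctx) { ctx->leaked++; return 0; }
    ctx->live[idx] = ctx->live[--ctx->n_live];   /* remove from registry */
    free(h);
    return 1;
}

/* Scenario from the report: one valid block is freed, then the same
   block again, then the bogus pointer 0xa0. Returns 1 if every outcome
   is as expected (one free, two refusals, no header read for the bad ones). */
int demo(void) {
    struct alloc_ctx ctx = {0};
    void *p = ctx_alloc(&ctx, 32, 1);
    if (!p) return 0;
    int first = ctx_dealloc_checked(&ctx, p);             /* legitimate free: 1 */
    int again = ctx_dealloc_checked(&ctx, p);             /* double free: refused, 0 */
    int bogus = ctx_dealloc_checked(&ctx, (void *)0xa0);  /* never allocated: refused, 0 */
    return first == 1 && again == 0 && bogus == 0 && ctx.leaked == 2;
}

/* Registry behaviour on its own: a fresh block is found at index 0,
   NULL is refused without counting as a leak, and the block frees cleanly. */
int demo_registry(void) {
    struct alloc_ctx ctx = {0};
    void *q = ctx_alloc(&ctx, 8, 2);
    if (!q) return 0;
    int found = ctx_owns(&ctx, q) == 0;
    int null_refused = ctx_dealloc_checked(&ctx, NULL) == 0 && ctx.leaked == 0;
    int freed = ctx_dealloc_checked(&ctx, q) == 1 && ctx.n_live == 0;
    return found && null_refused && freed;
}

int main(void) {
    printf("checked dealloc scenario: %s\n", demo() ? "ok" : "FAILED");
    printf("registry checks: %s\n", demo_registry() ? "ok" : "FAILED");
    return 0;
}
```

The registry is a linear array here purely for readability; a real allocator would use whatever structure it already keeps for its outstanding blocks. The point the report makes is the ordering: the pointer must be established as one of ours before `space - RESERVE` is ever dereferenced.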

Comment 1 Fedora Update System 2016-05-08 10:27:23 UTC
libdwarf-20160507-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

Comment 2 Fedora Update System 2016-05-09 00:55:04 UTC
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

Comment 3 Fedora Update System 2016-05-12 16:13:11 UTC
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.