Bug 1332149
| Field | Value |
|---|---|
| Summary | Null dereference bug in READ_AREA_LENGTH() |
| Product | Fedora |
| Component | libdwarf |
| Version | rawhide |
| Status | CLOSED ERRATA |
| Fixed In Version | libdwarf-20160507-1.fc24 |
| Last Closed | 2016-05-12 16:13:40 UTC |
| Type | Bug |
| Doc Type | Bug Fix |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | lieanu <liuyue0310> |
| Assignee | Tom Hughes <tom> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | orion, tom |
| Target Milestone | --- |
| Target Release | --- |
| Regression | --- |
| Documentation | --- |
| Story Points | --- |
| Mount Type | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Attachments: attachment 1152912, "Null 02 bug"

Description:

Created attachment 1152912 [details]
Null 02 bug

Hi, I have reported this bug to upstream; reporting it here just for bug tracking, thanks.

Null dereference bug in the latest libdwarf git code.

```
0x2aaaaacde455 <_dwarf_make_CU_Context+181>  add    rsi,r12
0x2aaaaacde458 <_dwarf_make_CU_Context+184>  repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
0x2aaaaacde45a <_dwarf_make_CU_Context+186>  jne    0x2aaaaacde467 <_dwarf_make_CU_Context+199>
0x2aaaaacde45c <_dwarf_make_CU_Context+188>  mov    DWORD PTR [r14+0x138],0x1
0x2aaaaacde467 <_dwarf_make_CU_Context+199>  lea    rax,[rsp+0x58]                 <- $pc
0x2aaaaacde46c <_dwarf_make_CU_Context+204>  mov    QWORD PTR [rsp+0x58],0x0
0x2aaaaacde475 <_dwarf_make_CU_Context+213>  mov    edx,0x4
0x2aaaaacde47a <_dwarf_make_CU_Context+218>  mov    rsi,r13
0x2aaaaacde47d <_dwarf_make_CU_Context+221>  mov    QWORD PTR [rsp],rax
-------------------------------------------------------------------[source:dwarf_die_deliv.c+293]--
289     if (section_name_ends_with_dwo(secname)) {
290         cu_context->cc_is_dwo = TRUE;
291     }
292     /* READ_AREA_LENGTH updates cu_ptr for consumed bytes */
293     READ_AREA_LENGTH(dbg, length, Dwarf_Unsigned,                 <- $pc
294         cu_ptr, local_length_size, local_extension_size);
295     cu_context->cc_length_size = local_length_size;
296     cu_context->cc_extension_size = local_extension_size;
297
-------------------------------------------------------------------------------------------[trace]--
#0 _dwarf_make_CU_Context (dbg=dbg@entry=0x655a40, offset=offset@entry=0, is_info=is_info@entry=1,
   context_out=context_out@entry=0x7fffffffd758, error=error@entry=0x7fffffffdb28)
   at dwarf_die_deliv.c:293
#1 0x00002aaaaacdf666 in _dwarf_next_cu_header_internal (dbg=dbg@entry=0x655a40, is_info=is_info@entry=1,
   cu_header_length=cu_header_length@entry=0x7fffffffd960, version_stamp=version_stamp@entry=0x7fffffffd956,
   abbrev_offset=abbrev_offset@entry=0x7fffffffd968, address_size=address_size@entry=0x7fffffffd958,
   offset_size=offset_size@entry=0x7fffffffd95c, extension_size=extension_size@entry=0x7fffffffd95a,
   signature_out=signature_out@entry=0x7fffffffd9d0, has_signature=has_signature@entry=0x0,
   typeoffset=typeoffset@entry=0x7fffffffd970, next_cu_offset=next_cu_offset@entry=0x7fffffffd978,
   header_type=header_type@entry=0x7fffffffd95e, error=error@entry=0x7fffffffdb28)
   at dwarf_die_deliv.c:852
#2 0x00002aaaaacdfaea in dwarf_next_cu_header_d (dbg=dbg@entry=0x655a40, is_info=is_info@entry=1,
   cu_header_length=cu_header_length@entry=0x7fffffffd960, version_stamp=version_stamp@entry=0x7fffffffd956,
   abbrev_offset=abbrev_offset@entry=0x7fffffffd968, address_size=address_size@entry=0x7fffffffd958,
   offset_size=offset_size@entry=0x7fffffffd95c, extension_size=extension_size@entry=0x7fffffffd95a,
   signature=signature@entry=0x7fffffffd9d0, typeoffset=typeoffset@entry=0x7fffffffd970,
   next_cu_offset=next_cu_offset@entry=0x7fffffffd978, header_cu_type=header_cu_type@entry=0x7fffffffd95e,
   error=error@entry=0x7fffffffdb28)
   at dwarf_die_deliv.c:606
----------------------------------------------------------------------------------------------------
gdb> p cu_ptr
$1 = (Dwarf_Byte_Ptr) 0x0
```

READ_AREA_LENGTH() (especially READ_UNALIGNED()) is an unsafe function, with no source and dest pointer checking. Using READ_UNALIGNED_CK() may be a better choice.

Comments:

If you really want to open these bugs then please feel free, but all you're actually doing is creating work for me, because when the next libdwarf release comes out I will have to go through each one by hand and check that it is fixed :-(

I'm very sorry for that. I just want to request CVE IDs for these bugs, but email on libdwarf-list cannot be referenced from outside (no public URL can point there). So I think that reporting these bugs here may be a better choice. If you have any other better ideas, please let me know, thanks a lot.

Yue Liu,

libdwarf-20160507-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5

libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
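The report above stops at a READ_AREA_LENGTH() call with cu_ptr == 0x0 and suggests a checked macro instead. What follows is an added example, written for this page and not taken from libdwarf or from the reporter, of a checked reader for the DWARF "initial length" field that READ_AREA_LENGTH() decodes (a 4-byte length, or the 0xffffffff escape followed by an 8-byte length for 64-bit DWARF, with 0xfffffff0..0xfffffffe reserved by the DWARF standard). The function read_area_length_ck(), the area_length_t struct, the AL_* return codes, the little-endian byte order and the sample buffers are all this example's own assumptions and constructions; they say nothing about how libdwarf's READ_UNALIGNED_CK() is implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libdwarf code. Decoded DWARF "initial length" field. */
typedef struct {
    uint64_t length;          /* unit length that follows the field          */
    unsigned length_size;     /* 4 for 32-bit DWARF, 8 for 64-bit DWARF       */
    unsigned extension_size;  /* 4 when the 0xffffffff escape was present     */
    size_t   consumed;        /* bytes the field occupied                     */
} area_length_t;

enum {
    AL_OK = 0,
    AL_NULL_PTR,       /* cursor or section base is NULL: the case in this bug */
    AL_TRUNCATED,      /* field would run past the end of the section          */
    AL_RESERVED,       /* 0xfffffff0..0xfffffffe are reserved by the standard  */
    AL_LENGTH_RANGE    /* declared length does not fit in the section          */
};

/* Unaligned little-endian read of n <= 8 bytes. Little-endian target data is
 * an assumption of this example; the caller has already checked the range. */
static uint64_t read_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Every dereference is preceded by a NULL test and a remaining-bytes test,
 * which is what the unchecked macro in the report lacks. On success the
 * decoded field is written to *out and AL_OK is returned. */
int read_area_length_ck(const uint8_t *sec_base, size_t sec_len,
                        const uint8_t *cur, area_length_t *out)
{
    if (sec_base == NULL || cur == NULL || out == NULL)
        return AL_NULL_PTR;
    const uint8_t *sec_end = sec_base + sec_len;
    if (cur < sec_base || cur > sec_end)
        return AL_TRUNCATED;          /* cursor outside the section */
    size_t avail = (size_t)(sec_end - cur);
    if (avail < 4)
        return AL_TRUNCATED;

    uint64_t len = read_le(cur, 4);
    size_t consumed = 4;
    unsigned length_size = 4, extension_size = 0;

    if (len == 0xffffffffu) {         /* 64-bit DWARF escape */
        if (avail < 12)
            return AL_TRUNCATED;
        len = read_le(cur + 4, 8);
        consumed = 12;
        length_size = 8;
        extension_size = 4;
    } else if (len >= 0xfffffff0u) {
        return AL_RESERVED;
    }
    /* The unit body must also fit, or a later reader overruns the section. */
    if (len > (uint64_t)(avail - consumed))
        return AL_LENGTH_RANGE;

    out->length = len;
    out->length_size = length_size;
    out->extension_size = extension_size;
    out->consumed = consumed;
    return AL_OK;
}

/* Constructed sample inputs for this example, not taken from a real object. */
static const uint8_t sample32[20] = { 0x10, 0, 0, 0 };             /* 32-bit, length 16 */
static const uint8_t sample64[20] = { 0xff, 0xff, 0xff, 0xff,
                                      0x08, 0, 0, 0, 0, 0, 0, 0 };  /* 64-bit, length 8 */

int main(void)
{
    area_length_t al;
    /* The crash precondition from the report: a NULL cursor. The checked
     * reader refuses it instead of dereferencing address 0. */
    printf("NULL cursor -> rc=%d\n",
           read_area_length_ck(sample32, sizeof sample32, NULL, &al));
    int rc = read_area_length_ck(sample32, sizeof sample32, sample32, &al);
    printf("32-bit      -> rc=%d length=%llu size=%u ext=%u\n", rc,
           (unsigned long long)al.length, al.length_size, al.extension_size);
    rc = read_area_length_ck(sample64, sizeof sample64, sample64, &al);
    printf("64-bit      -> rc=%d length=%llu size=%u ext=%u\n", rc,
           (unsigned long long)al.length, al.length_size, al.extension_size);
    printf("3-byte sect -> rc=%d\n",
           read_area_length_ck(sample32, 3, sample32, &al));
    return 0;
}
```

Build with a plain `cc -std=c11 -Wall`. The two guards that matter for this report are the NULL test before the first dereference and the remaining-bytes test before each read; the final length-range check closes the neighbouring class of bug where a well-formed field announces a unit larger than the section that holds it, so that the caller's later reads would run off the end.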