Bug 1377015

Summary: libdwarf read_line_table_program Out-of-Bounds read
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-27 07:00:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Reporter: puzzor <puzzorsj>
Assignee: Andrej Nemec <anemec>
QA Contact:
Docs Contact:
CC: anemec, fche, tom

Attachments:
  poc (flags: none)

Description puzzor 2016-09-17 14:25:43 UTC
Created attachment 1201947: poc

# Vulnerability
libdwarf line_ptr in dwarf_line_table_reader_common.c:1433 Out-of-Bounds read

# Version
libdwarf-20160613  ( https://www.prevanders.net/libdwarf-20160613.tar.gz )

# Address Sanitizer Output
==27763==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4603f84 at pc 0x8408ede bp 0xffff6518 sp 0xffff6510
READ of size 1 at 0xf4603f84 thread T0
    #0 0x8408edd in read_line_table_program /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433
    #1 0x83f716c in _dwarf_internal_srclines /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:690
    #2 0x841436c in dwarf_srclines_b /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:944
    #3 0x81fbc28 in print_line_numbers_this_cu /home/puzzor/test-fuzzing/code/dwarfdump/print_lines.c:763
    #4 0x815c191 in print_one_die_section /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:850
    #5 0x81565c1 in print_infos /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:371
    #6 0x80eee08 in process_one_file /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:1354
    #7 0x80e67ea in main /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:647
    #8 0xf7d67af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x80d24d4 in _start (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80d24d4)

0xf4603f84 is located 0 bytes to the right of 1796-byte region [0xf4603880,0xf4603f84)
allocated by thread T0 here:
    #0 0x80bb101 in malloc (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80bb101)
    #1 0xf7faf517 (/usr/lib/i386-linux-gnu/libelf.so.1+0x9517)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433 read_line_table_program
Shadow bytes around the buggy address:
  0x3e8c07a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e8c07f0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==27763==ABORTING


# PoC
See poc

# Report Timeline
2016-09-16: Shi Ji (@Puzzor) discovered this issue

# Credit
Shi Ji (@Puzzor)
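The ASan output in the report shows a one-byte read at exactly the end of the 1796-byte buffer that libelf allocated for the section data: the line-program reader stepped one byte past the section it was walking. What follows is an added example, not libdwarf's code and not the reporter's PoC. It is a constructed miniature of such an opcode-stream reader, written once in the unchecked style that produces this kind of over-read on a truncated program and once with every read bounded by the section end. The opcode numbers are the DWARF-standard values for DW_LNS_copy, DW_LNS_advance_pc and DW_LNS_set_file; the byte strings are constructed inputs and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libdwarf's code: a minimal reader for the opcode
 * stream of a DWARF line-number program, written two ways. walk_unchecked()
 * trusts the stream to be well-formed, the pattern behind a read just past
 * the end of the section buffer on truncated input; walk_checked() bounds
 * every read by the section end. Three standard opcodes are modelled, using
 * their DWARF-defined numbers; both operands are unsigned LEB128. */
enum { DW_LNS_copy = 1, DW_LNS_advance_pc = 2, DW_LNS_set_file = 4 };

/* Safe ULEB128 decode: checks each byte against 'end' before reading it.
 * Returns 0 on success, -1 if the operand is truncated. */
static int uleb128_checked(const uint8_t **pp, const uint8_t *end, uint64_t *out)
{
    const uint8_t *p = *pp;
    uint64_t v = 0; unsigned shift = 0; uint8_t b;
    do {
        if (p >= end) return -1;        /* operand runs off the section end */
        b = *p++;
        if (shift < 64) v |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);
    *pp = p;
    *out = v;
    return 0;
}

/* Vulnerable style: loops until 'len' bytes are consumed, but an operand that
 * starts inside the section may finish outside it. Returns the bytes actually
 * consumed so the overrun can be measured; *rows_out gets the DW_LNS_copy
 * count. To keep this demo free of undefined behaviour the caller passes a
 * backing buffer longer than 'len'; in the real crash the byte past 'len'
 * was the ASan redzone after libelf's section buffer. */
static size_t walk_unchecked(const uint8_t *prog, size_t len, long *rows_out)
{
    const uint8_t *p = prog;
    long rows = 0;
    while ((size_t)(p - prog) < len) {
        uint8_t op = *p++;
        if (op == DW_LNS_copy) rows++;
        else if (op == DW_LNS_advance_pc || op == DW_LNS_set_file) {
            uint8_t b;                  /* skip the ULEB128 operand, unchecked */
            do { b = *p++; } while (b & 0x80);  /* may run past prog + len */
        } else break;                   /* opcode not modelled */
    }
    *rows_out = rows;
    return (size_t)(p - prog);
}

/* Hardened style: every read is bounded by 'end'. Returns the row count, or
 * -1 on a truncated operand or an opcode this demo does not model. */
static long walk_checked(const uint8_t *prog, size_t len)
{
    const uint8_t *p = prog, *end = prog + len;
    long rows = 0; uint64_t operand;
    while (p < end) {
        uint8_t op = *p++;
        if (op == DW_LNS_copy) rows++;
        else if (op == DW_LNS_advance_pc || op == DW_LNS_set_file) {
            if (uleb128_checked(&p, end, &operand) != 0) return -1;
        } else return -1;
    }
    return rows;
}

/* Constructed inputs. kGood is complete: advance_pc 144 (ULEB128 90 01),
 * copy, set_file 2, copy. kTruncated declares only 3 bytes as the section,
 * with the advance_pc operand's continuation bit still set; the trailing
 * bytes stand in for whatever memory follows the section. */
static const uint8_t kGood[] = { DW_LNS_advance_pc, 0x90, 0x01, DW_LNS_copy,
                                 DW_LNS_set_file, 0x02, DW_LNS_copy };
static const uint8_t kTruncated[] = { DW_LNS_copy, DW_LNS_advance_pc, 0x80,
                                      0x80, 0x05, 0x00, 0x00, 0x00 };
static const size_t kTruncatedLen = 3;

/* Bytes the unchecked walker reads beyond the declared section length. */
static size_t truncated_overrun(void)
{
    long rows;
    size_t used = walk_unchecked(kTruncated, kTruncatedLen, &rows);
    return used > kTruncatedLen ? used - kTruncatedLen : 0;
}

int main(void)
{
    printf("checked, good program: %ld rows\n", walk_checked(kGood, sizeof kGood));
    printf("checked, truncated program: %ld (rejected)\n", walk_checked(kTruncated, kTruncatedLen));
    printf("unchecked, truncated program: %zu byte(s) read past the section\n", truncated_overrun());
    return 0;
}
```

The unchecked walker stops only when its cursor is at or beyond the declared length, so an operand that begins on the last in-bounds byte carries it past the end; on a real section buffer those extra reads are exactly what AddressSanitizer flags as heap-buffer-overflow. The fix is not a single check on the loop condition but a bound on every individual byte read, which is why the checked ULEB128 decoder takes the end pointer.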

Comment 1 Andrej Nemec 2016-09-20 13:59:22 UTC
Hello,

Please use secalert to report security vulnerabilities to us next time.

As for this issue, it looks like a local libdwarf crasher, which would make it low impact. Or is there something I have missed? 

You can try to post it to oss-security mailing list or request a CVE id from Mitre.

Thanks!

Comment 2 puzzor 2016-09-22 01:30:41 UTC
Use CVE-2016-7510 for this

Comment 3 Andrej Nemec 2016-09-23 08:10:44 UTC
(In reply to puzzor from comment #2)
> Use CVE-2016-7510 for this

Thanks for this report!

I have filed a proper vulnerability bug at:

https://bugzilla.redhat.com/show_bug.cgi?id=1378718

However, this still seems to be a low impact issue in my opinion, which is why I have wontfixed it for RHEL.

Next time, be sure to contact secalert directly please.

*** This bug has been marked as a duplicate of bug 1378718 ***

Comment 4 Tom Hughes 2016-09-26 21:32:11 UTC
*** Bug 1378718 has been marked as a duplicate of this bug. ***