Bug 1377107
Summary: | libdwarf Integer Overflow | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | puzzor <puzzorsj> | ||||
Component: | libdwarf | Assignee: | Tom Hughes <tom> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | low | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 24 | CC: | anemec, orion, tom | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | libdwarf-20161001-1.fc25 libdwarf-20160929-1.fc24 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-10-09 02:49:45 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1379624 | ||||||
Attachments: |
|
Has this been reported upstream? (In reply to Tom Hughes from comment #1) > Has this been reported upstream? Yes, with external link https://sourceforge.net/p/libdwarf/bugs/3/ libdwarf-20160923-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-328754be1c libdwarf-20160923-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a *** Bug 1379625 has been marked as a duplicate of this bug. *** libdwarf-20160929-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a libdwarf-20160929-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-328754be1c libdwarf-20161001-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a libdwarf-20161001-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. libdwarf-20160929-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1202196 [details] poc and stack trace # Version libdwarf 20160613 # Address Sanitizer Output <0> tag: 17 DW_TAG_compile_unit name: "addrmap.c" FORM 0xe "DW_FORM_strp" <1> tag: 46 DW_TAG_subprogram name: "addr_map_insert" FORM 0xe "DW_FORM_strp" ASAN:SIGSEGV ================================================================= ==6825== ERROR: AddressSanitizer: SEGV on unknown address 0x0583903c (pc 0xb61f1a98 sp 0xbfa388b4 bp 0xbfa38d08 T0) AddressSanitizer can not provide additional info. #0 0xb61f1a97 (/usr/lib/i386-linux-gnu/libasan.so.0+0x1ba97) #1 0xb61e3c0b (/usr/lib/i386-linux-gnu/libasan.so.0+0xdc0b) #2 0x80a21b1 in _dwarf_get_size_of_val /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_util.c:210 #3 0x8054214 in _dwarf_next_die_info_ptr /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1340 #4 0x80557a5 in dwarf_child /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1640 #5 0x804b23f in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:573 #6 0x804b2a8 in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:579 #7 0x804b0a3 in read_cu_list /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:547 #8 0x804ab10 in main /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:475 #9 0xb600da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) #10 0x8049040 in _start (/home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/simplereader+0x8049040) SUMMARY: AddressSanitizer: SEGV ??:0 ?? ==6825== ABORTING # PoC See poc # Analysis From the call stack we get to know the "val_ptr" caused the Access Violation directly. When we analyzed further, we found this was caused by a integer overflow in dwarf_die_deliv.c. Let's see the line 1354: "info_ptr += sizeofval;" In our case, sizeofval will be a very large value and when info_ptr adds this large value, it will cause an overflow and thus we checked the info_ptr with die_info_end, info_ptr will always less than die_info_end. See the debug info below: " Hardware watchpoint 3: info_ptr Old value = (Dwarf_Byte_Ptr) 0xb5003b35 "\001U\003Q\001" New value = (Dwarf_Byte_Ptr) 0x603903a <error: Cannot access memory at address 0x603903a> _dwarf_next_die_info_ptr (die_info_ptr=0xb5003b22 "\002\207", cu_context=0xb4e03d88, die_info_end=0xb5003db1 "", cu_info_start=0x0, want_AT_sibling=0, has_die_child=0xbfffeb10, next_die_ptr_out=0xbfffead0, error=0xbfffec80) at dwarf_die_deliv.c:1355 1355 if (info_ptr > die_info_end) { (gdb) print sizeofval $3 = 1359172869 (gdb) print info_ptr $4 = (Dwarf_Byte_Ptr) 0x603903a <error: Cannot access memory at address 0x603903a> " (Note that info_ptr is a Dwarf_Byte_Ptr and sizeofval is Dwarf_Unsigned) Later, the program will use this corrupt info_ptr to memcpy. # Report Timeline 2016.09.18: Shi Ji(@Puzzor) discovered this issue # Credit Shi Ji(@Puzzor) # PoC Contact us if you need PoC file