Bug 1388057
| Field | Value |
|---|---|
| Summary | memory allocation failure in allocate_elf (common.h) |
| Product | Fedora |
| Component | elfutils |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | elfutils-0.168-1.fc25 elfutils-0.168-1.fc24 |
| Last Closed | 2017-01-11 12:19:17 UTC |
| Regression | --- |
| Documentation | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Mark Wielaard <mjw> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | aoliva, fche, jakub, me, mjw, mjw, roland |
| Keywords | Reopened |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Mount Type | --- |
| Category | --- |
Description
Agostino Sarubbo
2016-10-24 10:39:10 UTC
The problem is that the ELF file claims to have 1073901568 section headers. We then try to allocate memory for the sizeof (Elf_Scn) (208) times that number. Which is 223371526144. Plus the sizeof (Elf), 264 bytes. In total 223371526408 bytes (~208GB). Which obviously fails and returns NULL. This isn't really fatal. You just get an ELF_E_NOMEM.

There is already a check that scncnt <= SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)) to prevent overflow. But that still allows for 67818912035696880 headers on 64bit systems (and 15790320 on 32bit systems).

But even before that sanity check there is a call to get_shnum() which itself should sanity check that the "advertised" headers are really there.

```c
/* If the section headers were truncated, pretend none were there. */
if (ehdr.e64->e_shoff > maxsize
    || maxsize - ehdr.e64->e_shoff < sizeof (Elf64_Shdr) * result)
  result = 0;
```

That should have triggered, but it doesn't because maxsize was set to infinity. The problem is that we only set maxsize in read_file() in case we mmap the file, but not when using pread.

Posted a patch upstream: https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/EJWVY7TMRDEMWPAPNVU3V4MZYG5HANF2/

Does that help your case?

I'll retest. I guess my test will be done when a new release includes this fix. So if you can make a release you will make my job easier.

(In reply to Agostino Sarubbo from comment #3)
> I'll retest. I guess my test will be done when a new release includes this
> fix. So if you can make a release you will make my job easier.

We are kind of waiting on each other :) I am afraid this isn't reason enough to do a new release, sorry. Also I would like some time for this bug and bug #1387584 to have some testing. Neither commit is even upstream yet because nobody commented, reviewed or tested them yet.

If all you need is a "release" tar ball then you could try https://fedorapeople.org/~mjw/elfutils-0.167.tar.bz2 that is elfutils 0.167 + git + the two patches for fixing bug #1387584 and bug #1388057. Any testing is appreciated.

The patch has been committed upstream and the fix will be in the next release.

elfutils-0.168-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

elfutils-0.168-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

elfutils-0.168-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

elfutils-0.168-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

elfutils-0.168-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

elfutils-0.168-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Mitre assigned CVE-2016-10254 to this issue.
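As an added illustration of the arithmetic and the get_shnum() truncation check discussed in the thread above (example code, not elfutils' own), this reproduces the allocation size libelf would request for the claimed section count, the limit the existing SIZE_MAX guard still accepts, and why the truncation check passes when maxsize is "infinity" but rejects the count once maxsize is the real file size. The struct sizes are assumed from the figures quoted in the report; the 64-byte e_shoff and the 4 KiB file size are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants matching the sizes quoted in the report (x86_64):
   sizeof (Elf64_Shdr) == 64, sizeof (Elf_Scn) == 208, sizeof (Elf) == 264. */
#define ELF64_SHDR_SIZE 64ULL
#define ELF_SCN_SIZE    208ULL
#define ELF_SIZE        264ULL
#define SIZE_T_MAX      18446744073709551615ULL /* SIZE_MAX on a 64-bit host */

/* Bytes libelf would request for scncnt sections: one Elf plus one
   Elf_Scn per section.  Hypothetical helper mirroring the report's arithmetic. */
static uint64_t scn_alloc_bytes(uint64_t scncnt)
{
    return ELF_SIZE + ELF_SCN_SIZE * scncnt;
}

/* Largest count the existing overflow guard
   (scncnt <= SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr))) still accepts. */
static uint64_t overflow_guard_limit(void)
{
    return SIZE_T_MAX / (ELF_SCN_SIZE + ELF64_SHDR_SIZE);
}

/* The get_shnum() truncation check: if the advertised table does not fit
   between e_shoff and maxsize, pretend there are no sections.  Written in
   division form so an absurd count cannot overflow the multiplication. */
static uint64_t checked_shnum(uint64_t e_shoff, uint64_t shnum, uint64_t maxsize)
{
    if (e_shoff > maxsize || (maxsize - e_shoff) / ELF64_SHDR_SIZE < shnum)
        return 0;
    return shnum;
}

int main(void)
{
    const uint64_t claimed = 1073901568ULL; /* count from the report */
    const uint64_t shoff   = 64;            /* constructed: table right after the header */
    const uint64_t real_sz = 4096;          /* constructed: a 4 KiB file */

    printf("alloc request: %llu bytes\n", (unsigned long long) scn_alloc_bytes(claimed));
    printf("guard limit:   %llu sections\n", (unsigned long long) overflow_guard_limit());
    /* maxsize left at "infinity" (the pread path bug) lets the count through;
       the real file size rejects it. */
    printf("maxsize=inf  -> %llu\n", (unsigned long long) checked_shnum(shoff, claimed, SIZE_T_MAX));
    printf("maxsize=4096 -> %llu\n", (unsigned long long) checked_shnum(shoff, claimed, real_sz));
    return 0;
}
```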