Bug 1465756

Summary: There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: libdwarfAssignee: Frank Ch. Eigler <fche>
Status: CLOSED WONTFIX QA Contact: qe-baseos-tools-bugs
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: mbenitez
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-25 14:31:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
Triggered by "dwarfdump POC1"
Triggered by "dwarfdump POC1" none

Description owl337 2017-06-28 07:01:38 UTC
Created attachment 1292558 [details]
Triggered by  "dwarfdump  POC1"

Description of problem:

There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to remote denial of service  attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./dwarfdump $POC

Steps to Reproduce:

The normal and asan debug information are as follows:

$ ./dwarfdump POC1

==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128) 

The vulnerability was triggered in function int
_dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We don't analyze the reason of the trigger careful, but the 'unknow address' reported by ASAN  is readable by gdb.

273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274    Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
280     /*  The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
283     /*  byte_length being the number of bytes of data absorbed so far in
284         turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte   = *leb128;
292     for (;;) {

The gdb debugging information is as follows:

(gdb)set args POC1
(gdb) r

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, 
    cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, 
    size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, 
    ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, 
    error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, 
    srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, 
    pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, 
    elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, 
    archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562

Actual results:


Expected results:


Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 owl337 2017-06-28 07:02:59 UTC
Created attachment 1292559 [details]
Triggered by  "dwarfdump  POC1"

Comment 5 Frank Ch. Eigler 2018-11-29 16:16:01 UTC
There appear to be no security-relevant uses of this tool, so a crash on invalid input is tolerable.

Comment 6 Frank Ch. Eigler 2020-02-25 14:31:01 UTC
low severity problem on a dormant package