Bug 1465756
| Field | Value |
|---|---|
| Summary | There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | owl337 <v.owl337> |
| Component | libdwarf |
| Assignee | Frank Ch. Eigler <fche> |
| Status | CLOSED WONTFIX |
| QA Contact | qe-baseos-tools-bugs |
| Severity | urgent |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.5-Alt |
| CC | mbenitez |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-02-25 14:31:01 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Created attachment 1292559 [details]
Triggered by "dwarfdump POC1"

There appear to be no security-relevant uses of this tool, so a crash on invalid input is tolerable. Low severity problem on a dormant package.
Created attachment 1292558 [details]
Triggered by "dwarfdump POC1"

Description of problem:
There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./dwarfdump $POC

Steps to Reproduce:
The normal and asan debug information are as follows:

```
$ ./dwarfdump POC1
.debug_info
ASAN:DEADLYSIGNAL
=================================================================
==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458 (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
==42828==ABORTING
```

The vulnerability was triggered in function int _dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We did not analyze the reason of the trigger carefully, but the 'unknown address' reported by ASAN is readable by gdb.

```
273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274     Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
...
280     /* The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
282
283     /* byte_length being the number of bytes of data absorbed so far in
284        turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte = *leb128;
292     for (;;) {
```

The gdb debugging information is as follows:

```
(gdb)set args POC1
(gdb) r
...
.debug_info

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291         byte = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291         byte = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
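The quoted source rejects only `leb128 >= endptr`, and the gdb session shows `leb128` (0x60462c598e45) sitting below `endptr` (0x61300000de1c), so that single comparison is satisfied even though the address is not readable; the report does not trace where that pointer came from. As an added example (not libdwarf's code, and not a fix for this bug), the decoder below takes a byte offset into a known buffer instead of a raw pointer, so a position outside the buffer is rejected on either side before any byte is read, and it also rejects truncated encodings (continuation bit set on the last available byte) and encodings longer than a 64-bit value can hold. The function and constant names (`leb128_decode_signed`, `LEB_OK`, `LEB_ERROR`) and the sample byte strings are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes, named after the DW_DLV_OK / DW_DLV_ERROR convention in the
 * quoted libdwarf source (assumed names, not libdwarf's). */
enum { LEB_OK = 0, LEB_ERROR = 1 };

/* Decode a signed LEB128 value at byte offset `off` inside buf[0..len).
 * Working in offsets means a bad position is refused whether it lies before
 * the buffer (which a `ptr >= end` test alone never detects) or after it.
 * On success stores the value in *out and the bytes used in *consumed. */
int leb128_decode_signed(const uint8_t *buf, size_t len, size_t off,
                         int64_t *out, size_t *consumed)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t i = off;

    if (!buf || !out || off >= len) {
        return LEB_ERROR;       /* start position outside [0, len) */
    }
    for (;;) {
        uint8_t byte;
        if (i >= len) {
            return LEB_ERROR;   /* truncated: continuation bit on final byte */
        }
        if (shift >= 64) {
            return LEB_ERROR;   /* more than 10 bytes: does not fit 64 bits */
        }
        byte = buf[i++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            /* Last byte: sign-extend if its sign bit (0x40) is set. */
            if (shift < 64 && (byte & 0x40)) {
                result |= ~(uint64_t)0 << shift;
            }
            break;
        }
    }
    *out = (int64_t)result;
    if (consumed) {
        *consumed = i - off;
    }
    return LEB_OK;
}

int main(void)
{
    /* Constructed sample inputs; not the POC attached to the bug. */
    static const uint8_t good[] = { 0xE5, 0x8E, 0x26 };  /* 624485 */
    static const uint8_t neg[]  = { 0x80, 0x7F };        /* -128 */
    static const uint8_t cut[]  = { 0x80, 0x80 };        /* truncated */
    int64_t v = 0;
    size_t n = 0;

    if (leb128_decode_signed(good, sizeof good, 0, &v, &n) == LEB_OK) {
        printf("good: %lld (%zu bytes)\n", (long long)v, n);
    }
    if (leb128_decode_signed(neg, sizeof neg, 0, &v, &n) == LEB_OK) {
        printf("neg: %lld (%zu bytes)\n", (long long)v, n);
    }
    printf("truncated -> %s\n",
           leb128_decode_signed(cut, sizeof cut, 0, &v, &n) == LEB_OK
               ? "ok" : "error");
    /* A position past the end is refused before any read; a position
     * before the start cannot even be expressed as an offset. */
    printf("offset past end -> %s\n",
           leb128_decode_signed(good, sizeof good, 10, &v, &n) == LEB_OK
               ? "ok" : "error");
    return 0;
}
```

The design point is that the caller passes the section's bounds and an offset derived from the file, rather than a pointer it has already computed from untrusted data; the decoder then has enough information to validate both ends of the range, which a pointer-only interface like `(leb128, endptr)` cannot do.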