Bug 1623752 (CVE-2018-16062)

Summary: CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bmcclain, dbaker, dblechte, dfediuck, drepper, eedri, fche, jakub, jokerman, kanderso, mcermak, me, mgoldboi, michal.skrivanek, mjw, mjw, mnewsome, ohudlick, sbonazzo, sherold, sthangav, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in elfutils in the way it reads DWARF address ranges information. Function dwarf_getaranges() in dwarf_getaranges.c does not properly check whether it reads beyond the limits of the ELF section. An attacker could use this flaw to cause a denial of service via a crafted file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:19:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1623753, 1623754, 1625260, 1625515, 1625516    
Bug Blocks: 1623755    

Description Sam Fowler 2018-08-30 06:21:21 UTC 
Elfutils is vulnerable to a heap-based buffer over-read in the libdw/dwarf_getaranges.c:dwarf_getaranges() function. An attacker could exploit this to cause a crash in the eu-addr2line command via a crafted file.


Upstream Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=23541


Upstream Patch:

https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9
Comment 1 Sam Fowler 2018-08-30 06:21:55 UTC 
Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1623753]
Comment 3 Sam Fowler 2018-08-30 06:27:41 UTC 
Reproduced on F28 with elfutils-0.173-1.fc28.x86_64:

# eu-addr2line -e addr2line-buffer-over-flow1 -- 500 50 10 -1000
??:0
=================================================================
==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000001dc at pc 0x7f006dcdede6 bp 0x7ffe3f369f40 sp 0x7ffe3f369f30
READ of size 1 at 0x60f0000001dc thread T0
    #0 0x7f006dcdede5 in __libdw_find_attr /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97
    #1 0x7f006dcdb67b in dwarf_attr (/lib64/libdw.so.1+0x2667b)
    #2 0x7f006dd05e85 in __libdw_intern_next_unit /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:187
    #3 0x7f006dd06417 in __libdw_findcu /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:250
    #4 0x7f006dcfdb13 in dwarf_getaranges (/lib64/libdw.so.1+0x48b13)
    #5 0x7f006dd4309c in addrarange cu.c:54
    #6 0x7f006dd4309c in __libdwfl_addrcu cu.c:313
    #7 0x7f006dd449b9 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f9b9)
    #8 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #9 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #10 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #11 0x5572d9986fb9  (/usr/bin/eu-addr2line+0x4fb9)

0x60f0000001dc is located 0 bytes to the right of 172-byte region [0x60f000000130,0x60f0000001dc)
allocated by thread T0 here:
    #0 0x7f006e094c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7f006da91863 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:149
    #2 0x7f006da91863 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431
    #3 0x7f006da91ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538
    #4 0x7f006dcd6960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167
    #5 0x7f006dcd78b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310
    #6 0x7f006dd3633e in load_dw dwfl_module_getdwarf.c:1340
    #7 0x7f006dd369a7 in find_dw dwfl_module_getdwarf.c:1390
    #8 0x7f006dd44996 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f996)
    #9 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #10 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #11 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 in __libdw_find_attr
Shadow bytes around the buggy address:
  0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Comment 7 errata-xmlrpc 2019-08-06 12:27:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197
Comment 8 Product Security DevOps Team 2019-08-06 13:19:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16062