Bug 1623752 (CVE-2018-16062)
Summary: | CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | abhgupta, bmcclain, dbaker, dblechte, dfediuck, drepper, eedri, fche, jakub, jokerman, kanderso, mcermak, me, mgoldboi, michal.skrivanek, mjw, mjw, mnewsome, ohudlick, sbonazzo, sherold, sthangav, trankin |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
An out-of-bounds read was discovered in elfutils in the way it reads DWARF address ranges information. Function dwarf_getaranges() in dwarf_getaranges.c does not properly check whether it reads beyond the limits of the ELF section. An attacker could use this flaw to cause a denial of service via a crafted file.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-08-06 13:19:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1623753, 1623754, 1625260, 1625515, 1625516 | ||
Bug Blocks: | 1623755 |
Description
Sam Fowler
2018-08-30 06:21:21 UTC
Created elfutils tracking bugs for this issue: Affects: fedora-all [bug 1623753] Reproduced on F28 with elfutils-0.173-1.fc28.x86_64: # eu-addr2line -e addr2line-buffer-over-flow1 -- 500 50 10 -1000 ??:0 ================================================================= ==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000001dc at pc 0x7f006dcdede6 bp 0x7ffe3f369f40 sp 0x7ffe3f369f30 READ of size 1 at 0x60f0000001dc thread T0 #0 0x7f006dcdede5 in __libdw_find_attr /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 #1 0x7f006dcdb67b in dwarf_attr (/lib64/libdw.so.1+0x2667b) #2 0x7f006dd05e85 in __libdw_intern_next_unit /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:187 #3 0x7f006dd06417 in __libdw_findcu /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:250 #4 0x7f006dcfdb13 in dwarf_getaranges (/lib64/libdw.so.1+0x48b13) #5 0x7f006dd4309c in addrarange cu.c:54 #6 0x7f006dd4309c in __libdwfl_addrcu cu.c:313 #7 0x7f006dd449b9 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f9b9) #8 0x5572d99886e7 (/usr/bin/eu-addr2line+0x66e7) #9 0x5572d9986b82 (/usr/bin/eu-addr2line+0x4b82) #10 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a) #11 0x5572d9986fb9 (/usr/bin/eu-addr2line+0x4fb9) 0x60f0000001dc is located 0 bytes to the right of 172-byte region [0x60f000000130,0x60f0000001dc) allocated by thread T0 here: #0 0x7f006e094c48 in malloc (/lib64/libasan.so.5+0xeec48) #1 0x7f006da91863 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:149 #2 0x7f006da91863 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431 #3 0x7f006da91ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538 #4 0x7f006dcd6960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167 #5 0x7f006dcd78b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310 #6 0x7f006dd3633e in load_dw dwfl_module_getdwarf.c:1340 #7 0x7f006dd369a7 in find_dw dwfl_module_getdwarf.c:1390 #8 0x7f006dd44996 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f996) #9 0x5572d99886e7 (/usr/bin/eu-addr2line+0x66e7) #10 0x5572d9986b82 (/usr/bin/eu-addr2line+0x4b82) #11 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a) SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 in __libdw_find_attr Shadow bytes around the buggy address: 0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa 0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00 =>0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa 0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16062 |