Bug 1625056
Summary: | CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libdw/dwarf_hasattr.c causes crash [fedora-all] | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Sam Fowler <sfowler>
Component: | elfutils | Assignee: | Mark Wielaard <mjw>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | 28 | CC: | aoliva, fche, jakub, me, mjw, sfowler
Target Milestone: | --- | Keywords: | Security, SecurityTracking
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | elfutils-0.174-1.fc29 elfutils-0.174-1.fc28 | Doc Type: | Release Note
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-09-30 23:25:18 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1625055 | |
Description
Sam Fowler
2018-09-04 04:46:28 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

```
=====
# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1625055,1625056

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======
```

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new

Reproduces on F28 with elfutils-0.173-1.fc28.x86_64:

```
# eu-readelf -w CVE-2018-16403 2>&1 | ./asan_symbolizer.py
DWARF section [ 5] '.debug_info' at offset 0x8a:
 [Offset]
 Compilation unit at offset 0:
 Version: 2, Abbreviation section offset: 0, Address size: 8, Offset size: 4
eu-readelf: cannot get tag of DIE at offset [b] in section '.debug_info': invalid DWARF
=================================================================
==53==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000656 at pc 0x7fb7931fea62 bp 0x7ffce2f30cc0 sp 0x7ffce2f30cb0
READ of size 1 at 0x606000000656 thread T0
    #0 0x7fb7931fea61 in dwarf_getabbrevattr_data (/lib64/libdw.so.1+0x37a61)
    #0 0x55a4827b86a1 in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:5046
    #1 0x55a4827ca27f in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:11144
    #2 0x55a4827d2111 in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:997
    #3 0x55a4827d5a01 in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:761
    #5 0x7fb79323f254 in dwfl_getmodules (/lib64/libdw.so.1+0x78254)
    #4 0x55a4827b5dfd in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:869
    #5 0x55a4827ae848 in ?? /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:351
    #8 0x7fb7927cc24a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #6 0x55a4827aee49 in ?? ??:0

0x606000000656 is located 0 bytes to the right of 54-byte region [0x606000000620,0x606000000656)
allocated by thread T0 here:
    #0 0x7fb7935a6c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7fb792fa38b7 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:164
    #2 0x7fb792fa38b7 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431
    #3 0x7fb792fa3ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538
    #4 0x7fb7931e8960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167
    #5 0x7fb7931e98b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310
    #6 0x7fb79324833e in load_dw dwfl_module_getdwarf.c:1340
    #7 0x7fb7932489a7 in find_dw dwfl_module_getdwarf.c:1390
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
addr2line: Dwarf Error: Offset (1330118656) greater than or equal to .debug_str size (57456).
    #7 0x55a4827c9736 in print_debug /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:10875
    #8 0x55a4827d2111 in process_elf_file /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:997
    #9 0x55a4827d5a01 in process_dwflmod /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:761
    #11 0x7fb79323f254 in dwfl_getmodules (/lib64/libdw.so.1+0x78254)
    #10 0x55a4827b5dfd in process_file /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:869
    #11 0x55a4827ae848 in main /usr/src/debug/elfutils-0.173-1.fc28.x86_64/src/readelf.c:351
    #14 0x7fb7927cc24a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libdw.so.1+0x37a61) in dwarf_getabbrevattr_data
Shadow bytes around the buggy address:
  0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8090: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff80b0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c7fff80c0: fa fa fa fa 00 00 00 00 00 00[06]fa fa fa fa fa
  0x0c0c7fff80d0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0c7fff80e0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff80f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8100: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8110: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
```

elfutils-0.174-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32c8599fe1

elfutils-0.174-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32c8599fe1

elfutils-0.174-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1eec1f0d17

elfutils-0.174-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1eec1f0d17

elfutils-0.174-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

elfutils-0.174-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.