Bug 1639911 (CVE-2018-18309)
| Summary: | CVE-2018-18309 binutils: invalid memory address dereference in read_reloc in reloc.c | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | abhgupta, ahardin, aoliva, bleanhar, bmontgom, ccoleman, dbaker, dedgar, dvlasenk, eparis, erik-fedora, fweimer, jakub, jburrell, jgoulding, jokerman, klember, ktietz, law, mchappel, nickc, nstielau, ohudlick, rjones, sjubran, sthangav, trankin, yselkowi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:39:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1639912, 1639913, 1639914, 1639916, 1639917 | | |
| Bug Blocks: | 1639915 | | |
Description
Laura Pardo
2018-10-16 22:22:46 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1639914]

Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1639912]
Affects: fedora-all [bug 1639916]

Unable to reproduce on RHEL*.

Kept building this until I found a vulnerable version. I was only able to get this to reproduce in mainline and was NOT able to reproduce this in 2.31.1. Upstream report states "the latest binutils(v2.31.1)", so I was at least expecting a crash in that.

Did a `git checkout a4cd947aca23d58966ead843e120f4c19db01030` to get to the target version the upstream fix mentions, and that did indeed crash. Seems like it was introduced then?

Nevertheless, RHEL* still not affected.

```
[root@ binutils]# ./objdump -v
GNU objdump (GNU Binutils) 2.31.51.20180914
Copyright (C) 2018 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
[root@ binutils]# ./objdump -xg -W ~/poc
./objdump: /root/poc: unknown type [0x7000001] section `�������bss'
/root/poc:     file format elf64-little
/root/poc
architecture: UNKNOWN!, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0xff03010000000000

...... lots of junk skipped here ......

Can't get contents for section '.debug_info'.
  Length:                   44
  Version:                  2
  Offset into .debug_info:  0x0
  Pointer Size:             0
  Segment Size:             0
./objdump: Error: Invalid address size in .debug_aranges section!

Contents of the .debug_info section:

./objdump: Warning: Invalid pointer size (0) in compunit header, using 4 instead
  Compilation Unit @ offset 0x0:
   Length:        0x10 (32-bit)
   Version:       21
   Abbrev Offset: 0x0
   Pointer Size:  4
./objdump: Warning: CU at offset 0 contains corrupt or unsupported version number: 21.
./objdump: Warning: Invalid pointer size (0) in compunit header, using 4 instead
  Compilation Unit @ offset 0x14:
   Length:        0x2 (32-bit)
   Version:       48
   Abbrev Offset: 0x14
   Pointer Size:  4
./objdump: Warning: CU at offset 14 contains corrupt or unsupported version number: 48.
./objdump: Warning: Invalid pointer size (23) in compunit header, using 4 instead
  Compilation Unit @ offset 0x1a:
   Length:        0x140000 (32-bit)
   Version:       0
   Abbrev Offset: 0x11
   Pointer Size:  4
./objdump: Warning: Debug info is corrupted, .debug_info header at 0x1a has length 140000
Segmentation fault
[root@ binutils]#
```
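As an added example (not code from this bug, the reporter, or binutils), the Python below walks the 32-bit DWARF compilation-unit headers of a `.debug_info` section with every read bounds-checked against both the section size and the unit's own stated length. It reports the three conditions the objdump transcript above warns about (invalid pointer/address size, unsupported version, and a unit length that runs past the section) and stops at the first length it cannot trust instead of stepping beyond the buffer. The corrupt section is constructed inline to mirror the header values from the transcript (lengths 0x10, 0x2 and 0x140000; versions 21, 48 and 0; address sizes 0 and 23); it is not the reporter's `poc` file, and the crash site named by the CVE (read_reloc in reloc.c) is not modeled here.

```python
"""Bounds-checked walk over 32-bit DWARF compilation-unit headers in .debug_info.

Added example, not binutils code. The corrupt section built below is constructed
to mirror the header values objdump printed in the bug transcript; it is not the
original PoC and does not model the read_reloc crash the CVE describes.
"""
import struct

SUPPORTED_VERSIONS = range(2, 6)    # DWARF 2 through 5
VALID_ADDRESS_SIZES = {1, 2, 4, 8}
DWARF64_ESCAPE = 0xFFFFFFFF         # unit_length value that introduces a 64-bit DWARF unit
PRE_V5_HEADER = 7                   # version(2) + debug_abbrev_offset(4) + address_size(1)
V5_HEADER = 8                       # version(2) + unit_type(1) + address_size(1) + debug_abbrev_offset(4)


def parse_cu_headers(section: bytes) -> list:
    """Return one dict per unit header found in `section`.

    Every field read is checked against both the section size and the unit's
    stated length, so a bogus length never causes a read outside the buffer.
    The walk stops at the first unit whose length runs past the section (the
    "Debug info is corrupted" condition in the transcript).
    """
    units = []
    size = len(section)
    off = 0
    while off < size:
        unit = {"offset": off, "length": None, "version": None,
                "abbrev_offset": None, "address_size": None, "problems": []}
        units.append(unit)
        if size - off < 4:
            unit["problems"].append("truncated: no room for unit_length")
            break
        (length,) = struct.unpack_from("<I", section, off)
        unit["length"] = length
        if length == DWARF64_ESCAPE:
            unit["problems"].append("64-bit DWARF unit: not handled by this walker")
            break
        body = off + 4                  # first byte after unit_length
        end = body + length             # first byte of the next unit (if the length is honest)
        avail = min(end, size) - body   # header bytes that are inside both the unit and the section
        if avail >= 2:
            (version,) = struct.unpack_from("<H", section, body)
            unit["version"] = version
            if version not in SUPPORTED_VERSIONS:
                unit["problems"].append(f"unsupported version {version}")
            need = V5_HEADER if version == 5 else PRE_V5_HEADER
            if avail >= need:
                if version == 5:
                    # DWARF 5 reorders the header fields relative to DWARF 2-4.
                    _unit_type, addr_size, abbrev = struct.unpack_from("<BBI", section, body + 2)
                else:
                    abbrev, addr_size = struct.unpack_from("<IB", section, body + 2)
                unit["abbrev_offset"], unit["address_size"] = abbrev, addr_size
                if addr_size not in VALID_ADDRESS_SIZES:
                    unit["problems"].append(f"invalid address size {addr_size}")
            else:
                unit["problems"].append(f"unit_length {length:#x} too short for a CU header")
        else:
            unit["problems"].append(f"unit_length {length:#x} too short for a CU header")
        if end > size:
            unit["problems"].append(f"unit_length {length:#x} runs past the end of the section")
            break
        off = end
    return units


def build_corrupt_debug_info() -> bytes:
    """Constructed input (not the PoC) mirroring the header values objdump printed."""
    cu0 = struct.pack("<IHIB", 0x10, 21, 0, 0)          # @0x00: version 21, address size 0
    cu0 += b"\0" * (4 + 0x10 - len(cu0))                # pad to the stated unit length
    cu1 = struct.pack("<IH", 0x2, 48)                   # @0x14: length 2 holds only the version
    cu2 = struct.pack("<IHIB", 0x140000, 0, 0x11, 23)   # @0x1a: length far beyond the section
    return cu0 + cu1 + cu2 + b"\0" * 16                 # trailing padding, still far short of 0x140000


def build_valid_debug_info() -> bytes:
    """Control input: a single well-formed DWARF 4 unit consisting of just its header."""
    return struct.pack("<IHIB", PRE_V5_HEADER, 4, 0, 8)


if __name__ == "__main__":
    for name, data in (("valid", build_valid_debug_info()), ("corrupt", build_corrupt_debug_info())):
        print(f"== {name} section ({len(data)} bytes)")
        for u in parse_cu_headers(data):
            print(f"  CU @ {u['offset']:#x}: length={u['length']} version={u['version']} "
                  f"abbrev={u['abbrev_offset']} addr_size={u['address_size']} "
                  f"problems={u['problems'] or 'none'}")
```

The design point is the `avail` computation: a field is read only when it lies inside both the section and the unit's own claimed extent, and a unit whose length is too short to hold its header is skipped rather than having its missing fields read out of the following unit. Objdump's approach of substituting a default pointer size and continuing is reasonable for a diagnostic tool, but every later consumer of those headers then has to cope with values that were never actually present in the file.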