The libdw library provides support for accessing DWARF debugging information inside ELF files. An integer overflow flaw in check_section(), leading to a heap-based buffer overflow, was found in the libdw library. A malicious ELF file could cause an application using libdw (such as eu-readelf) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
This issue affects versions 0.153 and later.
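Added example, not libdw's code and not part of this bug report, showing the arithmetic behind the summary: a constructed section header with a 4-byte prefix followed by a big-endian 64-bit size (assumed layout, matching the memcpy at offset 4 and be64toh in the patch), and the `sizeof (Elf_Data) + size` allocation computed once unchecked and once with an overflow guard. The `Elf_Data` struct, the prefix bytes and the header bytes are all stand-ins constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for libelf's Elf_Data header that precedes the inflated data
   (constructed for this example; the real struct is libelf's). */
typedef struct { void *d_buf; size_t d_size; uint64_t d_off; } Elf_Data;

/* Decode the big-endian 64-bit size stored after a 4-byte prefix: the
   field check_section() reads with memcpy at offset 4 and be64toh. */
static uint64_t header_size(const unsigned char *hdr)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | hdr[4 + i];
    return v;
}

/* Pre-fix arithmetic: unsigned addition wraps, so a huge attacker-chosen
   size turns into a tiny allocation, which is the root of the heap overflow. */
static uint64_t alloc_size_unchecked(uint64_t size)
{
    return (uint64_t) sizeof (Elf_Data) + size;
}

/* Guarded arithmetic: returns 0 (never a valid total) when the sum would
   wrap past UINT64_MAX or exceed SIZE_MAX; the second test matters on
   32-bit builds, where size_t is narrower than the 64-bit header field. */
static size_t alloc_size_checked(uint64_t size)
{
    if (UINT64_MAX - size < sizeof (Elf_Data))   /* the check from the patch */
        return 0;
    uint64_t total = (uint64_t) sizeof (Elf_Data) + size;
    if (total > (uint64_t) SIZE_MAX)             /* would truncate in malloc */
        return 0;
    return (size_t) total;
}

/* Constructed hostile header: 4-byte prefix, then size 0xFFFFFFFFFFFFFFF0. */
static const unsigned char hostile_hdr[12] = {
    'M', 'A', 'G', 'C', 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0 };

int main(void)
{
    uint64_t size = header_size(hostile_hdr);
    printf("unchecked total: %llu bytes\n",
           (unsigned long long) alloc_size_unchecked(size));
    printf("checked total:   %zu (0 = rejected)\n", alloc_size_checked(size));
    return 0;
}
```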
A possible patch from Mark Wielaard:
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..cf37013 100644
@@ -282,6 +282,9 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
memcpy (&size, data->d_buf + 4, sizeof size);
size = be64toh (size);
+ if (unlikely (UINT64_MAX - size < sizeof (Elf_Data)))
Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
if (unlikely (zdata == NULL))
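Review bot: the added `+ if (unlikely (UINT64_MAX - size < sizeof (Elf_Data)))` has no visible body; the hunk header announces three added lines but only this one `+` line appears, and it is followed directly by the unchanged `Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);`, so as shown the condition guards nothing (either the bail-out lines were lost in extraction or the error return is missing). Separately, `size` is a 64-bit value (`size = be64toh (size);`) while `malloc` takes `size_t`, so on a 32-bit build a size that passes the UINT64_MAX test can still be truncated when `sizeof (Elf_Data) + size` is converted for `malloc`; testing `size > SIZE_MAX - sizeof (Elf_Data)` covers both the 64-bit wrap and the narrower size_t.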
Created elfutils tracking bugs for this issue:
Affects: fedora-all [bug 1085729]
The patch submitted upstream has a slightly simpler check because unsigned overflow is well defined (unlike unsigned overflow, which would cause undefined behaviour, and for which the approach in comment #5 would be more appropriate):
elfutils-0.158-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
elfutils-0.158-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue was fixed in Red Hat Enterprise Linux via the following advisory: