Bug 1232265 (CVE-2015-3239) - CVE-2015-3239 libunwind: off-by-one in dwarf_to_unw_regnum()
Summary: CVE-2015-3239 libunwind: off-by-one in dwarf_to_unw_regnum()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3239
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1233114 1238264 1238265 1238852 1238853 1238854 1238855 1238856 1238857 1238858 1238859 1250665
Blocks: 1232274
TreeView+ depends on / blocked
 
Reported: 2015-06-16 11:44 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:33 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An off-by-one array indexing error was found in the libunwind API, which could cause an error when reading untrusted binaries or dwarf debug info data. Red Hat products do not call the API in this way; and it is unlikely that any exploitable attack vector exists in current builds or supported usage.
Clone Of:
Environment:
Last Closed: 2016-01-28 20:51:00 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1675 normal SHIPPED_LIVE Low: libunwind security update 2015-08-24 23:57:58 UTC
GNU Savannah 45276 None None None Never
Red Hat Product Errata RHSA-2015:1768 normal SHIPPED_LIVE Low: libunwind security update 2015-09-10 16:05:00 UTC
Red Hat Product Errata RHSA-2015:1769 normal SHIPPED_LIVE Low: libunwind security update 2015-09-10 16:04:37 UTC

Description Vasyl Kaigorodov 2015-06-16 11:44:54 UTC
Paolo Bonzini from Red Hat reported following issue in libunwind:

An invalid DW_OP_bregXX opcodes can access dwarf_to_unw_regnum_map one
item past the end. Spotted by Coverity, suggested patch below:

"""
--- a/include/dwarf_i.h
+++ b/include/dwarf_i.h
@@ -20,7 +20,7 @@
extern const uint8_t dwarf_to_unw_regnum_map[DWARF_REGNUM_MAP_LENGTH];
/* REG is evaluated multiple times; it better be side-effects free! */
# define dwarf_to_unw_regnum(reg) \
- (((reg) <= DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0)
+ (((reg) < DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0)
#endif

#ifdef UNW_LOCAL_ONLY
"""

Upstream bug: http://savannah.nongnu.org/bugs/?45276

Comment 4 Vasyl Kaigorodov 2015-07-01 13:40:08 UTC
Created libunwind tracking bugs for this issue:

Affects: fedora-all [bug 1238264]
Affects: epel-all [bug 1238265]

Comment 9 Fedora Update System 2015-07-21 08:08:54 UTC
libunwind-1.1-10.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-07-30 00:37:15 UTC
libunwind-1.1-10.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Garth Mollett 2015-07-31 00:57:32 UTC
Acknowledgements:

This issue was discovered by Paolo Bonzini of Red Hat.

Comment 13 Fedora Update System 2015-07-31 18:34:12 UTC
libunwind-1.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-07-31 18:35:58 UTC
libunwind-1.1-10.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 errata-xmlrpc 2015-08-24 19:58:08 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1675 https://rhn.redhat.com/errata/RHSA-2015-1675.html

Comment 20 errata-xmlrpc 2015-09-10 12:04:49 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:1769 https://rhn.redhat.com/errata/RHSA-2015-1769.html

Comment 21 errata-xmlrpc 2015-09-10 12:05:14 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:1768 https://rhn.redhat.com/errata/RHSA-2015-1768.html


Note You need to log in before you can comment on or make changes to this bug.