Bug 1289385 - out-of-bounds read in libdwarf
Summary: out-of-bounds read in libdwarf
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libdwarf
Version: rawhide
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Tom Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2015-8538
 
Reported: 2015-12-08 00:38 UTC by xqx
Modified: 2015-12-14 14:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-09 09:03:04 UTC
Type: Bug
Embargoed:


Attachments
the elf file with bug (212.82 KB, application/zip), 2015-12-08 00:38 UTC, xqx

Description xqx 2015-12-08 00:38:56 UTC
Created attachment 1103406: the elf file with bug

There is an out-of-bounds read in the latest release version, dwarf-20151114, and we have tested the other version, dwarf-20140805, so we guess the versions between these two will be affected too.
When an odd ELF file is passed to dwarfdump, it causes a segmentation fault by invalid memory access. Please see the attachment for the ELF file.

=========================================
Details: 
==========================================


If an ELF file is passed to dwarfdump, a SIGSEGV will occur in libdwarf/dwarf_leb.c.
Please see the attachment for the ELF file.


When debugging it with gdb, the error information is as follows:

--------------------------------
Program received signal SIGSEGV, Segmentation fault.
_dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
57          if ((*leb128 & 0x80) == 0) {

(gdb) bt
#0  _dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
#1  0x00000000004319fb in dwarf_attrlist (die=die@entry=0x6bb850, attrbuf=attrbuf@entry=0x7fffffffdb18, attrcnt=attrcnt@entry=0x7fffffffdb10, error=0x67c298 <err>) at dwarf_query.c:246
#2  0x0000000000410909 in print_one_die (dbg=dbg@entry=0x67ef00, die=die@entry=0x6bb850, print_information=1, die_indent_level=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0, ignore_die_stack=ignore_die_stack@entry=0) at print_die.c:1211
#3  0x00000000004111d8 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6a4a30, is_info=is_info@entry=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0) at print_die.c:896
#4  0x00000000004115e5 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6811a0, is_info=is_info@entry=1, srcfiles=0x0, cnt=0) at print_die.c:990
#5  0x0000000000411d1f in print_die_and_children (cnt=<optimized out>, srcfiles=<optimized out>, is_info=1, in_die_in=<optimized out>, dbg=0x67ef00) at print_die.c:778
#6  print_one_die_section (dbg=0x67ef00, is_info=is_info@entry=1) at print_die.c:725
#7  0x00000000004126a3 in print_infos (dbg=<optimized out>, is_info=is_info@entry=1) at print_die.c:319
#8  0x000000000040217a in process_one_file (config_file_data=0x6660c0 <config_file_data>, archive=0, tied_file_name=0x0, file_name=0x67d110 "./simplereader.elf", elftied=0x0, elf=<optimized out>) at dwarfdump.c:1280
#9  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:630

-----------------------------------------------

Comment 1 Tom Hughes 2015-12-08 09:19:51 UTC
This is almost certainly an upstream bug given that we don't really do any patching of libdwarf (and assuming that the DWARF in your file is valid of course).

Comment 2 Tom Hughes 2015-12-08 09:21:32 UTC
Interesting that although readelf doesn't crash, it does issue various warnings about the debug data:

% readelf --debug-dump simplereader.elf > /tmp/readelf
readelf: Warning: Corrupt attribute block length: 72617744
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d8f in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d90 in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d91 in .debug_info section
readelf: Warning: Further warnings about bogus end-of-sibling markers suppressed
readelf: Warning: Corrupt attribute block length: 72617744

Comment 3 Tom Hughes 2015-12-08 09:32:31 UTC
This is (from readelf) the entry that is crashing it:

 <1><3047>: Abbrev Number: 30 (DW_TAG_structure_type)
    <3048>   DW_AT_sibling     : <0x375e>
    <304c>   DW_AT_name        : 219477 byte block: 66 5f 44 ...

Note that readelf is reporting a structure with a 219477 byte name (I've truncated it, but it really did output a massively long line), which seems very wrong...

Comment 4 Tom Hughes 2015-12-08 10:30:46 UTC
I think I have a fix (to make it safely abort instead of crashing) and I've asked upstream about it. The actual problem is this seemingly corrupt abbreviation entry:

<   67><0x00000390><code:  30> DW_TAG_structure_type        DW_children_yes
       <0x00000393>              DW_AT_sibling               DW_FORM_ref4
       <0x00000395>              DW_AT_name                  DW_FORM_block4
       <0x00000397>              <Unknown AT value 0x0>      <Unknown FORM value 0x7f>
<   68><0x000003a0><code:   0> null .debug_abbrev entry
<   69><0x000003a1><code:   0> null .debug_abbrev entry
<   70><0x000003a2><code:   3> DW_TAG_imported_declaration        <Unknown children value 0x49>
       <0x000003a5>              DW_AT_language              <Unknown FORM value 0x3f>
       <0x000003a7>              DW_AT_bit_offset            <Unknown FORM value 0x3a>
       <0x000003a9>              DW_AT_byte_size             <Unknown FORM value 0x3b>
       <0x000003ab>              DW_AT_byte_size             <Unknown FORM value 0x2>
       <0x000003ad>              DW_AT_subscr_data           <Unknown FORM value 0x0>
       <0x000003af>              <Unknown AT value 0x0>      DW_FORM_ref_sig8
       <0x000003b1>              DW_AT_artificial            <Unknown FORM value 0x0>
       <0x000003b3>              DW_AT_name                  DW_FORM_string
       <0x000003b5>              DW_AT_type                  DW_FORM_ref4
       <0x000003b7>              DW_AT_decl_file             DW_FORM_data1
       <0x000003b9>              DW_AT_decl_line             DW_FORM_data1
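
The failure mode behind the backtrace in the description and the corrupt abbreviation in Comment 4 is a length-prefixed attribute value: the DW_FORM_block4 name carries a 4-byte length (219477 here) that is trusted when the reader advances to the next DIE, so the cursor ends up outside .debug_info and `_dwarf_decode_u_leb128` dereferences an out-of-range pointer while reading the next abbreviation code. The C program below is an added example written for this page; it is not libdwarf's code or the upstream patch, and the byte sequences, the two form codes it models and all function names are constructed for illustration. It puts an unchecked ULEB128 loop of the same shape as the faulting one beside a bounds-checked one, and a naive DIE-value walker beside one that validates every embedded length against the section end and refuses unknown forms (such as the FORM 0x7f in the abbreviation above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DW_FORM_block4 = 0x04, DW_FORM_ref4 = 0x13 }; /* form codes used below */

/* Unchecked ULEB128 decode, the shape of the loop that faulted in dwarf_leb.c:
 * it reads until a byte lacks the 0x80 continuation bit and trusts that `p`
 * points inside the section. */
static uint64_t uleb128_unchecked(const uint8_t *p, size_t *len)
{
    uint64_t v = 0; unsigned shift = 0; size_t n = 0;
    for (;;) {
        uint8_t b = p[n++];
        v |= (uint64_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0) break;
        shift += 7;
    }
    *len = n;
    return v;
}

/* Bounds-checked ULEB128 decode: never reads at or past `end`, and gives up
 * after 10 bytes (enough for 64 bits) so a run of continuation bytes cannot
 * keep it walking. Returns 1 on success, 0 if truncated or over-long. */
static int uleb128_checked(const uint8_t *p, const uint8_t *end,
                           uint64_t *out, size_t *len)
{
    uint64_t v = 0; unsigned shift = 0; size_t n = 0;
    while (p + n < end && n < 10) {
        uint8_t b = p[n++];
        v |= (uint64_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0) { *out = v; *len = n; return 1; }
        shift += 7;
    }
    return 0;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Naive skip over one DIE's attribute values: trusts every embedded length, so
 * a DW_FORM_block4 claiming 219477 bytes moves `off` far beyond the section,
 * and decoding the next abbrev code there is the invalid read in the report. */
static size_t skip_values_naive(const uint8_t *sec, size_t off,
                                const uint8_t *forms, size_t nforms)
{
    for (size_t i = 0; i < nforms; i++) {
        if (forms[i] == DW_FORM_ref4)   off += 4;
        if (forms[i] == DW_FORM_block4) off += 4 + rd32le(sec + off);
    }
    return off;
}

/* Checked skip: each advance is validated against `sec_len`, the block length is
 * compared with the bytes actually left, and an unknown form (like FORM 0x7f in
 * the corrupt abbreviation) is refused rather than guessed. Returns the next
 * DIE's offset, or SIZE_MAX if the values do not fit inside the section. */
static size_t skip_values_checked(const uint8_t *sec, size_t sec_len, size_t off,
                                  const uint8_t *forms, size_t nforms)
{
    for (size_t i = 0; i < nforms; i++) {
        size_t left = off <= sec_len ? sec_len - off : 0, need;
        switch (forms[i]) {
        case DW_FORM_ref4:
            need = 4;
            break;
        case DW_FORM_block4:             /* length prefix is attacker-controlled */
            if (left < 4 || rd32le(sec + off) > left - 4) return SIZE_MAX;
            need = 4 + rd32le(sec + off);
            break;
        default:
            return SIZE_MAX;
        }
        if (need > left) return SIZE_MAX;
        off += need;
    }
    return off;
}

/* Constructed sample bytes (not taken from the attached file): one DIE using
 * abbreviation 30 from Comment 4 (DW_AT_sibling as ref4, DW_AT_name as block4)
 * with the block length set to 219477 while only 3 bytes actually follow. */
static const uint8_t CORRUPT_DIE[] = {
    0x1e,                   /* abbrev code 30 as ULEB128 */
    0x5e, 0x37, 0x00, 0x00, /* DW_AT_sibling: ref4 0x375e */
    0x55, 0x59, 0x03, 0x00, /* DW_AT_name: block4 length 219477 */
    0x66, 0x5f, 0x44,       /* the only block bytes present */
};
/* The same DIE with an honest block length of 3. */
static const uint8_t SANE_DIE[] = {
    0x1e, 0x5e, 0x37, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x66, 0x5f, 0x44,
};
static const uint8_t ABBREV30_FORMS[] = { DW_FORM_ref4, DW_FORM_block4 };

int main(void)
{
    uint64_t code; size_t n;
    if (!uleb128_checked(CORRUPT_DIE, CORRUPT_DIE + sizeof CORRUPT_DIE, &code, &n))
        return 1;
    size_t naive = skip_values_naive(CORRUPT_DIE, n, ABBREV30_FORMS, 2);
    size_t safe = skip_values_checked(CORRUPT_DIE, sizeof CORRUPT_DIE, n, ABBREV30_FORMS, 2);
    printf("abbrev %llu: naive next DIE at %zu in a %zu-byte section, checked walk %s\n",
           (unsigned long long)code, naive, sizeof CORRUPT_DIE,
           safe == SIZE_MAX ? "rejected" : "accepted");
    (void)uleb128_unchecked(SANE_DIE, &n); /* in bounds here: the code byte is present */
    printf("sane DIE: next DIE at %zu\n",
           skip_values_checked(SANE_DIE, sizeof SANE_DIE, n, ABBREV30_FORMS, 2));
    return 0;
}
```

On the corrupt sample the naive walker places the next DIE at offset 219486 of a 12-byte section; decoding the following abbreviation code there with the unchecked loop is the same kind of read that faulted at dwarf_leb.c:57. The checked walker returns SIZE_MAX instead, which is the "safely abort instead of crashing" behaviour Comment 4 describes the fix as aiming for. A real reader also has to cap the ULEB128 decode itself, since a run of 0x80 bytes up to the section end is just as reachable from a crafted file as a bogus block length.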

Comment 5 Tom Hughes 2015-12-09 09:03:04 UTC
Upstream patch applied in libdwarf-20151114-2.fc24 build.

