Bug 1289385 - out of bound read in libdwarf
out of bound read in libdwarf
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libdwarf (Show other bugs)
rawhide
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Tom Hughes
Fedora Extras Quality Assurance
:
Depends On:
Blocks: CVE-2015-8538
  Show dependency treegraph
 
Reported: 2015-12-07 19:38 EST by xqx
Modified: 2015-12-14 09:35 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-09 04:03:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
the elf file with bug (212.82 KB, application/zip)
2015-12-07 19:38 EST, xqx
no flags Details

  None (edit)
Description xqx 2015-12-07 19:38:56 EST
Created attachment 1103406 [details]
the elf file with bug

There is a out of bound read in  latest release version dwarf-20151114, and we have tested the other version dwarf-20140805, so we guess the versions which are between these two version will be affected too.
when an odd elf file passed to dwarfdump, it would cause segment fault by invalid memory access.  please see the attachment for the elf file.

=========================================
Details: 
==========================================


if an elf file is passed to dwarfdump, a SIGSEGV will occur in libdwarf/dwarf_leb.c. 
please see attachment for the elf file.


when debugging it with gdb, the error information as follows:

--------------------------------
Program received signal SIGSEGV, Segmentation fault.
_dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
57          if ((*leb128 & 0x80) == 0) {

(gdb) bt
#0  _dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
#1  0x00000000004319fb in dwarf_attrlist (die=die@entry=0x6bb850, attrbuf=attrbuf@entry=0x7fffffffdb18, attrcnt=attrcnt@entry=0x7fffffffdb10, error=0x67c298 <err>) at dwarf_query.c:246
#2  0x0000000000410909 in print_one_die (dbg=dbg@entry=0x67ef00, die=die@entry=0x6bb850, print_information=1, die_indent_level=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0, ignore_die_stack=ignore_die_stack@entry=0) at print_die.c:1211
#3  0x00000000004111d8 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6a4a30, is_info=is_info@entry=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0) at print_die.c:896
#4  0x00000000004115e5 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6811a0, is_info=is_info@entry=1, srcfiles=0x0, cnt=0) at print_die.c:990
#5  0x0000000000411d1f in print_die_and_children (cnt=<optimized out>, srcfiles=<optimized out>, is_info=1, in_die_in=<optimized out>, dbg=0x67ef00) at print_die.c:778
#6  print_one_die_section (dbg=0x67ef00, is_info=is_info@entry=1) at print_die.c:725
#7  0x00000000004126a3 in print_infos (dbg=<optimized out>, is_info=is_info@entry=1) at print_die.c:319
#8  0x000000000040217a in process_one_file (config_file_data=0x6660c0 <config_file_data>, archive=0, tied_file_name=0x0, file_name=0x67d110 "./simplereader.elf", elftied=0x0, elf=<optimized out>) at dwarfdump.c:1280
#9  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:630

-----------------------------------------------
Comment 1 Tom Hughes 2015-12-08 04:19:51 EST
This is almost certainly an upstream bug given that we don't really do any patching of libdwarf (and assuming that the DWARF in your file is valid of course).
Comment 2 Tom Hughes 2015-12-08 04:21:32 EST
Interesting that although readelf doesn't crash it does issue various warnings about the debug data:

% readelf --debug-dump simplereader.elf > /tmp/readelf
readelf: Warning: Corrupt attribute block length: 72617744
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d8f in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d90 in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d91 in .debug_info section
readelf: Warning: Further warnings about bogus end-of-sibling markers suppressed
readelf: Warning: Corrupt attribute block length: 72617744
Comment 3 Tom Hughes 2015-12-08 04:32:31 EST
This is (from readelf) the entry that is crashing it:

 <1><3047>: Abbrev Number: 30 (DW_TAG_structure_type)
    <3048>   DW_AT_sibling     : <0x375e>
    <304c>   DW_AT_name        : 219477 byte block: 66 5f 44 ...

Note that readelf is report a structure with a 219477 byte name (I've truncated it but it really did output a massively long line) which seems very wrong...
Comment 4 Tom Hughes 2015-12-08 05:30:46 EST
I think I have a fix (to make it safely abort instead of crashing) and I've asked upstream about it. The actual problem is this seemingly corrupt abbreviation entry:

<   67><0x00000390><code:  30> DW_TAG_structure_type        DW_children_yes
       <0x00000393>              DW_AT_sibling               DW_FORM_ref4
       <0x00000395>              DW_AT_name                  DW_FORM_block4
       <0x00000397>              <Unknown AT value 0x0>      <Unknown FORM value 0x7f>
<   68><0x000003a0><code:   0> null .debug_abbrev entry
<   69><0x000003a1><code:   0> null .debug_abbrev entry
<   70><0x000003a2><code:   3> DW_TAG_imported_declaration        <Unknown children value 0x49>
       <0x000003a5>              DW_AT_language              <Unknown FORM value 0x3f>
       <0x000003a7>              DW_AT_bit_offset            <Unknown FORM value 0x3a>
       <0x000003a9>              DW_AT_byte_size             <Unknown FORM value 0x3b>
       <0x000003ab>              DW_AT_byte_size             <Unknown FORM value 0x2>
       <0x000003ad>              DW_AT_subscr_data           <Unknown FORM value 0x0>
       <0x000003af>              <Unknown AT value 0x0>      DW_FORM_ref_sig8
       <0x000003b1>              DW_AT_artificial            <Unknown FORM value 0x0>
       <0x000003b3>              DW_AT_name                  DW_FORM_string
       <0x000003b5>              DW_AT_type                  DW_FORM_ref4
       <0x000003b7>              DW_AT_decl_file             DW_FORM_data1
       <0x000003b9>              DW_AT_decl_line             DW_FORM_data1
Comment 5 Tom Hughes 2015-12-09 04:03:04 EST
Upstream patch applied in libdwarf-20151114-2.fc24 build.

Note You need to log in before you can comment on or make changes to this bug.