Bug 1332149 - Null dereference bug in READ_AREA_LENGTH()
Summary: Null dereference bug in READ_AREA_LENGTH()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libdwarf
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tom Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-05-02 11:25 UTC by lieanu
Modified: 2016-05-12 16:13 UTC (History)
2 users (show)

Fixed In Version: libdwarf-20160507-1.fc24
Clone Of:
Environment:
Last Closed: 2016-05-12 16:13:40 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Null 02 bug (9.22 KB, application/x-executable)
2016-05-02 11:25 UTC, lieanu 		no flags Details
View All

Description lieanu 2016-05-02 11:25:56 UTC 
Created attachment 1152912 [details]
Null 02 bug

Hi,

I have informed this bug to upstream, reporting it here just for bug tracking, thanks.

Null dereference bug in lastest libdwarf git code.

0x2aaaaacde455   <_dwarf_make_CU_Context+181>  add    rsi,r12
0x2aaaaacde458   <_dwarf_make_CU_Context+184>  repz cmps BYTE PTR ds [rsi],BYTE PTR es [rdi]
0x2aaaaacde45a   <_dwarf_make_CU_Context+186>  jne    0x2aaaaacde467 <_dwarf_make_CU_Context+199>
0x2aaaaacde45c   <_dwarf_make_CU_Context+188>  mov    DWORD PTR [r14+0x138],0x1
0x2aaaaacde467   <_dwarf_make_CU_Context+199>  lea    rax,[rsp+0x58]             <- $pc
0x2aaaaacde46c   <_dwarf_make_CU_Context+204>  mov    QWORD PTR [rsp+0x58],0x0
0x2aaaaacde475   <_dwarf_make_CU_Context+213>  mov    edx,0x4
0x2aaaaacde47a   <_dwarf_make_CU_Context+218>  mov    rsi,r13
0x2aaaaacde47d   <_dwarf_make_CU_Context+221>  mov    QWORD PTR [rsp],rax
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[source:dwarf_die_deliv.c+293]--
 289         if (section_name_ends_with_dwo(secname)) {
 290             cu_context->cc_is_dwo = TRUE;
 291         }
 292         /* READ_AREA_LENGTH updates cu_ptr for consumed bytes */
 293         READ_AREA_LENGTH(dbg, length, Dwarf_Unsigned,               <- $pc
 294             cu_ptr, local_length_size, local_extension_size);
 295         cu_context->cc_length_size = local_length_size;
 296         cu_context->cc_extension_size = local_extension_size;
 297     
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[trace]--
#0  _dwarf_make_CU_Context (dbg=dbg@entry=0x655a40, offset=offset@entry=0, is_info=is_info@entry=1, context_out=context_out@entry=0x7fffffffd758, error=error@entry=0x7fffffffdb28) at dwarf_die_deliv.c:293
#1  0x00002aaaaacdf666 in _dwarf_next_cu_header_internal (dbg=dbg@entry=0x655a40, is_info=is_info@entry=1, cu_header_length=cu_header_length@entry=0x7fffffffd960, version_stamp=version_stamp@entry=0x7fffffffd956, abbrev_offset=abbrev_offset@entry=0x7fffffffd968, address_size=address_size@entry=0x7fffffffd958, offset_size=offset_size@entry=0x7fffffffd95c, extension_size=extension_size@
entry=0x7fffffffd95a, signature_out=signature_out@entry=0x7fffffffd9d0, has_signature=has_signature@entry=0x0, typeoffset=typeoffset@entry=0x7fffffffd970, next_cu_offset=next_cu_offset@entry=0x7fffffffd978, header_type=header_type@entry=0x7fffffffd95e, error=error@entry=0x7fffffffdb28) at dwarf_die_deliv.c:852
#2  0x00002aaaaacdfaea in dwarf_next_cu_header_d (dbg=dbg@entry=0x655a40, is_info=is_info@entry=1, cu_header_length=cu_header_length@entry=0x7fffffffd960, version_stamp=version_stamp@entry=0x7fffffffd956, abbrev_offset=abbrev_offset@entry=0x7fffffffd968, address_size=address_size@entry=0x7fffffffd958, offset_size=offset_size@entry=0x7fffffffd95c, extension_size=extension_size@entry=0x7fffffffd95a, signature=signature@entry=0x7fffffffd9d0, typeoffset=typeoffset@entry=0x7fffffffd970, next_cu_offset=next_cu_offset@entry=0x7fffffffd978, header_cu_type=header_cu_type@entry=0x7fffffffd95e, error=error@entry=0x7fffffffdb28) at dwarf_die_deliv.c:606
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
gdb > p cu_ptr
$1 = (Dwarf_Byte_Ptr) 0x0

READ_AREA_LENGTH() (especially READ_UNALIGNED())is a unsafe function, no source and dest ptr checking. 
Using READ_UNALIGNED_CK() may be a better choice.
Comment 1 Tom Hughes 2016-05-02 11:34:24 UTC 
If you really want to open these bugs then please feel free, but all you're actually doing is creating work for me because when the next libdwarf release comes out I will have to go through each one by hand and check that it is fixed :-(
Comment 2 lieanu 2016-05-02 11:43:39 UTC 
I'm very sorry for that.
I just want to request CVE IDs for these bugs, but email in libdwarf-list cannot be referred outside(No public url can point to there).
So I think that reporting these bugs here maybe a better choice. 
If you have any other better ideas, please let me know, thanks a lot.

Yue Liu,
Comment 3 Fedora Update System 2016-05-08 10:27:11 UTC 
libdwarf-20160507-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5
Comment 4 Fedora Update System 2016-05-09 00:54:57 UTC 
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5
Comment 5 Fedora Update System 2016-05-12 16:13:05 UTC 
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.