Created attachment 1201947
poc

# Vulnerability

libdwarf line_ptr in dwarf_line_table_reader_common.c:1433 Out-of-Bounds read

# Version

libdwarf-20160613 ( https://www.prevanders.net/libdwarf-20160613.tar.gz )

# Address Sanitizer Output

==27763==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4603f84 at pc 0x8408ede bp 0xffff6518 sp 0xffff6510
READ of size 1 at 0xf4603f84 thread T0
    #0 0x8408edd in read_line_table_program /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433
    #1 0x83f716c in _dwarf_internal_srclines /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:690
    #2 0x841436c in dwarf_srclines_b /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:944
    #3 0x81fbc28 in print_line_numbers_this_cu /home/puzzor/test-fuzzing/code/dwarfdump/print_lines.c:763
    #4 0x815c191 in print_one_die_section /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:850
    #5 0x81565c1 in print_infos /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:371
    #6 0x80eee08 in process_one_file /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:1354
    #7 0x80e67ea in main /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:647
    #8 0xf7d67af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x80d24d4 in _start (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80d24d4)

0xf4603f84 is located 0 bytes to the right of 1796-byte region [0xf4603880,0xf4603f84)
allocated by thread T0 here:
    #0 0x80bb101 in malloc (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80bb101)
    #1 0xf7faf517 (/usr/lib/i386-linux-gnu/libelf.so.1+0x9517)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433 read_line_table_program
Shadow bytes around the buggy address:
  0x3e8c07a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e8c07f0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==27763==ABORTING

# PoC

See poc

# Report Timeline

2016-09-16: Shi Ji(@Puzzor) discovered this issue

# Credit

Shi Ji(@Puzzor)
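The ASan report above shows read_line_table_program fetching one byte through line_ptr exactly at the end of the 1796-byte heap region holding the line table, i.e. the opcode walker trusted the stream to contain the operand it wanted. The following is an added example, not libdwarf's or dwarfdump's code: a toy reader for a small subset of the DWARF line-number program (DW_LNS_copy, DW_LNS_advance_pc, DW_LNS_advance_line, extended opcodes and special opcodes) in which every fetch is bounded by an explicit end pointer, so a truncated LEB128 operand or an extended-opcode length larger than the bytes remaining is reported as an error rather than read. The header values (opcode_base 13, line_base -5, line_range 14), the error codes and the byte sequences are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libdwarf's code: a bounded reader for a subset of the
 * DWARF line-number program. Every byte taken from the section buffer is
 * checked against `end` first, so a truncated operand fails cleanly instead
 * of reading past the allocation as in the report above. */

enum { LNS_COPY = 1, LNS_ADVANCE_PC = 2, LNS_ADVANCE_LINE = 3 };
enum { LNE_END_SEQUENCE = 1 };
enum { LP_OK = 0, LP_TRUNCATED = -1, LP_MALFORMED = -2 };   /* constructed codes */

struct line_state {
    uint64_t address;
    int64_t line;
    unsigned rows;   /* rows appended to the line table */
    int ended;       /* saw DW_LNE_end_sequence */
};

/* Single choke point for byte reads: refuses to step past `end`. */
static int read_u8(const uint8_t **p, const uint8_t *end, uint8_t *out) {
    if (*p >= end) return LP_TRUNCATED;
    *out = *(*p)++;
    return LP_OK;
}

/* ULEB128/SLEB128 decoder; a continuation bit with no following byte is the
 * exact shape of bug the sanitizer trace shows. */
static int read_leb128(const uint8_t **p, const uint8_t *end, int is_signed, uint64_t *out) {
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte;
    do {
        if (shift >= 64) return LP_MALFORMED;            /* longer than 64 bits */
        if (read_u8(p, end, &byte) != LP_OK) return LP_TRUNCATED;
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (is_signed && shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;                 /* sign-extend */
    *out = result;
    return LP_OK;
}

/* Walks the opcode stream in buf[0..len). opcode_base, line_base and
 * line_range would come from the line table header in a real reader. */
int run_line_program(const uint8_t *buf, size_t len, unsigned opcode_base,
                     unsigned line_range, int line_base, struct line_state *st) {
    const uint8_t *p = buf, *end = buf + len;
    memset(st, 0, sizeof *st);
    st->line = 1;
    if (line_range == 0) return LP_MALFORMED;
    while (p < end && !st->ended) {
        uint8_t op;
        uint64_t v;
        int rc = read_u8(&p, end, &op);
        if (rc != LP_OK) return rc;
        if (op >= opcode_base) {                          /* special opcode */
            unsigned adj = op - opcode_base;
            st->address += adj / line_range;
            st->line += line_base + (int)(adj % line_range);
            st->rows++;
        } else if (op == 0) {                             /* extended opcode */
            if ((rc = read_leb128(&p, end, 0, &v)) != LP_OK) return rc;
            /* The length field comes from the file: it must not exceed the
             * bytes actually left in the buffer. */
            if (v == 0 || v > (uint64_t)(end - p)) return LP_TRUNCATED;
            if (*p++ == LNE_END_SEQUENCE) { st->rows++; st->ended = 1; }
            p += v - 1;                                   /* skip operands */
        } else if (op == LNS_COPY) {
            st->rows++;
        } else if (op == LNS_ADVANCE_PC) {
            if ((rc = read_leb128(&p, end, 0, &v)) != LP_OK) return rc;
            st->address += v;
        } else if (op == LNS_ADVANCE_LINE) {
            if ((rc = read_leb128(&p, end, 1, &v)) != LP_OK) return rc;
            st->line += (int64_t)v;
        } else {
            /* A real reader skips other standard opcodes via the header's
             * standard_opcode_lengths array; this toy rejects them. */
            return LP_MALFORMED;
        }
    }
    return st->ended ? LP_OK : LP_MALFORMED;             /* must end with end_sequence */
}

/* Constructed inputs for opcode_base 13, line_base -5, line_range 14. */
static const uint8_t kGood[] = {
    0x02, 0x10,        /* DW_LNS_advance_pc 16 */
    0x03, 0x04,        /* DW_LNS_advance_line +4 */
    0x01,              /* DW_LNS_copy */
    0x21,              /* special opcode 33: address +1, line +1 */
    0x00, 0x01, 0x01,  /* DW_LNE_end_sequence */
};
static const uint8_t kTruncatedOperand[] = { 0x02, 0x90 };   /* ULEB128 continues past end */
static const uint8_t kBadExtLength[] = { 0x00, 0x05, 0x01 }; /* claims 5 bytes, 1 present */

int main(void) {
    struct line_state st;
    int rc = run_line_program(kGood, sizeof kGood, 13, 14, -5, &st);
    printf("good: rc=%d address=%llu line=%lld rows=%u\n", rc,
           (unsigned long long)st.address, (long long)st.line, st.rows);
    printf("truncated operand: rc=%d\n",
           run_line_program(kTruncatedOperand, sizeof kTruncatedOperand, 13, 14, -5, &st));
    printf("bad extended length: rc=%d\n",
           run_line_program(kBadExtLength, sizeof kBadExtLength, 13, 14, -5, &st));
    return 0;
}
```

The two malformed inputs are the cases a fuzzer finds first: an operand whose continuation bit promises a byte the buffer does not have, and an extended-opcode length that would carry the cursor beyond the section. Both are caught by comparing against `end` before the pointer moves, which is the check the report's line 1433 lacked for this input.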
Hello, Please, use secalert to report security vulnerabilities to us next time. As for this issue, it looks like a local libdwarf crasher, which would make it low impact. Or is there something I have missed? You can try to post it to oss-security mailing list or request a CVE id from Mitre. Thanks!
Use CVE-2016-7510 for this
(In reply to puzzor from comment #2)
> Use CVE-2016-7510 for this

Thanks for this report! I have filed a proper vulnerability bug at: https://bugzilla.redhat.com/show_bug.cgi?id=1378718

However, this still seems to be a low impact issue in my opinion, which is why I have wontfixed it for RHEL. Next time, be sure to contact secalert directly please.

*** This bug has been marked as a duplicate of bug 1378718 ***
*** Bug 1378718 has been marked as a duplicate of this bug. ***