Bug 1377015 - libdwarf read_line_table_program Out-of-Bounds read
Summary: libdwarf read_line_table_program Out-of-Bounds read
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Andrej Nemec
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2016-09-17 14:25 UTC by puzzor
Modified: 2016-11-08 16:25 UTC (History)
Clone Of:
Last Closed: 2016-09-27 07:00:19 UTC


Attachments
poc (44.00 KB, application/x-object), 2016-09-17 14:25 UTC, puzzor

Description puzzor 2016-09-17 14:25:43 UTC
Created attachment 1201947 [details]
poc

# Vulnerability
libdwarf line_ptr in dwarf_line_table_reader_common.c:1433 Out-of-Bounds read

# Version
libdwarf-20160613  ( https://www.prevanders.net/libdwarf-20160613.tar.gz )

# Address Sanitizer Output
==27763==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4603f84 at pc 0x8408ede bp 0xffff6518 sp 0xffff6510
READ of size 1 at 0xf4603f84 thread T0
    #0 0x8408edd in read_line_table_program /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433
    #1 0x83f716c in _dwarf_internal_srclines /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:690
    #2 0x841436c in dwarf_srclines_b /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:944
    #3 0x81fbc28 in print_line_numbers_this_cu /home/puzzor/test-fuzzing/code/dwarfdump/print_lines.c:763
    #4 0x815c191 in print_one_die_section /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:850
    #5 0x81565c1 in print_infos /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:371
    #6 0x80eee08 in process_one_file /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:1354
    #7 0x80e67ea in main /home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump.c:647
    #8 0xf7d67af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x80d24d4 in _start (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80d24d4)

0xf4603f84 is located 0 bytes to the right of 1796-byte region [0xf4603880,0xf4603f84)
allocated by thread T0 here:
    #0 0x80bb101 in malloc (/home/puzzor/test-fuzzing/code/dwarfdump/dwarfdump+0x80bb101)
    #1 0xf7faf517 (/usr/lib/i386-linux-gnu/libelf.so.1+0x9517)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433 read_line_table_program
Shadow bytes around the buggy address:
  0x3e8c07a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8c07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e8c07f0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8c0810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e8c0840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==27763==ABORTING


# PoC
See poc

# Report Timeline
2016-09-16: Shi Ji (@Puzzor) discovered this issue

# Credit
Shi Ji (@Puzzor)
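
The ASan report above shows read_line_table_program reading one byte past the end of the 1796-byte heap buffer holding the line table, i.e. `line_ptr` advanced to the end of the buffer without a check. The following is an added example, not libdwarf's code and not derived from the PoC attachment: a small walker for a DWARF v2-v4 line-number program in which every read of the byte stream goes through a cursor that refuses to pass `end`, so a truncated or malformed program is reported as an error instead of being read out of bounds. The opcode subset, the header values, the sample program bytes and the helper names (`walk_line_program`, `demo_walk`) are all constructed for this example.

```c
/* Added example, not libdwarf's code: a bounds-checked walker for a DWARF
 * (v2-v4) line-number program. Every byte of the program is read through a
 * cursor that refuses to move past `end`, so a truncated or malformed
 * .debug_line contribution is reported as an error rather than read one
 * byte past the end of its heap buffer, which is the failure the ASan
 * report above attributes to read_line_table_program. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DW_LNS_copy = 1, DW_LNS_advance_pc = 2, DW_LNS_advance_line = 3,
       DW_LNS_set_file = 4, DW_LNS_set_column = 5, DW_LNS_negate_stmt = 6,
       DW_LNE_end_sequence = 1 };           /* subset of the standard opcodes */
enum { LT_OK = 0, LT_TRUNCATED = -1, LT_BAD_OPCODE = -2 };

typedef struct { const uint8_t *cur, *end; } cursor_t;   /* cur plays the role of line_ptr */
typedef struct { uint8_t opcode_base, line_range, min_inst_length; int8_t line_base; } line_hdr_t;
typedef struct { uint64_t address, file, column; int64_t line; } lrow_t;  /* state-machine registers */

/* Read one byte, or fail if `cur` has reached `end`. */
static int read_u8(cursor_t *c, uint8_t *out) {
    if (c->cur >= c->end) return LT_TRUNCATED;
    *out = *c->cur++;
    return LT_OK;
}

/* Bounds-checked LEB128 decode; `is_signed` selects SLEB128 sign extension. */
static int read_leb128(cursor_t *c, int is_signed, uint64_t *out) {
    uint64_t result = 0; unsigned shift = 0; uint8_t b; int rc;
    do {
        if (shift > 63) return LT_BAD_OPCODE;              /* overlong encoding */
        if ((rc = read_u8(c, &b)) != LT_OK) return rc;
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);
    if (is_signed && shift < 64 && (b & 0x40)) result |= ~(uint64_t)0 << shift;
    *out = result;
    return LT_OK;
}

/* Walk `len` bytes of line program. Returns LT_OK if the last sequence ends
 * with DW_LNE_end_sequence inside the buffer; *rows_out is the row count. */
int walk_line_program(const uint8_t *prog, size_t len, const line_hdr_t *h, size_t *rows_out) {
    cursor_t c = { prog, prog + len };
    lrow_t st = { 0, 1, 0, 1 };
    uint64_t u; int ended = 0, rc; uint8_t op;
    *rows_out = 0;
    if (h->line_range == 0) return LT_BAD_OPCODE;
    while (c.cur < c.end) {
        if ((rc = read_u8(&c, &op)) != LT_OK) return rc;
        ended = 0;
        if (op >= h->opcode_base) {                        /* special opcode: one row */
            uint8_t adj = op - h->opcode_base;
            st.address += (adj / h->line_range) * h->min_inst_length;
            st.line += h->line_base + (adj % h->line_range);
            (*rows_out)++;
        } else if (op == 0) {                              /* extended opcode */
            uint8_t sub;
            if ((rc = read_leb128(&c, 0, &u)) != LT_OK) return rc;
            /* Length check first: the whole payload must lie inside the buffer. */
            if (u == 0 || u > (uint64_t)(c.end - c.cur)) return LT_TRUNCATED;
            if ((rc = read_u8(&c, &sub)) != LT_OK) return rc;
            c.cur += u - 1;                                /* safe: length already checked */
            if (sub == DW_LNE_end_sequence) {              /* emit row, reset the registers */
                (*rows_out)++; ended = 1;
                st.address = 0; st.file = 1; st.column = 0; st.line = 1;
            }
        } else {
            switch (op) {                                  /* standard opcodes */
            case DW_LNS_copy: (*rows_out)++; break;
            case DW_LNS_advance_pc:
                if ((rc = read_leb128(&c, 0, &u)) != LT_OK) return rc;
                st.address += u * h->min_inst_length; break;
            case DW_LNS_advance_line:
                if ((rc = read_leb128(&c, 1, &u)) != LT_OK) return rc;
                st.line += (int64_t)u; break;
            case DW_LNS_set_file:
                if ((rc = read_leb128(&c, 0, &st.file)) != LT_OK) return rc; break;
            case DW_LNS_set_column:
                if ((rc = read_leb128(&c, 0, &st.column)) != LT_OK) return rc; break;
            case DW_LNS_negate_stmt: break;
            default: return LT_BAD_OPCODE;  /* a full reader skips these via standard_opcode_lengths */
            }
        }
    }
    return ended ? LT_OK : LT_TRUNCATED;   /* buffer ran out before DW_LNE_end_sequence */
}

/* Constructed sample program (not from the PoC attachment): set_column 2,
 * advance_line +10, copy, special opcode 0x21, advance_pc 4, end_sequence. */
static const uint8_t kDemo[] = { 0x05,0x02, 0x03,0x0a, 0x01, 0x21, 0x02,0x04, 0x00,0x01,0x01 };
static const line_hdr_t kHdr = { 13, 14, 1, -5 };   /* typical header values, chosen for the demo */

size_t demo_program_len(void) { return sizeof kDemo; }

/* Walk the first `len` bytes of the sample, as if the buffer had been cut short. */
int demo_walk(size_t len, size_t *rows_out) {
    if (len > sizeof kDemo) len = sizeof kDemo;
    return walk_line_program(kDemo, len, &kHdr, rows_out);
}

int main(void) {
    size_t rows = 0;
    for (size_t len = sizeof kDemo; len > 6; len--) {
        int rc = demo_walk(len, &rows);
        printf("%2zu bytes: rc=%d rows=%zu\n", len, rc, rows);
    }
    return 0;
}
```

The full 11-byte program walks cleanly and yields 3 rows; cutting it to 10 bytes (the end_sequence sub-opcode missing) or to 7 bytes (an advance_pc with no operand) returns LT_TRUNCATED from the length or cursor check instead of reading beyond the buffer. A fuzzing harness feeding such truncated inputs under AddressSanitizer is the cheapest way to confirm that a reader has no remaining unchecked `line_ptr` advance.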

Comment 1 Andrej Nemec 2016-09-20 13:59:22 UTC
Hello,

Please, use secalert@redhat.com to report security vulnerabilities to us next time. 

As for this issue, it looks like a local libdwarf crasher, which would make it low impact. Or is there something I have missed? 

You can try to post it to oss-security mailing list or request a CVE id from Mitre.

Thanks!

Comment 2 puzzor 2016-09-22 01:30:41 UTC
Use CVE-2016-7510 for this

Comment 3 Andrej Nemec 2016-09-23 08:10:44 UTC
(In reply to puzzor from comment #2)
> Use CVE-2016-7510 for this

Thanks for this report!

I have filed a proper vulnerability bug at:

https://bugzilla.redhat.com/show_bug.cgi?id=1378718

However, this still seems to be a low impact issue in my opinion, which is why I have wontfixed it for RHEL.

Next time, be sure to contact secalert@redhat.com directly please.

*** This bug has been marked as a duplicate of bug 1378718 ***

Comment 4 Tom Hughes 2016-09-26 21:32:11 UTC
*** Bug 1378718 has been marked as a duplicate of this bug. ***

