Bug 1377107 - libdwarf Integer Overflow
Summary: libdwarf Integer Overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libdwarf
Version: 24
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Tom Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1379625
Depends On:
Blocks: CVE-2016-7511
Reported: 2016-09-18 14:22 UTC by puzzor
Modified: 2016-11-08 15:55 UTC (History)

Fixed In Version: libdwarf-20161001-1.fc25 libdwarf-20160929-1.fc24
Clone Of:
Environment:
Last Closed: 2016-10-09 02:49:45 UTC
Type: Bug
Embargoed:


Attachments
poc and stack trace (4.38 KB, application/zip)
2016-09-18 14:22 UTC, puzzor

Description puzzor 2016-09-18 14:22:43 UTC
Created attachment 1202196 [details]
poc and stack trace

# Version
libdwarf 20160613

# Address Sanitizer Output
<0> tag: 17 DW_TAG_compile_unit  name: "addrmap.c" FORM 0xe "DW_FORM_strp"
<1> tag: 46 DW_TAG_subprogram  name: "addr_map_insert" FORM 0xe "DW_FORM_strp"
ASAN:SIGSEGV
=================================================================
==6825== ERROR: AddressSanitizer: SEGV on unknown address 0x0583903c (pc 0xb61f1a98 sp 0xbfa388b4 bp 0xbfa38d08 T0)
AddressSanitizer can not provide additional info.
    #0 0xb61f1a97 (/usr/lib/i386-linux-gnu/libasan.so.0+0x1ba97)
    #1 0xb61e3c0b (/usr/lib/i386-linux-gnu/libasan.so.0+0xdc0b)
    #2 0x80a21b1 in _dwarf_get_size_of_val /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_util.c:210
    #3 0x8054214 in _dwarf_next_die_info_ptr /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1340
    #4 0x80557a5 in dwarf_child /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1640
    #5 0x804b23f in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:573
    #6 0x804b2a8 in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:579
    #7 0x804b0a3 in read_cu_list /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:547
    #8 0x804ab10 in main /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:475
    #9 0xb600da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #10 0x8049040 in _start (/home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/simplereader+0x8049040)
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==6825== ABORTING

# PoC
See poc

# Analysis
From the call stack we get to know that "val_ptr" caused the access violation directly. When we analyzed further, we found this was caused by an integer overflow in dwarf_die_deliv.c. Let's see line 1354:
"info_ptr += sizeofval;"
In our case, sizeofval will be a very large value, and when info_ptr adds this large value it will cause an overflow; thus, when we check info_ptr against die_info_end, info_ptr will always be less than die_info_end.
See the debug info below:
"
Hardware watchpoint 3: info_ptr
Old value = (Dwarf_Byte_Ptr) 0xb5003b35 "\001U\003Q\001"
New value = (Dwarf_Byte_Ptr) 0x603903a <error: Cannot access memory at address 0x603903a>
_dwarf_next_die_info_ptr (die_info_ptr=0xb5003b22 "\002\207", cu_context=0xb4e03d88, die_info_end=0xb5003db1 "", cu_info_start=0x0, want_AT_sibling=0, 
    has_die_child=0xbfffeb10, next_die_ptr_out=0xbfffead0, error=0xbfffec80) at dwarf_die_deliv.c:1355
1355                if (info_ptr > die_info_end) {
(gdb) print sizeofval 
$3 = 1359172869
(gdb) print info_ptr 
$4 = (Dwarf_Byte_Ptr) 0x603903a <error: Cannot access memory at address 0x603903a>
"
(Note that info_ptr is a Dwarf_Byte_Ptr and sizeofval is Dwarf_Unsigned)
Later, the program will use this corrupted info_ptr in a memcpy.

# Report Timeline
2016.09.18: Shi Ji (@Puzzor) discovered this issue

# Credit
Shi Ji (@Puzzor)

# PoC
Contact us if you need the PoC file
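
The defect the report describes is a bounds check that runs after the pointer addition: on the 32-bit i386 target, adding an attacker-controlled sizeofval to info_ptr wraps the pointer around so that "info_ptr > die_info_end" never fires. The block below is an added example for this bug page, not libdwarf code and not the reporter's PoC. It models the pre-fix arithmetic with 32-bit unsigned integers using the exact values from the gdb session above (info_ptr 0xb5003b35, die_info_end 0xb5003db1, sizeofval 1359172869), and shows the check a practitioner wants instead: compare sizeofval against the bytes remaining before touching the pointer. The function names (wrapped_add32, unchecked_advance_passes, checked_advance, demo_rejections) and the 636-byte constructed CU buffer are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t Dwarf_Unsigned;
typedef const unsigned char *Dwarf_Byte_Ptr;

/* Values copied from the gdb session in the report (32-bit i386 process). */
#define POC_INFO_PTR     0xb5003b35u
#define POC_DIE_INFO_END 0xb5003db1u
#define POC_SIZEOFVAL    1359172869u   /* == 0x51035505 */

/* Model of the pre-fix logic on a 32-bit target: the addition happens first,
 * the bounds check second. Unsigned 32-bit arithmetic wraps exactly like the
 * pointer did in the report, so this reproduces the "New value" gdb printed. */
uint32_t wrapped_add32(uint32_t ptr, uint32_t sizeofval)
{
    return ptr + sizeofval;
}

/* Returns 1 when the post-add check "info_ptr > die_info_end" fails to fire. */
int unchecked_advance_passes(uint32_t ptr, uint32_t end, uint32_t sizeofval)
{
    uint32_t next = wrapped_add32(ptr, sizeofval);
    return next > end ? 0 : 1;
}

/* Hardened form: measure what is left before moving the pointer. The
 * subtraction cannot underflow because info_ptr <= die_info_end is verified
 * first, and comparing sizes instead of pointers is well defined in C. */
int checked_advance(Dwarf_Byte_Ptr *info_ptr, Dwarf_Byte_Ptr die_info_end,
                    Dwarf_Unsigned sizeofval)
{
    if (*info_ptr > die_info_end)
        return -1;
    Dwarf_Unsigned remaining = (Dwarf_Unsigned)(die_info_end - *info_ptr);
    if (sizeofval > remaining)
        return -1;              /* attribute value would run past the CU */
    *info_ptr += sizeofval;
    return 0;
}

/* Constructed CU buffer (assumption of this example): 636 bytes, the distance
 * between info_ptr and die_info_end in the gdb session
 * (0xb5003db1 - 0xb5003b35). Contents are irrelevant; only the bounds matter. */
#define CU_LEN 636u
static const unsigned char constructed_cu[CU_LEN];

/* Walks the constructed buffer with the hardened check and returns how many
 * advances were rejected: the PoC-sized one and the one-past-the-end one. */
int demo_rejections(void)
{
    Dwarf_Byte_Ptr p = constructed_cu;
    Dwarf_Byte_Ptr end = constructed_cu + CU_LEN;
    int rejected = 0;
    if (checked_advance(&p, end, 12) != 0) rejected++;            /* fits */
    if (checked_advance(&p, end, POC_SIZEOFVAL) != 0) rejected++; /* rejected */
    if (checked_advance(&p, end, CU_LEN - 12) != 0) rejected++;   /* lands exactly on end: allowed */
    if (checked_advance(&p, end, 1) != 0) rejected++;             /* one past end: rejected */
    return rejected;
}

int main(void)
{
    printf("wrapped info_ptr on i386: 0x%08x (gdb showed 0x603903a)\n",
           wrapped_add32(POC_INFO_PTR, POC_SIZEOFVAL));
    printf("post-add check passes on i386: %d\n",
           unchecked_advance_passes(POC_INFO_PTR, POC_DIE_INFO_END, POC_SIZEOFVAL));
    printf("hardened check rejections: %d\n", demo_rejections());
    return 0;
}
```

Caveat: on a 64-bit build the same addition does not wrap (0xb5003b35 + 0x51035505 simply exceeds die_info_end), so the post-add comparison happens to catch this particular input there; the pre-add size comparison is the form that is correct on both targets and does not rely on out-of-object pointer arithmetic, which is undefined behaviour in C regardless of whether it wraps.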

Comment 1 Tom Hughes 2016-09-18 14:23:39 UTC
Has this been reported upstream?

Comment 2 puzzor 2016-09-18 14:25:19 UTC
(In reply to Tom Hughes from comment #1)
> Has this been reported upstream?

Yes, with external link https://sourceforge.net/p/libdwarf/bugs/3/

Comment 3 Fedora Update System 2016-09-27 06:20:22 UTC
libdwarf-20160923-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-328754be1c

Comment 4 Fedora Update System 2016-09-27 07:20:47 UTC
libdwarf-20160923-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a

Comment 5 Tom Hughes 2016-09-27 09:33:45 UTC
*** Bug 1379625 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2016-09-30 20:24:45 UTC
libdwarf-20160929-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a

Comment 7 Fedora Update System 2016-10-01 05:28:08 UTC
libdwarf-20160929-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-328754be1c

Comment 8 Fedora Update System 2016-10-03 14:24:29 UTC
libdwarf-20161001-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9b8717537a

Comment 9 Fedora Update System 2016-10-09 02:49:45 UTC
libdwarf-20161001-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-10-09 06:21:53 UTC
libdwarf-20160929-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

