Bug 1387584 - memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)
Summary: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: elfutils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mark Wielaard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-10-21 10:29 UTC by Agostino Sarubbo
Modified: 2017-03-22 10:11 UTC (History)

Fixed In Version: elfutils-0.168-1.fc25 elfutils-0.168-1.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-11 12:19:22 UTC


Attachments
stacktrace (7.73 KB, text/plain), 2016-10-21 10:29 UTC, Agostino Sarubbo, no flags
reproducer (30.10 KB, application/x-executable), 2016-10-21 10:30 UTC, Agostino Sarubbo, no flags

Description Agostino Sarubbo 2016-10-21 10:29:57 UTC
Created attachment 1212780: stacktrace

Description of problem:
During fuzzing of libdwarf I got a memory allocation failure.
From the stacktrace it seems that the fault is in elfutils.

Version-Release number of selected component (if applicable):
0.166

How reproducible:
dwarfdump $REPRODUCER

Comment 1 Agostino Sarubbo 2016-10-21 10:30:21 UTC
Created attachment 1212781: reproducer

Comment 2 Mark Wielaard 2016-10-21 10:56:22 UTC
So I assume that the problem is when trying to get the data for the debug_abbrev section, which has a ridiculously big size:

[28] .debug_abbrev        PROGBITS     0000000000000000 00001223 8000000110  0        0   0  1

The reported memory allocation failure is here:

          /* We have to read the data from the file.  Allocate the needed
             memory.  */
          scn->rawdata_base = scn->rawdata.d.d_buf
            = (char *) malloc (size);
          if (scn->rawdata.d.d_buf == NULL)
            {
              __libelf_seterrno (ELF_E_NOMEM);
              return 1;
            }

Where size is shdr->sh_size (0x8000000110 == 549755814160) which will obviously fail and the code will return ELF_E_NOMEM.

Comment 3 Agostino Sarubbo 2016-10-21 12:23:53 UTC
Thanks for the response. Do you think it needs to be fixed, or is it fine as-is?

Comment 4 Mark Wielaard 2016-10-21 12:27:43 UTC
(In reply to Agostino Sarubbo from comment #3)
> Thanks for the response. Do you think it needs to be fixed, or is it fine
> as-is?

In another code path we actually check the size first to make sure the data is all in the file. If the malloc succeeded the code would fail a few lines later anyway when we couldn't read all section data. We could add a sanity check and return ELF_E_INVALID_SECTION_HEADER before even attempting the malloc.
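
An added example, not elfutils code and not part of this thread, of the pre-allocation sanity check described in comments #2 and #4: validate the section header's file range before calling malloc(sh_size). The enum, the two-field struct and the 30822-byte file size are constructed stand-ins; only the offset and size come from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: libelf's real error codes and Elf64_Shdr differ. */
enum elf_err { ELF_E_NOERROR = 0, ELF_E_NOMEM, ELF_E_INVALID_SECTION_HEADER };
struct shdr { uint64_t sh_offset; uint64_t sh_size; };

/* True iff [sh_offset, sh_offset + sh_size) lies inside a file_size-byte file.
   Subtract rather than add so a huge sh_size cannot wrap the comparison. */
bool section_fits_in_file(const struct shdr *sh, uint64_t file_size)
{
    if (sh->sh_offset > file_size)
        return false;
    return sh->sh_size <= file_size - sh->sh_offset;
}

/* Copy a section out of an in-memory image of the file. Unlike the path
   quoted in comment #2, the header is validated before malloc(sh_size), so
   a bogus size is reported as ELF_E_INVALID_SECTION_HEADER instead of
   ELF_E_NOMEM (or a short read if the allocation happens to succeed). */
char *load_section(const unsigned char *file, uint64_t file_size,
                   const struct shdr *sh, enum elf_err *err)
{
    if (!section_fits_in_file(sh, file_size)) {
        *err = ELF_E_INVALID_SECTION_HEADER;
        return NULL;
    }
    char *buf = malloc(sh->sh_size ? sh->sh_size : 1);  /* size is now known to fit */
    if (buf == NULL) {
        *err = ELF_E_NOMEM;
        return NULL;
    }
    memcpy(buf, file + sh->sh_offset, sh->sh_size);
    *err = ELF_E_NOERROR;
    return buf;
}

/* The report's numbers: .debug_abbrev at offset 0x1223 claiming 0x8000000110
   bytes inside a ~30 KB file (30822 bytes is a constructed stand-in). */
enum elf_err check_reported_header(void)
{
    static unsigned char image[30822];
    struct shdr abbrev = { .sh_offset = 0x1223, .sh_size = 0x8000000110ULL };
    enum elf_err err;
    free(load_section(image, sizeof image, &abbrev, &err));
    return err;
}
```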

Comment 5 Mark Wielaard 2016-10-21 13:27:23 UTC
I posted a patch to add that sanity check upstream:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/

Please let me know if that helps your case.

Comment 6 Agostino Sarubbo 2016-10-21 13:33:47 UTC
(In reply to Mark Wielaard from comment #5)
> I posted a patch to add that sanity check upstream:
> https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/
> 
> Please let me know if that helps your case.

I'll retest.

Comment 7 Mark Wielaard 2016-11-10 11:14:12 UTC
The patch has been pushed upstream now and will be in the next release.

Comment 8 Fedora Update System 2016-12-28 19:23:25 UTC
elfutils-0.168-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

Comment 9 Fedora Update System 2016-12-29 09:21:11 UTC
elfutils-0.168-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

Comment 10 Fedora Update System 2016-12-31 22:20:33 UTC
elfutils-0.168-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2017-01-01 13:37:39 UTC
elfutils-0.168-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

Comment 12 Fedora Update System 2017-01-02 01:50:57 UTC
elfutils-0.168-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

Comment 13 Fedora Update System 2017-01-11 12:19:22 UTC
elfutils-0.168-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Agostino Sarubbo 2017-03-22 10:11:35 UTC
MITRE assigned CVE-2016-10255 to this issue.
