Bug 1388057 - memory allocation failure in allocate_elf (common.h)
Summary: memory allocation failure in allocate_elf (common.h)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: elfutils
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Mark Wielaard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-24 10:39 UTC by Agostino Sarubbo
Modified: 2017-03-22 10:11 UTC (History)
7 users (show)

Fixed In Version: elfutils-0.168-1.fc25 elfutils-0.168-1.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-11 12:19:17 UTC


Attachments (Terms of Use)
stacktrace (7.44 KB, text/plain)
2016-10-24 10:39 UTC, Agostino Sarubbo
no flags Details

Description Agostino Sarubbo 2016-10-24 10:39:10 UTC
Created attachment 1213447 [details]
stacktrace

Description of problem:
During the fuzz of libdwarf I got a memory allocation failure.
From the stacktrace seems that the fault is in elfutils.

Version-Release number of selected component (if applicable):
0.166

How reproducible:
dwarfdump $REPRODUCER

Reproducer: https://github.com/asarubbo/poc/raw/master/00011-elfutils-memalloc-allocate_elf

Comment 1 Mark Wielaard 2016-10-24 11:42:15 UTC
The problem is that the ELF file claims to have 1073901568 section headers. We then try to allocate memory for the sizeof (Elf_Scn) (208) times that number. Which is 223371526144. Plus the sizeof (Elf), 264 bytes. In total 223371526408 bytes (~208GB). Which obviously fails and returns NULL. This isn't really fatal. You just get an ELF_E_NOMEM.

There is already a check that scncnt <= SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)) to prevent overflow. But that still allows for 67818912035696880 headers on 64bit systems (and 15790320 on 32bit systems).

Comment 2 Mark Wielaard 2016-10-26 11:19:35 UTC
But even before that sanity check there is a call to get_shnum() which itself should sanity check that the "advertised" headers are really there.

      /* If the section headers were truncated, pretend none were there.  */
      if (ehdr.e64->e_shoff > maxsize
          || maxsize - ehdr.e64->e_shoff < sizeof (Elf64_Shdr) * result)
        result = 0;

That should have triggered, but it doesn't because maxsize was set to infinity.

The problem is that we only set maxsize in read_file() in case we mmap the file, but not when using pread. Posted a patch upstream:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/EJWVY7TMRDEMWPAPNVU3V4MZYG5HANF2/

Does that help your case?

Comment 3 Agostino Sarubbo 2016-10-26 11:53:22 UTC
I'll retest. I guess my test will be done when a new release includes this fix. So if you can make a release you will make my job easier.

Comment 4 Mark Wielaard 2016-10-26 12:22:20 UTC
(In reply to Agostino Sarubbo from comment #3)
> I'll retest. I guess my test will be done when a new release includes this
> fix. So if you can make a release you will make my job easier.

We are kind of waiting on each other :) I am afraid this isn't reason enough to do a new release, sorry. Also I would like some time for this bug and bug #1387584 to have some testing. Neither commit is even upstream yet because nobody commented, reviewed or tested them yet.

Comment 5 Mark Wielaard 2016-10-26 12:47:56 UTC
If all you need is a "release" tar ball then you could try https://fedorapeople.org/~mjw/elfutils-0.167.tar.bz2 that is elfutils 0.167 + git + the two patches for fixing bug #1387584 and bug #1388057. Any testing is appreciated.

Comment 6 Mark Wielaard 2016-11-10 11:17:42 UTC
The patch has been committed upstream and the fix will be in the next release.

Comment 7 Fedora Update System 2016-12-28 19:23:16 UTC
elfutils-0.168-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

Comment 8 Fedora Update System 2016-12-29 09:21:07 UTC
elfutils-0.168-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0cdc2d3b14

Comment 9 Fedora Update System 2016-12-31 22:20:28 UTC
elfutils-0.168-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-01-01 13:37:33 UTC
elfutils-0.168-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

Comment 11 Fedora Update System 2017-01-02 01:50:52 UTC
elfutils-0.168-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6c9a495a48

Comment 12 Fedora Update System 2017-01-11 12:19:17 UTC
elfutils-0.168-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Agostino Sarubbo 2017-03-22 10:11:11 UTC
Mitre assigned CVE-2016-10254 to this issue.


Note You need to log in before you can comment on or make changes to this bug.