Bug 1465756 - There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libdwarf
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
: rc
: ---
Assigned To: Frank Ch. Eigler
QA Contact: qe-baseos-tools
: Reopened
Depends On:
Blocks:
Reported: 2017-06-28 03:01 EDT by owl337
Modified: 2017-07-26 08:36 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-12 09:44:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 03:01 EDT, owl337
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 03:02 EDT, owl337

Description owl337 2017-06-28 03:01:38 EDT
Created attachment 1292558 [details]
Triggered by "dwarfdump POC1"

Description of problem:

There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./dwarfdump $POC


Steps to Reproduce:

The normal and ASAN debug information is as follows:

$ ./dwarfdump POC1

.debug_info
ASAN:DEADLYSIGNAL
=================================================================
==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128) 
==42828==ABORTING

The vulnerability was triggered in function int _dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We did not analyze the reason for the trigger carefully, but the 'unknown address' reported by ASAN is readable by gdb.

273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274    Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
...
280     /*  The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
282 
283     /*  byte_length being the number of bytes of data absorbed so far in
284         turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte   = *leb128;
292     for (;;) {

The gdb debugging information is as follows:

(gdb)set args POC1
(gdb) r
...
.debug_info

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, 
    cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, 
    size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, 
    ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, 
    error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, 
    srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, 
    pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, 
    elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, 
    archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
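The excerpt and the gdb output above show the one pointer check that runs before the faulting read, `leb128 >= endptr`, and a `leb128` value (0x60462c598e45) that lies below `endptr` (0x61300000de1c), so that check passes while the pointer is still not a valid address inside the section. The report does not establish how `leb128` was computed, and the example below does not claim to. It is an added example, not libdwarf's code: a signed LEB128 decoder that requires the input pointer to lie within both ends of the section before the first byte is read and re-checks before every further byte, so a stray pointer or a truncated encoding is rejected instead of dereferenced. The function name `decode_sleb128_checked`, the `LEB_OK`/`LEB_ERROR` codes, the helper functions and the sample section bytes are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes modelled on libdwarf's DW_DLV_OK / DW_DLV_ERROR (names chosen here). */
#define LEB_OK    0
#define LEB_ERROR 1

/*
 * Bounds-checked signed LEB128 decoder (added example, not libdwarf code).
 * The excerpt in the report only tests `leb128 >= endptr`; a pointer that is
 * below `start` passes that test. Here the pointer must lie in [start, end)
 * before the first read, and the loop re-checks before every further byte.
 */
int decode_sleb128_checked(const uint8_t *start, const uint8_t *end,
                           const uint8_t *leb128, size_t *consumed,
                           int64_t *outval)
{
    if (!outval || !consumed || !start || !end)
        return LEB_ERROR;
    /* Compare as integers so a pointer into an unrelated object is caught too. */
    if ((uintptr_t)leb128 < (uintptr_t)start || (uintptr_t)leb128 >= (uintptr_t)end)
        return LEB_ERROR;

    uint64_t result = 0;
    unsigned shift = 0;
    const uint8_t *p = leb128;
    uint8_t byte;

    for (;;) {
        if (p >= end)      /* continuation bit was set on the section's last byte */
            return LEB_ERROR;
        if (shift >= 64)   /* more than 10 bytes: overlong for a 64-bit value */
            return LEB_ERROR;
        byte = *p++;
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }
    /* Sign-extend when bit 6 of the final byte is set and bits remain above it. */
    if (shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;

    *consumed = (size_t)(p - leb128);
    *outval = (int64_t)result;
    return LEB_OK;
}

/* Constructed sample "section": -1, -128, 624485, then a truncated encoding. */
static const uint8_t sample_section[] = {
    0x7f,               /* offset 0: -1 */
    0x80, 0x7f,         /* offset 1: -128 */
    0xe5, 0x8e, 0x26,   /* offset 3: 624485 */
    0x80                /* offset 6: continuation bit set, no following byte */
};
#define SAMPLE_LEN (sizeof sample_section)

/* Helpers that expose each outcome as a return value (constructed for this example). */
int sample_status(size_t offset)
{
    size_t n; int64_t v;
    return decode_sleb128_checked(sample_section, sample_section + SAMPLE_LEN,
                                  sample_section + offset, &n, &v);
}
int64_t sample_value(size_t offset)
{
    size_t n; int64_t v = 0;
    decode_sleb128_checked(sample_section, sample_section + SAMPLE_LEN,
                           sample_section + offset, &n, &v);
    return v;
}
size_t sample_length(size_t offset)
{
    size_t n = 0; int64_t v;
    decode_sleb128_checked(sample_section, sample_section + SAMPLE_LEN,
                           sample_section + offset, &n, &v);
    return n;
}
/* A pointer into a different object stands in for the stray pointer seen in the report. */
int sample_status_outside(void)
{
    static const uint8_t elsewhere[4] = {0x01, 0x02, 0x03, 0x04};
    size_t n; int64_t v;
    return decode_sleb128_checked(sample_section, sample_section + SAMPLE_LEN,
                                  elsewhere, &n, &v);
}

int main(void)
{
    printf("offset 0: status %d value %lld\n", sample_status(0), (long long)sample_value(0));
    printf("offset 1: status %d value %lld\n", sample_status(1), (long long)sample_value(1));
    printf("offset 3: status %d value %lld\n", sample_status(3), (long long)sample_value(3));
    printf("offset 6 (truncated): status %d\n", sample_status(6));
    printf("pointer outside section: status %d\n", sample_status_outside());
    return 0;
}
```

The two-sided range check is the part that matters for the crash class in this report: an upper bound alone cannot reject a pointer that was derived from an untrusted offset and landed below the section, and the per-byte check inside the loop covers the separate case of an encoding that runs off the end of the section.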
Comment 2 owl337 2017-06-28 03:02 EDT
Created attachment 1292559 [details]
Triggered by "dwarfdump POC1"
