Bug 1465756 - There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Summary: There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libdwarf
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Frank Ch. Eigler
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-28 07:01 UTC by owl337
Modified: 2020-02-25 14:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-25 14:31:01 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:01 UTC, owl337
no flags Details
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:02 UTC, owl337
no flags Details

Description owl337 2017-06-28 07:01:38 UTC
Created attachment 1292558 [details]
Triggered by  "dwarfdump  POC1"

Description of problem:

There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to remote denial of service  attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./dwarfdump $POC


Steps to Reproduce:

The normal and asan debug information are as follows:

$ ./dwarfdump POC1

.debug_info
ASAN:DEADLYSIGNAL
=================================================================
==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128) 
==42828==ABORTING

The vulnerability was triggered in function int
_dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We don't analyze the reason of the trigger careful, but the 'unknow address' reported by ASAN  is readable by gdb.

273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274    Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
...
280     /*  The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
282 
283     /*  byte_length being the number of bytes of data absorbed so far in
284         turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte   = *leb128;
292     for (;;) {

The gdb debugging information is as follows:

(gdb)set args POC1
(gdb) r
...
.debug_info

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, 
    cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, 
    size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, 
    ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, 
    error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, 
    srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, 
    pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, 
    elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, 
    archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 owl337 2017-06-28 07:02:59 UTC
Created attachment 1292559 [details]
Triggered by  "dwarfdump  POC1"

Comment 5 Frank Ch. Eigler 2018-11-29 16:16:01 UTC
There appear to be no security-relevant uses of this tool, so a crash on invalid input is tolerable.

Comment 6 Frank Ch. Eigler 2020-02-25 14:31:01 UTC
low severity problem on a dormant package


Note You need to log in before you can comment on or make changes to this bug.