RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1465756 - There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Summary: There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libdwarf
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Frank Ch. Eigler
QA Contact: qe-baseos-tools-bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2017-06-28 07:01 UTC by owl337
Modified: 2020-02-25 14:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-02-25 14:31:01 UTC
Target Upstream Version:

Attachments (Terms of Use)
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:01 UTC, owl337
no flags Details
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:02 UTC, owl337
no flags Details

Description owl337 2017-06-28 07:01:38 UTC
Created attachment 1292558 [details]
Triggered by  "dwarfdump  POC1"

Description of problem:

There is a unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to remote denial of service  attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./dwarfdump $POC

Steps to Reproduce:

The normal and asan debug information are as follows:

$ ./dwarfdump POC1

==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128) 

The vulnerability was triggered in function int
_dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We don't analyze the reason of the trigger careful, but the 'unknow address' reported by ASAN  is readable by gdb.

273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274    Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
280     /*  The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
283     /*  byte_length being the number of bytes of data absorbed so far in
284         turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte   = *leb128;
292     for (;;) {

The gdb debugging information is as follows:

(gdb)set args POC1
(gdb) r

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, 
    cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, 
    size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, 
    ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, 
    error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, 
    srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, 
    pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, 
    elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, 
    archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562

Actual results:


Expected results:


Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.

Comment 2 owl337 2017-06-28 07:02:59 UTC
Created attachment 1292559 [details]
Triggered by  "dwarfdump  POC1"

Comment 5 Frank Ch. Eigler 2018-11-29 16:16:01 UTC
There appear to be no security-relevant uses of this tool, so a crash on invalid input is tolerable.

Comment 6 Frank Ch. Eigler 2020-02-25 14:31:01 UTC
low severity problem on a dormant package

Note You need to log in before you can comment on or make changes to this bug.