Bug 1465756 - There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Summary: There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump.
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libdwarf
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Frank Ch. Eigler
QA Contact: qe-baseos-tools
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks:
 
Reported: 2017-06-28 07:01 UTC by owl337
Modified: 2019-06-01 17:44 UTC (History)
Clone Of:
Last Closed: 2017-07-12 13:44:39 UTC


Attachments
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:01 UTC, owl337
Triggered by "dwarfdump POC1" (10.59 KB, application/x-rar)
2017-06-28 07:02 UTC, owl337

Description owl337 2017-06-28 07:01:38 UTC
Created attachment 1292558 [details]
Triggered by  "dwarfdump  POC1"

Description of problem:

There is an unknown memory access in _dwarf_decode_s_leb128_chk() of dwarfdump. A crafted input will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./dwarfdump $POC


Steps to Reproduce:

The normal and asan debug information are as follows:

$ ./dwarfdump POC1

.debug_info
ASAN:DEADLYSIGNAL
=================================================================
==42828==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x0000005c5129 bp 0x60462c598e45 sp 0x7ffca7481000 T0)
    #0 0x5c5128  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128)
    #1 0x60fd37  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60fd37)
    #2 0x60044e  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x60044e)
    #3 0x5ff21a  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5ff21a)
    #4 0x5c6057  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c6057)
    #5 0x51423d  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x51423d)
    #6 0x511f72  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x511f72)
    #7 0x4f7f08  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x4f7f08)
    #8 0x7f47af33582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419458  (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x419458)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/dwarf-20170416-asan/dwarfdump/dwarfdump+0x5c5128) 
==42828==ABORTING

The vulnerability was triggered in function _dwarf_decode_s_leb128_chk() at dwarf_leb.c:291. We have not analyzed the reason for the trigger carefully, but the 'unknown address' reported by ASAN is readable by gdb.

273 _dwarf_decode_s_leb128_chk(Dwarf_Small * leb128, Dwarf_Word * leb128_length,
274    Dwarf_Signed *outval,Dwarf_Byte_Ptr endptr)
275 {
...
280     /*  The byte_length value will be a small non-negative integer. */
281     unsigned byte_length = 1;
282 
283     /*  byte_length being the number of bytes of data absorbed so far in
284         turning the leb into a Dwarf_Signed. */
285     if (!outval) {
286         return DW_DLV_ERROR;
287     }
288     if (leb128 >= endptr) {
289         return DW_DLV_ERROR;
290     }
291     byte   = *leb128;
292     for (;;) {

The gdb debugging information is as follows:

(gdb) set args POC1
(gdb) r
...
.debug_info

Breakpoint 1, _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) p leb128
$22 = (Dwarf_Small *) 0x60462c598e45 ""
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
291	    byte   = *leb128;
(gdb) bt
#0  0x00000000005c5129 in _dwarf_decode_s_leb128_chk (leb128=0x60462c598e45 "", leb128_length=0x7fffffffcf60, 
    outval=0x7fffffffcf80, endptr=0x61300000de1c "") at dwarf_leb.c:291
#1  0x000000000060fd38 in _dwarf_get_size_of_val (dbg=0x62400000c100, form=<optimized out>, 
    cu_version=<optimized out>, address_size=8, val_ptr=0x60462c598e45 "", v_length_size=4, 
    size_out=<optimized out>, section_end_ptr=<optimized out>, error=<optimized out>) at dwarf_util.c:371
#2  0x000000000060044f in _dwarf_get_value_ptr (die=<optimized out>, attr=18, attr_form=0x7fffffffd3a0, 
    ptr_to_value=<optimized out>, error=0x7fffffffdb40) at dwarf_query.c:519
#3  0x00000000005ff21b in dwarf_attr (die=<optimized out>, attr=16, ret_attr=0x7fffffffd4c0, 
    error=0x7fffffffdb40) at dwarf_query.c:614
#4  0x00000000005c6058 in dwarf_srcfiles (die=0x60400000d6e0, srcfiles=0x7fffffffdb20, 
    srcfilecount=0x7fffffffdb00, error=<optimized out>) at ./dwarf_line.c:326
#5  0x000000000051423e in print_one_die_section (dbg=<optimized out>, is_info=<optimized out>, 
    pod_err=<optimized out>) at print_die.c:812
#6  0x0000000000511f73 in print_infos (dbg=0x62400000c100, is_info=<optimized out>) at print_die.c:371
#7  0x00000000004f7f09 in process_one_file (l_config_file_data=<optimized out>, elf=<optimized out>, 
    elftied=<optimized out>, file_name=<optimized out>, tied_file_name=<optimized out>, 
    archive=<optimized out>) at dwarfdump.c:1293
#8  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:562

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
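
Added example (not libdwarf's code and not part of the report): a signed LEB128 decoder that checks the start pointer against both ends of the section. In the gdb output above, leb128=0x60462c598e45 is numerically below endptr=0x61300000de1c, so the single `leb128 >= endptr` test at dwarf_leb.c:288 in the quoted snippet cannot reject it even though the address is not inside the section; the report does not establish how that pointer was derived, so the lower-bound check is shown as the check a practitioner would want, not as the confirmed fix. The decoder also rejects values that run past the section end or need more than 10 bytes. The function names, the status enum and the sample byte arrays are constructed for illustration.

```c
/* Added example, not libdwarf's code. Signed LEB128 decoder that bounds the
 * start pointer on BOTH sides of the section, plus a model of the end-only
 * check quoted in the report. Sample data below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum leb_status {
    LEB_OK = 0,
    LEB_ERR_ARG,            /* NULL argument or inverted section bounds */
    LEB_ERR_OUT_OF_RANGE,   /* start pointer outside [sec_start, sec_end) */
    LEB_ERR_TRUNCATED,      /* continuation bit set on the last in-bounds byte */
    LEB_ERR_TOO_LONG        /* more than 10 groups: cannot be a 64-bit value */
};

/* Mirrors the only bounds test in the quoted snippet (`leb128 >= endptr`):
 * any pointer numerically below sec_end is accepted, including one that
 * lies before the section starts. */
static int end_only_check_passes(const uint8_t *leb, const uint8_t *sec_end)
{
    return leb < sec_end;
}

enum leb_status decode_sleb128_checked(const uint8_t *leb,
                                       const uint8_t *sec_start,
                                       const uint8_t *sec_end,
                                       int64_t *out, size_t *consumed)
{
    const uint8_t *p = leb;
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    uint8_t byte = 0;

    if (!leb || !sec_start || !sec_end || !out || !consumed ||
        sec_start > sec_end)
        return LEB_ERR_ARG;
    /* Lower bound first: this is the case an end-only check misses. */
    if (leb < sec_start || leb >= sec_end)
        return LEB_ERR_OUT_OF_RANGE;

    for (;;) {
        if (p >= sec_end)          /* ran off the section mid-value */
            return LEB_ERR_TRUNCATED;
        if (n >= 10)               /* 10 groups * 7 bits > 64 bits */
            return LEB_ERR_TOO_LONG;
        byte = *p++;
        n++;
        if (shift < 64)
            result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80))
            break;
    }
    /* Sign-extend when bit 6 of the final group is set. */
    if (shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;

    *out = (int64_t)result;
    *consumed = n;
    return LEB_OK;
}

/* Constructed sample encodings. */
const uint8_t LEB_POS_2[]      = { 0x02 };
const uint8_t LEB_NEG_2[]      = { 0x7e };
const uint8_t LEB_NEG_128[]    = { 0x80, 0x7f };
const uint8_t LEB_NEG_123456[] = { 0xc0, 0xbb, 0x78 };
const uint8_t LEB_TRUNCATED[]  = { 0x80 };   /* continuation bit, no next byte */
const uint8_t LEB_TOO_LONG[]   = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                   0x80, 0x80, 0x80, 0x80, 0x80, 0x00 };

/* Decode a whole constructed array as a section of its own. */
int status_of(const uint8_t *b, size_t n)
{
    int64_t v; size_t used;
    return decode_sleb128_checked(b, b, b + n, &v, &used);
}

/* Decoded value, or INT64_MIN on any error. */
int64_t value_of(const uint8_t *b, size_t n)
{
    int64_t v; size_t used;
    return decode_sleb128_checked(b, b, b + n, &v, &used) == LEB_OK ? v : INT64_MIN;
}

/* Scenario shaped like the report: a 64-byte file whose section is the upper
 * half, and a value pointer (e.g. computed from a crafted offset) landing in
 * the lower half: below sec_end, yet outside the section. Returns 1 when the
 * end-only check accepts it and the two-sided check rejects it. */
int crafted_pointer_scenario(void)
{
    static uint8_t file[64];
    const uint8_t *sec_start = file + 32, *sec_end = file + 64;
    const uint8_t *crafted = file + 8;
    int64_t v; size_t used;
    int end_only = end_only_check_passes(crafted, sec_end);
    enum leb_status st = decode_sleb128_checked(crafted, sec_start, sec_end, &v, &used);
    return end_only == 1 && st == LEB_ERR_OUT_OF_RANGE;
}

int main(void)
{
    printf("-123456 decodes to %lld\n", (long long)value_of(LEB_NEG_123456, sizeof LEB_NEG_123456));
    printf("crafted pointer rejected: %s\n", crafted_pointer_scenario() ? "yes" : "no");
    return 0;
}
```

The lower bound has to come from whoever owns the section (in libdwarf the base pointer of the loaded section, which the quoted signature does not receive). The more robust shape is to carry offsets relative to a known section base rather than raw pointers, so an out-of-range offset is rejected by a size comparison before it is ever turned into a pointer and dereferenced.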

Comment 2 owl337 2017-06-28 07:02 UTC
Created attachment 1292559 [details]
Triggered by  "dwarfdump  POC1"

Comment 5 Frank Ch. Eigler 2018-11-29 16:16:01 UTC
There appear to be no security-relevant uses of this tool, so a crash on invalid input is tolerable.

