Hide Forgot
Elfutils is vulnerable to a heap-based buffer over-read in the libdw/dwarf_getaranges.c:dwarf_getaranges() function. An attacker could exploit this to cause a crash in the eu-addr2line command via a crafted file. Upstream Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=23541 Upstream Patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9
Created elfutils tracking bugs for this issue: Affects: fedora-all [bug 1623753]
Reproduced on F28 with elfutils-0.173-1.fc28.x86_64: # eu-addr2line -e addr2line-buffer-over-flow1 -- 500 50 10 -1000 ??:0 ================================================================= ==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000001dc at pc 0x7f006dcdede6 bp 0x7ffe3f369f40 sp 0x7ffe3f369f30 READ of size 1 at 0x60f0000001dc thread T0 #0 0x7f006dcdede5 in __libdw_find_attr /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 #1 0x7f006dcdb67b in dwarf_attr (/lib64/libdw.so.1+0x2667b) #2 0x7f006dd05e85 in __libdw_intern_next_unit /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:187 #3 0x7f006dd06417 in __libdw_findcu /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:250 #4 0x7f006dcfdb13 in dwarf_getaranges (/lib64/libdw.so.1+0x48b13) #5 0x7f006dd4309c in addrarange cu.c:54 #6 0x7f006dd4309c in __libdwfl_addrcu cu.c:313 #7 0x7f006dd449b9 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f9b9) #8 0x5572d99886e7 (/usr/bin/eu-addr2line+0x66e7) #9 0x5572d9986b82 (/usr/bin/eu-addr2line+0x4b82) #10 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a) #11 0x5572d9986fb9 (/usr/bin/eu-addr2line+0x4fb9) 0x60f0000001dc is located 0 bytes to the right of 172-byte region [0x60f000000130,0x60f0000001dc) allocated by thread T0 here: #0 0x7f006e094c48 in malloc (/lib64/libasan.so.5+0xeec48) #1 0x7f006da91863 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:149 #2 0x7f006da91863 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431 #3 0x7f006da91ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538 #4 0x7f006dcd6960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167 #5 0x7f006dcd78b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310 #6 0x7f006dd3633e in load_dw dwfl_module_getdwarf.c:1340 #7 0x7f006dd369a7 in find_dw dwfl_module_getdwarf.c:1390 #8 0x7f006dd44996 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f996) #9 0x5572d99886e7 (/usr/bin/eu-addr2line+0x66e7) #10 0x5572d9986b82 (/usr/bin/eu-addr2line+0x4b82) #11 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a) SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 in __libdw_find_attr Shadow bytes around the buggy address: 0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa 0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00 =>0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa 0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16062