Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1623752 - (CVE-2018-16062) CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getarange...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20180817,reported=2...
: Security
Depends On: 1623754 1625260 1625515 1625516 1623753
Blocks: 1623755
  Show dependency treegraph
 
Reported: 2018-08-30 02:21 EDT by Sam Fowler
Modified: 2018-10-24 06:00 EDT (History)
25 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in elfutils in the way it reads DWARF address ranges information. Function dwarf_getaranges() in dwarf_getaranges.c does not properly check whether it reads beyond the limits of the ELF section. An attacker could use this flaw to cause a denial of service via a crafted file.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Sam Fowler 2018-08-30 02:21:21 EDT 
Elfutils is vulnerable to a heap-based buffer over-read in the libdw/dwarf_getaranges.c:dwarf_getaranges() function. An attacker could exploit this to cause a crash in the eu-addr2line command via a crafted file.


Upstream Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=23541


Upstream Patch:

https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9
Comment 1 Sam Fowler 2018-08-30 02:21:55 EDT 
Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1623753]
Comment 3 Sam Fowler 2018-08-30 02:27:41 EDT 
Reproduced on F28 with elfutils-0.173-1.fc28.x86_64:

# eu-addr2line -e addr2line-buffer-over-flow1 -- 500 50 10 -1000
??:0
=================================================================
==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000001dc at pc 0x7f006dcdede6 bp 0x7ffe3f369f40 sp 0x7ffe3f369f30
READ of size 1 at 0x60f0000001dc thread T0
    #0 0x7f006dcdede5 in __libdw_find_attr /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97
    #1 0x7f006dcdb67b in dwarf_attr (/lib64/libdw.so.1+0x2667b)
    #2 0x7f006dd05e85 in __libdw_intern_next_unit /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:187
    #3 0x7f006dd06417 in __libdw_findcu /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:250
    #4 0x7f006dcfdb13 in dwarf_getaranges (/lib64/libdw.so.1+0x48b13)
    #5 0x7f006dd4309c in addrarange cu.c:54
    #6 0x7f006dd4309c in __libdwfl_addrcu cu.c:313
    #7 0x7f006dd449b9 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f9b9)
    #8 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #9 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #10 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #11 0x5572d9986fb9  (/usr/bin/eu-addr2line+0x4fb9)

0x60f0000001dc is located 0 bytes to the right of 172-byte region [0x60f000000130,0x60f0000001dc)
allocated by thread T0 here:
    #0 0x7f006e094c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7f006da91863 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:149
    #2 0x7f006da91863 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431
    #3 0x7f006da91ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538
    #4 0x7f006dcd6960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167
    #5 0x7f006dcd78b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310
    #6 0x7f006dd3633e in load_dw dwfl_module_getdwarf.c:1340
    #7 0x7f006dd369a7 in find_dw dwfl_module_getdwarf.c:1390
    #8 0x7f006dd44996 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f996)
    #9 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #10 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #11 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 in __libdw_find_attr
Shadow bytes around the buggy address:
  0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.