Bug 204841 - CVE-2006-4146 GDB buffer overflow
Summary: CVE-2006-4146 GDB buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: gdb
Version: 4.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
: ---
Assignee: Jan Kratochvil
QA Contact: Jay Turner
URL:
Whiteboard: source=vendorsec,reported=20060815,im...
: 203876 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-08-31 20:39 UTC by Josh Bressers
Modified: 2018-10-19 20:29 UTC (History)
7 users (show)

Fixed In Version: RHSA-2007-0229
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-01 17:26:18 UTC


Attachments (Terms of Use)
Patch for CVE-2006-4146 (3.19 KB, patch)
2006-09-01 06:57 UTC, Will Drewry
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0229 normal SHIPPED_LIVE Low: gdb security and bug fix update 2007-05-01 17:21:30 UTC

Description Josh Bressers 2006-08-31 20:39:31 UTC
Will Drewry of the Google Security Team discovered multiple buffer overflows in
GDB's DWARF handling code.  His advisory is below:

The GNU Debugger (GDB) Multiple Vulnerabilities
-----------------------------------------------

Summary
-------

Multiple vulnerabilities have been discovered in the GNU debugger that allow
for the execution of arbitrary code.


Background
----------

GDB is the GNU Project Debugger. It is described on its project page
[http://www.gnu.org/software/gdb/] as allowing "you to see what is going on
`inside' another program while it executes -- or what another program was doing
at the moment it crashed."

DWARF is a information format standard used to represent debugging information
for a specific binary. While the first version was originally used in ELF, ELF
later moved to STABS. In more recent years, DWARF version 2.0 has been
reintroduced into ELF binaries. More information can be found at
http://dwarf.freestandards.org.


Impact
------

A successful exploit would result in the execution of arbitrary code on the
loading of a specially crafted executable.

This a viable mechanism for an attacker to escape restricted environments by
piggybacking exploit code on seeming harmless files often used for debugging.
In the worst case, this could allow for privilege escalation.


Workaround
----------

Do not use GDB on untrusted files that may have DWARF(2) debugging information,
e.g.  binaries and core files. There is no way to verify if an untrusted file
is safe to debug without investigating the debugging symbols manually.


Discussion
----------

Will Drewry <wad@google.com> of the Google Security Team has found multiple
exploitable vulnerabilities in the DWARF and DWARF2 code. Initially,
Tavis Ormandy <taviso@google.com>, also of the Google Security Team,
discovered a crash condition in GDB related to DWARF2 debugging information.
This discovery led to the further exploration of the condition, and the
discovery of the security implications.

The DWARF specification allows location description blocks containing a list of
operations to be used to determine the final real address for some debugging
symbol. GDB evaluates these operations on an unchecked stack buffer of size 64.
This allows for any location block (DW_FORM_block) with more than 64 operations
to overwrite the current stack frame with arbitrary user-supplied data.  This
behavior occurs in both dwarfread.c and dwarfread2.c.


Patch
-----

The following patch will work as a quick fix to the problem:

==== begin patch ====
diff -Naur gdb-6.5.orig/gdb/dwarf2read.c gdb-6.5/gdb/dwarf2read.c
--- gdb-6.5.orig/gdb/dwarf2read.c       2006-05-13 16:46:38.000000000 +0100
+++ gdb-6.5/gdb/dwarf2read.c    2006-08-14 21:37:33.000000000 +0100
@@ -8855,6 +8855,17 @@
                     dwarf_stack_op_name (op));
          return (stack[stacki]);
        }
+
+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
+         outside of the given size. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+        internal_error (__FILE__, __LINE__,
+                        _("location description stack too deep: %d"),
+                        stacki);
+      if (stacki <= 0)
+        internal_error (__FILE__, __LINE__,
+                        _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }
diff -Naur gdb-6.5.orig/gdb/dwarfread.c gdb-6.5/gdb/dwarfread.c
--- gdb-6.5.orig/gdb/dwarfread.c        2005-12-17 22:33:59.000000000 +0000
+++ gdb-6.5/gdb/dwarfread.c     2006-08-14 21:37:30.000000000 +0100
@@ -2224,6 +2224,17 @@
          stacki--;
          break;
        }
+
+      /* Enforce maximum stack depth of 63 to avoid ++stacki writing
+         outside of the given size. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof(stack)/sizeof(*stack) - 1)
+        internal_error (__FILE__, __LINE__,
+                        _("location description stack too deep: %d"),
+                        stacki);
+      if (stacki <= 0)
+        internal_error (__FILE__, __LINE__,
+                        _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }
==== end patch ====

Comment 1 Josh Bressers 2006-08-31 20:40:21 UTC
These issues also affect RHEL2.1 and RHEL3

Comment 3 Will Drewry 2006-09-01 06:57:21 UTC
Created attachment 135360 [details]
Patch for CVE-2006-4146

This is a replacement for the patch in the original advisory.

Comment 4 Alexandre Oliva 2006-09-04 06:17:12 UTC

*** This bug has been marked as a duplicate of 203876 ***

Comment 5 Josh Bressers 2006-09-12 16:53:29 UTC
*** Bug 203876 has been marked as a duplicate of this bug. ***

Comment 6 Jan Kratochvil 2006-10-15 01:15:40 UTC
Committed to CVS by aoliva, present in the collection "dist-4E-qu-candidate":

* Mon Sep  4 2006 Alexandre Oliva <aoliva@redhat.com> - 6.3.0.0-1.134
- Fix bug in patch for CVE-2006-4146. (BZ 203876)
* Wed Aug 23 2006 Alexandre Oliva <aoliva@redhat.com> - 6.3.0.0-1.133
- Avoid overflows and underflows in dwarf expression computation stack.


Comment 7 Jan Kratochvil 2007-01-04 17:05:19 UTC
Need all the three ACKs to pass Red Hat Errata Tool for RHEL-4.5.
The security fix has been already comitted to CVS a long time ago.


Comment 8 RHEL Product and Program Management 2007-01-04 17:10:17 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 9 Jay Turner 2007-01-04 19:17:26 UTC
QE ack for RHEL4.5.

Comment 13 Red Hat Bugzilla 2007-05-01 17:26:18 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0229.html



Note You need to log in before you can comment on or make changes to this bug.