Bug 1623752 (CVE-2018-16062) - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
Summary: CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getarange...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1623753 1623754 1625260 1625515 1625516
Blocks: 1623755
TreeView+ depends on / blocked
 
Reported: 2018-08-30 06:21 UTC by Sam Fowler
Modified: 2019-09-29 14:57 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in elfutils in the way it reads DWARF address ranges information. Function dwarf_getaranges() in dwarf_getaranges.c does not properly check whether it reads beyond the limits of the ELF section. An attacker could use this flaw to cause a denial of service via a crafted file.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:19:11 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2197 None None None 2019-08-06 12:27:01 UTC

Description Sam Fowler 2018-08-30 06:21:21 UTC
Elfutils is vulnerable to a heap-based buffer over-read in the libdw/dwarf_getaranges.c:dwarf_getaranges() function. An attacker could exploit this to cause a crash in the eu-addr2line command via a crafted file.


Upstream Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=23541


Upstream Patch:

https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9

Comment 1 Sam Fowler 2018-08-30 06:21:55 UTC
Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1623753]

Comment 3 Sam Fowler 2018-08-30 06:27:41 UTC
Reproduced on F28 with elfutils-0.173-1.fc28.x86_64:

# eu-addr2line -e addr2line-buffer-over-flow1 -- 500 50 10 -1000
??:0
=================================================================
==30==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000001dc at pc 0x7f006dcdede6 bp 0x7ffe3f369f40 sp 0x7ffe3f369f30
READ of size 1 at 0x60f0000001dc thread T0
    #0 0x7f006dcdede5 in __libdw_find_attr /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97
    #1 0x7f006dcdb67b in dwarf_attr (/lib64/libdw.so.1+0x2667b)
    #2 0x7f006dd05e85 in __libdw_intern_next_unit /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:187
    #3 0x7f006dd06417 in __libdw_findcu /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/libdw_findcu.c:250
    #4 0x7f006dcfdb13 in dwarf_getaranges (/lib64/libdw.so.1+0x48b13)
    #5 0x7f006dd4309c in addrarange cu.c:54
    #6 0x7f006dd4309c in __libdwfl_addrcu cu.c:313
    #7 0x7f006dd449b9 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f9b9)
    #8 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #9 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #10 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #11 0x5572d9986fb9  (/usr/bin/eu-addr2line+0x4fb9)

0x60f0000001dc is located 0 bytes to the right of 172-byte region [0x60f000000130,0x60f0000001dc)
allocated by thread T0 here:
    #0 0x7f006e094c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7f006da91863 in convert_data /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:149
    #2 0x7f006da91863 in __libelf_set_data_list_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:431
    #3 0x7f006da91ce8 in __elf_getdata_rdlock /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libelf/elf_getdata.c:538
    #4 0x7f006dcd6960 in check_section /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:167
    #5 0x7f006dcd78b2 in global_read /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/dwarf_begin_elf.c:310
    #6 0x7f006dd3633e in load_dw dwfl_module_getdwarf.c:1340
    #7 0x7f006dd369a7 in find_dw dwfl_module_getdwarf.c:1390
    #8 0x7f006dd44996 in dwfl_module_getsrc (/lib64/libdw.so.1+0x8f996)
    #9 0x5572d99886e7  (/usr/bin/eu-addr2line+0x66e7)
    #10 0x5572d9986b82  (/usr/bin/eu-addr2line+0x4b82)
    #11 0x7f006d34424a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/elfutils-0.173-1.fc28.x86_64/libdw/memory-access.h:97 in __libdw_find_attr
Shadow bytes around the buggy address:
  0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Comment 7 errata-xmlrpc 2019-08-06 12:27:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197

Comment 8 Product Security DevOps Team 2019-08-06 13:19:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16062


Note You need to log in before you can comment on or make changes to this bug.