24103 – dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated

Bug 24103 - dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated

Summary: dwfl_segment_report_module doesn't check whether the dyn data read from core ...

Status:	RESOLVED FIXED

Alias:	None

Product:	elfutils
Classification:	Unclassified
Component:	libdw (show other bugs)
Version:	unspecified

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-01-18 11:32 UTC by wcventure
Modified:	2019-01-31 14:45 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:	2019-01-20 00:00:00

Attachments
POC1 (3.73 KB, application/x-executable) 2019-01-18 11:32 UTC, wcventure	Details
POC2 (3.73 KB, application/x-executable) 2019-01-18 11:32 UTC, wcventure	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description wcventure 2019-01-18 11:32:03 UTC

Created attachment 11545 [details]
POC1

Different from Bug 24081 and Bug 24089. This error occur in function elf64_xlatetom.

Please use the "eu-stack --core=$POC"to reproduce the bug.


$git log

> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Wed Jan 16 12:25:57 2019 +0100
> 
>     libelf: Correct overflow check in note_xlate.
> 
>     We want to make sure the note_len doesn't overflow and becomes shorter
>     than the note header. But the namesz and descsz checks got the note header
>     size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> 
>     https://sourceware.org/bugzilla/show_bug.cgi?id=24084
> 
>     Signed-off-by: Mark Wielaard <mark@klomp.org>


The ASAN dumps the stack trace as follows:

> =================================================================
> ==7964==ERROR: AddressSanitizer: unknown-crash on address 0x7f5eace16000 at pc 0x7f5eabd97e2b bp 0x7ffc6b0f0680 sp 0x7ffc6b0efe28
> READ of size 983520 at 0x7f5eace16000 thread T0
>     #0 0x7f5eabd97e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
>     #1 0x7f5eaba8e510 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
>     #2 0x7f5eaba8e510 in elf64_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:100
>     #3 0x7f5eab7d6e6b in dwfl_segment_report_module /home/wencheng/Experiment/elfutils/libdwfl/dwfl_segment_report_module.c:807
>     #4 0x7f5eab7ef0dd in dwfl_core_file_report /home/wencheng/Experiment/elfutils/libdwfl/core-file.c:543
>     #5 0x4033a3 in parse_opt /home/wencheng/Experiment/elfutils/src/stack.c:590
>     #6 0x7f5eab013847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
>     #7 0x402860 in main /home/wencheng/Experiment/elfutils/src/stack.c:690
>     #8 0x7f5eaaf1f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #9 0x4030d8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-stack+0x4030d8)
> 
> Address 0x7f5eace16000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
>   0x0fec559babb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fec559bac00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==7964==ABORTING

Comment 1 wcventure 2019-01-18 11:32:14 UTC

Created attachment 11546 [details]
POC2

Comment 2 Mark Wielaard 2019-01-20 22:08:48 UTC

Thanks. Replicated under valgrind.
This is similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23752

We need to check if we got all the dynamic data we expected from the file.
Proposed patch:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html

Comment 3 Mark Wielaard 2019-01-22 16:44:32 UTC

commit da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Jan 20 23:05:56 2019 +0100

    libdwfl: Sanity check partial core file dyn data read.
    
    When reading the dyn data from the core file check if we got everything,
    or just part of the data.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=24103
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Pushed to master.

Comment 4 Mark Wielaard 2019-01-31 14:45:51 UTC

Apparently this bug got assigned CVE-2019-7150