Summary: | Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC | ||
---|---|---|---|
Product: | elfutils | Reporter: | wcventure <wcventure> |
Component: | libdw | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | elfutils-devel, mark |
Priority: | P2 | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | 2018-10-14 00:00:00 | |
Attachments: | POC-stack |
Replicated under valgrind: ==13295== Invalid read of size 4 ==13295== at 0x50825BD: consider_notes (dwfl_segment_report_module.c:486) ==13295== by 0x50825BD: consider_phdr (dwfl_segment_report_module.c:529) ==13295== by 0x50825BD: dwfl_segment_report_module (dwfl_segment_report_module.c:590) ==13295== by 0x5086149: dwfl_core_file_report@@ELFUTILS_0.158 (core-file.c:541) ==13295== by 0x4026AB: parse_opt (stack.c:590) ==13295== by 0x58B4EB3: group_parse (argp-parse.c:256) ==13295== by 0x58B4EB3: parser_finalize (argp-parse.c:603) ==13295== by 0x58B4EB3: argp_parse (argp-parse.c:921) ==13295== by 0x401C89: main (stack.c:690) ==13295== Address 0x40b4114 is not stack'd, malloc'd or (recently) free'd Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html *** Bug 23753 has been marked as a duplicate of this bug. *** Thanks for paying attention to this problem and proposing to fix it in time. This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. commit 20f9de9b5f704cec55df92406a50bcbcfca96acd Author: Mark Wielaard <mark@klomp.org> Date: Sun Oct 14 16:45:48 2018 +0200 libdwfl: Sanity check partial core file data reads. There were two issues when reading note data from a core file. We didn't check if the data we already had in a buffer was big enough. And if we did get the data, we should check if we got everything, or just a part of the data. https://sourceware.org/bugzilla/show_bug.cgi?id=23752 Signed-off-by: Mark Wielaard <mark@klomp.org> For reference this was assigned CVE-2018-18310. |
Created attachment 11306 [details] POC-stack Hi there, Our fuzzer caught Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know. The ASAN dumps the stack trace as follows: ASAN:DEADLYSIGNAL ================================================================= ==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0) ==9753==The signal is caused by a READ memory access. #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529 #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590 #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541 #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590 #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847) #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690 #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes ==9753==ABORTING