Bug 23752

Summary: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
Product: elfutils Reporter: wcventure <wcventure>
Component: libdwAssignee: Not yet assigned to anyone <unassigned>
Severity: normal CC: elfutils-devel, mark
Priority: P2    
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2018-10-14 00:00:00
Attachments: POC-stack

Description wcventure 2018-10-10 09:31:18 UTC
Created attachment 11306 [details]

Hi there,

Our fuzzer caught Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:

==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
    #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
    #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
    #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
    #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541
    #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
    #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
    #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
    #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
Comment 1 Mark Wielaard 2018-10-14 13:14:47 UTC
Replicated under valgrind:

==13295== Invalid read of size 4
==13295==    at 0x50825BD: consider_notes (dwfl_segment_report_module.c:486)
==13295==    by 0x50825BD: consider_phdr (dwfl_segment_report_module.c:529)
==13295==    by 0x50825BD: dwfl_segment_report_module (dwfl_segment_report_module.c:590)
==13295==    by 0x5086149: dwfl_core_file_report@@ELFUTILS_0.158 (core-file.c:541)
==13295==    by 0x4026AB: parse_opt (stack.c:590)
==13295==    by 0x58B4EB3: group_parse (argp-parse.c:256)
==13295==    by 0x58B4EB3: parser_finalize (argp-parse.c:603)
==13295==    by 0x58B4EB3: argp_parse (argp-parse.c:921)
==13295==    by 0x401C89: main (stack.c:690)
==13295==  Address 0x40b4114 is not stack'd, malloc'd or (recently) free'd
Comment 2 Mark Wielaard 2018-10-14 14:49:21 UTC
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html
Comment 3 Mark Wielaard 2018-10-14 15:03:42 UTC
*** Bug 23753 has been marked as a duplicate of this bug. ***
Comment 4 wcventure 2018-10-14 16:22:55 UTC
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
Comment 5 Mark Wielaard 2018-10-19 22:26:53 UTC
commit 20f9de9b5f704cec55df92406a50bcbcfca96acd
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Oct 14 16:45:48 2018 +0200

    libdwfl: Sanity check partial core file data reads.
    There were two issues when reading note data from a core file.
    We didn't check if the data we already had in a buffer was big
    enough. And if we did get the data, we should check if we got
    everything, or just a part of the data.
    Signed-off-by: Mark Wielaard <mark@klomp.org>
Comment 6 Mark Wielaard 2018-11-14 11:53:30 UTC
For reference this was assigned CVE-2018-18310.