| Summary: | Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils-0.174 | ||
|---|---|---|---|
| Product: | elfutils | Reporter: | wcventure <wcventure> |
| Component: | tools | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | CC: | mark, namboru |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | 2018-10-18 00:00:00 | |
| Attachments: |
POC1
POC2 |
||
Created attachment 11336 [details]
POC1
I have also confirmed them with Address Sanitizer.
The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==2496==ERROR: AddressSanitizer: FPE on unknown address 0x0000004065d8 (pc 0x0000004065d8 bp 0x7ffd4c109620 sp 0x7ffd4c109550 T0)
#0 0x4065d7 in arlib_add_symbols /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255
#1 0x4029c5 in handle_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:193
#2 0x4029c5 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:110
#3 0x7fc97b51982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403d28 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-ranlib+0x403d28)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255 in arlib_add_symbols
==2496==ABORTING
Aborted
Created attachment 11337 [details]
POC2
Please use " ./eu-ranlib $POC " to reproduce this bug. This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Thanks for the report. Proposed fix posted: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html commit 2b16a9be69939822dcafe075413468daac98b327 Author: Mark Wielaard <mark@klomp.org> Date: Thu Oct 18 19:01:52 2018 +0200 arlib: Check that sh_entsize isn't zero. A bogus ELF file could have sh_entsize as zero. Don't divide by zero, but just assume there are no symbols in the section. https://sourceware.org/bugzilla/show_bug.cgi?id=23786 Signed-off-by: Mark Wielaard <mark@klomp.org> For reference this was assigned CVE-2018-18521. Note that this bug was not in a generic library, just in the code shared by the eu-ar and eu-ranlib binaries. Bully Anniversary Edition: https://modandroidapk.com/bully-anniversary-edition/ I’m a regular user of this site. It’s a good site. I’m an IT student and I face lots of difficulties during my projects. And this site always saves me. It helps me a lot in my projects. Thank you so much for that. http://liveplantbasedlife.com/veganism/obtaining-the-nutrients-you-need-from-a-vegan-diet/ Nice content. Thanks for this wonderful content!! My site: <a href="https://apkmod1.com/"> Ultra gamers </a> <a href="https://doneapk.com/">Doneapk</a> I really enjoy reading this blog as it has very authentic information that i love to know and practice Info jasa SEO Indonesia https://seohandal.id |
Hi, I found some floating point exception in function arlib_add_symbols() in arlib.c of the latest elfutils-0.174 code base. I have confirmed them with GDB and Address Sanitizer. Here are the POC files. Please use " ./eu-ranlib $POC " to reproduce this bug. I'll also show you the debugging process. It seems that this is caused by the divide-by-zero. In arlib.c:255, there exist a division calculation: > int nsyms = shdr->sh_size / shdr->sh_entsize; I can provide you some testcases to make shdr->sh_entsize = 0. And you can use the testcases to reproduce the bug. Divide by zero is bad. We need to make a check before doing division calculation.