| Field | Value | Field | Value |
|---|---|---|---|
| Summary | NT_PLATFORM core file note should be a zero terminated string | | |
| Product | elfutils | Reporter | wcventure <wcventure> |
| Component | tools | Assignee | Not yet assigned to anyone <unassigned> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | elfutils-devel, mark |
| Priority | P2 | | |
| Version | unspecified | | |
| Target Milestone | --- | | |
| Host | | Target | |
| Build | | Last reconfirmed | 2019-01-16 00:00:00 |
| Attachments | POC1, POC2 | | |
Description

wcventure, 2019-01-12 09:28:38 UTC

Created attachment 11535
POC2

(In reply to wcventure from comment #0)
> A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom
> in elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted
> ELF input can cause segment faults and I have confirmed them with address
> sanitizer too.

Interesting. The same can be found running the reproducer under valgrind.

The issue is that when eu-readelf -n tries to print the values of a core file ELF note and sees a NT_PLATFORM type, it doesn't check that the value is a properly zero terminated string.

The simplest solution is to just not recognize such corrupt core file notes in ebl_core_note:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html

    commit de01cc6f9446187d69b9748bb3636361c79e77a4
    Author: Mark Wielaard <mark@klomp.org>
    Date:   Wed Jan 16 15:41:31 2019 +0100

        libebl: Check NT_PLATFORM core notes contain a zero terminated string.

        Most strings in core notes are fixed size. But NT_PLATFORM contains just
        a variable length string. Check that it is actually zero terminated
        before passing to readelf to print.

        https://sourceware.org/bugzilla/show_bug.cgi?id=24089

        Signed-off-by: Mark Wielaard <mark@klomp.org>

Pushed to master.

CVE-2019-7665

Note the CVE description is somewhat misleading, this is not a bug in libelf.
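The defect and its fix come down to one rule: a note descriptor is a bounded byte range, and it may only be handed to string-printing code once a NUL byte has been found inside that range. The program below is an added example written for this page; it is not elfutils code and does not reproduce `ebl_core_note` or `eu-readelf`. It walks a little-endian ELF note buffer with the common 32/64-bit note header layout, applies a bounded `memchr` check to every NT_PLATFORM descriptor before printing it, and rejects a note whose claimed sizes run past the buffer. `NT_PLATFORM` is taken as 5, the value in `<elf.h>`; `build_note` and `check_platform_note` are constructed helpers that exist only to assemble the sample notes (a well-formed one and one whose descriptor omits the terminator), not APIs of any real library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef NT_PLATFORM
#define NT_PLATFORM 5 /* same value as in <elf.h> */
#endif

/* ELF32 and ELF64 notes share this header: three 32-bit words (namesz,
   descsz, type), then the name and the descriptor, each padded to 4 bytes. */
#define NOTE_HDR_SIZE 12

static size_t align4 (size_t n) { return (n + 3) & ~(size_t) 3; }

/* Little-endian accessors; a real tool would honour the ELF data encoding. */
static uint32_t get32 (const unsigned char *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t) p[3] << 24); }
static void put32 (unsigned char *p, uint32_t v)
{ p[0] = (unsigned char) v; p[1] = (unsigned char) (v >> 8);
  p[2] = (unsigned char) (v >> 16); p[3] = (unsigned char) (v >> 24); }

/* The check the fix adds: the descriptor may be treated as a C string only if
   a NUL byte lies within its descsz bytes.  memchr is bounded by descsz, so no
   byte outside the descriptor is ever read. */
const char *
nt_platform_string (const unsigned char *desc, size_t descsz)
{
  if (descsz == 0 || memchr (desc, '\0', descsz) == NULL)
    return NULL;
  return (const char *) desc;
}

/* Walk a note buffer.  Returns the number of NT_PLATFORM notes rejected as
   unterminated, or -1 if a note's claimed sizes run past the buffer. */
int
scan_notes (const unsigned char *buf, size_t len)
{
  size_t off = 0;
  int rejected = 0;
  while (off < len)
    {
      if (len - off < NOTE_HDR_SIZE)
        return -1;
      uint32_t namesz = get32 (buf + off);
      uint32_t descsz = get32 (buf + off + 4);
      uint32_t type = get32 (buf + off + 8);
      size_t name_off = off + NOTE_HDR_SIZE;       /* <= len, checked above */
      if (namesz > len - name_off)
        return -1;
      size_t desc_off = name_off + align4 (namesz);
      if (desc_off > len || descsz > len - desc_off)
        return -1;
      if (type == NT_PLATFORM)
        {
          const char *s = nt_platform_string (buf + desc_off, descsz);
          if (s == NULL)
            rejected++;              /* corrupt note: refuse to print it */
          else
            printf ("NT_PLATFORM: %s\n", s);
        }
      off = desc_off + align4 (descsz);
    }
  return rejected;
}

/* Constructed helper (not an elfutils API): serialise one note into out and
   return the bytes written.  Caller provides NOTE_HDR_SIZE +
   align4(strlen(name)+1) + align4(descsz) bytes of room. */
size_t
build_note (unsigned char *out, const char *name, uint32_t type,
            const void *desc, uint32_t descsz)
{
  uint32_t namesz = (uint32_t) strlen (name) + 1;
  size_t off = 0;
  put32 (out + off, namesz); off += 4;
  put32 (out + off, descsz); off += 4;
  put32 (out + off, type);   off += 4;
  memset (out + off, 0, align4 (namesz));
  memcpy (out + off, name, namesz);
  off += align4 (namesz);
  memset (out + off, 0, align4 (descsz));
  memcpy (out + off, desc, descsz);
  off += align4 (descsz);
  return off;
}

/* Constructed helper: build a single "CORE" NT_PLATFORM note whose descriptor
   is the first descsz bytes of desc, then scan it.  Passing strlen(desc)
   rather than strlen(desc)+1 models a note that omits the terminator. */
int
check_platform_note (const char *desc, uint32_t descsz)
{
  unsigned char buf[64];
  if (NOTE_HDR_SIZE + align4 (5) + align4 (descsz) > sizeof buf)
    return -1;
  size_t n = build_note (buf, "CORE", NT_PLATFORM, desc, descsz);
  return scan_notes (buf, n);
}

int
main (void)
{
  printf ("well-formed note, rejected=%d\n", check_platform_note ("x86_64", 7));
  printf ("unterminated note, rejected=%d\n", check_platform_note ("x86_64", 6));
  return 0;
}
```

The well-formed note prints its platform string and yields a rejection count of 0; the note whose descriptor is 6 bytes of "x86_64" with no NUL is silently skipped and counted as rejected, which is the behaviour the commit describes for `ebl_core_note`. The bounds checks on `namesz` and `descsz` are the companion caveat: the descriptor length itself is attacker-controlled input, so it must be validated against the buffer before `memchr` is asked to scan it.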