Bug 24102

Summary: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
Product: elfutils Reporter: wcventure <wcventure>
Component: libdwAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: elfutils-devel, mark
Priority: P2    
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2019-01-20 00:00:00
Attachments: POC1
POC2
POC3

Description wcventure 2019-01-18 11:17:03 UTC 
Created attachment 11542 [details]
POC1

Hi, 

A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw, as distributed in ELFutils 0.175. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.

$git log

> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Wed Jan 16 12:25:57 2019 +0100
> 
>     libelf: Correct overflow check in note_xlate.
> 
>     We want to make sure the note_len doesn't overflow and becomes shorter
>     than the note header. But the namesz and descsz checks got the note header
>     size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> 
>     https://sourceware.org/bugzilla/show_bug.cgi?id=24084
> 
>     Signed-off-by: Mark Wielaard <mark@klomp.org>

The ASAN dumps the stack trace as follows:

> =================================================================
> ==17493==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000003fc at pc 0x7fa8ef1fc077 bp 0x7ffebd930000 sp 0x7ffebd92fff0
> READ of size 1 at 0x6100000003fc thread T0
>     #0 0x7fa8ef1fc076 in read_srclines /elfutils/libdw/dwarf_getsrclines.c:474
>     #1 0x7fa8ef1fd149 in __libdw_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1118
>     #2 0x7fa8ef1fdefc in dwarf_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1208
>     #3 0x7fa8ef20a146 in dwarf_getsrcfiles /elfutils/libdw/dwarf_getsrcfiles.c:92
>     #4 0x407f71 in get_local_names /elfutils/src/nm.c:644
>     #5 0x407f71 in show_symbols /elfutils/src/nm.c:1285
>     #6 0x40ef63 in handle_elf /elfutils/src/nm.c:1578
>     #7 0x403964 in process_file /elfutils/src/nm.c:374
>     #8 0x403964 in main /elfutils/src/nm.c:249
>     #9 0x7fa8ee5a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #10 0x404608 in _start (/elfutils/build/bin/eu-nm+0x404608)
> 
> 0x6100000003fc is located 0 bytes to the right of 188-byte region [0x610000000340,0x6100000003fc)
> allocated by thread T0 here:
>     #0 0x7fa8ef682b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
>     #1 0x7fa8eef3a08f in convert_data /elfutils/libelf/elf_getdata.c:157
>     #2 0x7fa8eef3a08f in __libelf_set_data_list_rdlock /elfutils/libelf/elf_getdata.c:447
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /elfutils/libdw/dwarf_getsrclines.c:474 in read_srclines
> Shadow bytes around the buggy address:
>   0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
>   0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==17493==ABORTING
Comment 1 wcventure 2019-01-18 11:17:19 UTC 
Created attachment 11543 [details]
POC2
Comment 2 wcventure 2019-01-18 11:17:46 UTC 
Created attachment 11544 [details]
POC3
Comment 3 Mark Wielaard 2019-01-20 21:27:08 UTC 
Nice find. Replicated using valgrind on the reproducers.

We would assume the dir and file tables were properly terminated by a NUL byte. But if that wasn't actually there we could read one byte past the end of the data buffer. A similar issue was in readelf.c (although it is harder to trigger since readlelf has more sanity checks before it can get to this point).

Proposed fix:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html
Comment 4 Mark Wielaard 2019-01-22 17:16:54 UTC 
commit 2562759d6fe5b364fe224852e64e8bda39eb2e35
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Jan 20 22:10:18 2019 +0100

    libdw: Check terminating NUL byte in dwarf_getsrclines for dir/file table.
    
    For DWARF version < 5 the .debug_line directory and file tables consist
    of a terminating NUL byte after all strings. The code used to just skip
    this without checking it actually existed. This could case a spurious
    read past the end of data.
    
    Fix the same issue in readelf.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=24102
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Pushed to master.
Comment 5 Mark Wielaard 2019-01-31 14:46:11 UTC 
Apparently this bug got assigned CVE-2019-7149