Bug 22976 - global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
Summary: global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-16 14:33 UTC by probefuzzer
Modified: 2018-03-31 12:22 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-03-16 00:00:00

Attachments
poc (3.40 KB, application/octet-stream)
2018-03-16 14:33 UTC, probefuzzer 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description probefuzzer 2018-03-16 14:33:39 UTC 
Created attachment 10899 [details]
poc

On latest version (elfutils-0.170) and master branch of elfutils:
there is a global-buffer-overflow in ebl_dynamic_tag_name function of (libebl/ebldynamictagname.c), which can be triggered by the POC below. 

To reproduce the issue, compile elfutils with asan and run: ./bin/eu-readelf -a $POC

==13884==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006c18d0 at pc 0x00000048e6b4 bp 0x7fffffffc5c0 sp 0x7fffffffc5b8
READ of size 8 at 0x0000006c18d0 thread T0
    #0 0x48e6b3 in ebl_dynamic_tag_name /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libebl/ebldynamictagname.c:59
    #1 0x47602b in handle_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1708
    #2 0x47602b in print_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1813
    #3 0x47602b in process_elf_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:911
    #4 0x479fde in process_dwflmod /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:707
    #5 0x7fe8230dc22c in dwfl_getmodules /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libdwfl/dwfl_getmodules.c:86
    #6 0x412568 in process_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:806
    #7 0x4059f3 in main /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:322
    #8 0x7fe8229b5c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #9 0x406493  (/home/xw48/GreedyFuzzing/product/elfutils/master-test/exe_asan/bin/eu-readelf+0x406493)
Comment 1 Mark Wielaard 2018-03-16 18:45:50 UTC 
Thanks. The issue is that there is a new standard SYMTAB_SHNDX which we got through the new elf.h, but didn't handle in ebldynamictagname.c.

To fix this, and to prevent this from happening in the future I proposed the following patch:

commit 92581d7eb483cb039e60112b0a03a04c2ffa4df4
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Mar 16 19:42:17 2018 +0100

    libebl: Handle SYMTAB_SHNDX in ebl_dynamic_tag_name.
    
    SYMTAB_SHNDX was introduced when elf.h was imported, but not yet handled
    in ebl_dynamic_tag_name. Handle it and add an eu_static_assert to make
    sure stdtags always contains DT_NUM entries.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=22976
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

https://sourceware.org/ml/elfutils-devel/2018-q1/msg00078.html
Comment 2 Mark Wielaard 2018-03-20 21:48:21 UTC 
Pushed to master
Comment 3 Mark Wielaard 2018-03-26 12:17:24 UTC 
I noticed there is a CVE linked to this bug report:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8769

Note that this bug was NOT in a released version of elfutils.
It was introduced by the import of elf.h by:

 commit 88f3d2daa107b09fdba376a82bce7ed534c93645
 Author: Mark Wielaard <mark@klomp.org>
 Date:   Sat Feb 17 00:23:19 2018 +0100
 
     libelf: Sync elf.h from glibc.
     
     Signed-off-by: Mark Wielaard <mark@klomp.org>

This was done after 0.170 was released.

But that commit was backported into the Fedora elfutils package as part of the elfutils-0.170-elf_sync.patch to add some other non-related PowerPC improvements.