Bug 22976 - global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
Summary: global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
Alias: None
Product: elfutils
Classification: Unclassified
Component: general
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2018-03-16 14:33 UTC by probefuzzer
Modified: 2018-03-31 12:22 UTC
Last reconfirmed: 2018-03-16 00:00:00

poc (3.40 KB, application/octet-stream)
2018-03-16 14:33 UTC, probefuzzer

Description probefuzzer 2018-03-16 14:33:39 UTC
Created attachment 10899

On the latest version (elfutils-0.170) and the master branch of elfutils:
there is a global-buffer-overflow in the ebl_dynamic_tag_name function (libebl/ebldynamictagname.c), which can be triggered by the POC below.

To reproduce the issue, compile elfutils with ASan and run: ./bin/eu-readelf -a $POC

==13884==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006c18d0 at pc 0x00000048e6b4 bp 0x7fffffffc5c0 sp 0x7fffffffc5b8
READ of size 8 at 0x0000006c18d0 thread T0
    #0 0x48e6b3 in ebl_dynamic_tag_name /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libebl/ebldynamictagname.c:59
    #1 0x47602b in handle_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1708
    #2 0x47602b in print_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1813
    #3 0x47602b in process_elf_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:911
    #4 0x479fde in process_dwflmod /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:707
    #5 0x7fe8230dc22c in dwfl_getmodules /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libdwfl/dwfl_getmodules.c:86
    #6 0x412568 in process_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:806
    #7 0x4059f3 in main /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:322
    #8 0x7fe8229b5c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #9 0x406493  (/home/xw48/GreedyFuzzing/product/elfutils/master-test/exe_asan/bin/eu-readelf+0x406493)
Comment 1 Mark Wielaard 2018-03-16 18:45:50 UTC
Thanks. The issue is that there is a new standard tag, SYMTAB_SHNDX, which we got through the new elf.h but didn't handle in ebldynamictagname.c.

To fix this, and to prevent this from happening in the future, I proposed the following patch:

commit 92581d7eb483cb039e60112b0a03a04c2ffa4df4
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Mar 16 19:42:17 2018 +0100

    libebl: Handle SYMTAB_SHNDX in ebl_dynamic_tag_name.

    SYMTAB_SHNDX was introduced when elf.h was imported, but not yet handled
    in ebl_dynamic_tag_name. Handle it and add an eu_static_assert to make
    sure stdtags always contains DT_NUM entries.

    Signed-off-by: Mark Wielaard <mark@klomp.org>

Comment 2 Mark Wielaard 2018-03-20 21:48:21 UTC
Pushed to master
Comment 3 Mark Wielaard 2018-03-26 12:17:24 UTC
I noticed there is a CVE linked to this bug report:

Note that this bug was NOT in a released version of elfutils.
It was introduced by the import of elf.h by:

commit 88f3d2daa107b09fdba376a82bce7ed534c93645
Author: Mark Wielaard <mark@klomp.org>
Date:   Sat Feb 17 00:23:19 2018 +0100

    libelf: Sync elf.h from glibc.

    Signed-off-by: Mark Wielaard <mark@klomp.org>

This was done after 0.170 was released.

But that commit was backported into the Fedora elfutils package as part of the elfutils-0.170-elf_sync.patch to add some other unrelated PowerPC improvements.