Bug 23752 - Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
Summary: Invalid Address Read problem in dwfl_segment_report_module.c when executing ....
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: libdw (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 23753 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-10-10 09:31 UTC by wcventure
Modified: 2018-11-14 11:53 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-14 00:00:00


Attachments
POC-stack (2.14 KB, application/x-executable)
2018-10-10 09:31 UTC, wcventure
Details

Note You need to log in before you can comment on or make changes to this bug.
Description wcventure 2018-10-10 09:31:18 UTC
Created attachment 11306 [details]
POC-stack

Hi there,

Our fuzzer caught Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
    #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
    #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
    #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
    #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541
    #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
    #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
    #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
    #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING
Comment 1 Mark Wielaard 2018-10-14 13:14:47 UTC
Replicated under valgrind:

==13295== Invalid read of size 4
==13295==    at 0x50825BD: consider_notes (dwfl_segment_report_module.c:486)
==13295==    by 0x50825BD: consider_phdr (dwfl_segment_report_module.c:529)
==13295==    by 0x50825BD: dwfl_segment_report_module (dwfl_segment_report_module.c:590)
==13295==    by 0x5086149: dwfl_core_file_report@@ELFUTILS_0.158 (core-file.c:541)
==13295==    by 0x4026AB: parse_opt (stack.c:590)
==13295==    by 0x58B4EB3: group_parse (argp-parse.c:256)
==13295==    by 0x58B4EB3: parser_finalize (argp-parse.c:603)
==13295==    by 0x58B4EB3: argp_parse (argp-parse.c:921)
==13295==    by 0x401C89: main (stack.c:690)
==13295==  Address 0x40b4114 is not stack'd, malloc'd or (recently) free'd
Comment 2 Mark Wielaard 2018-10-14 14:49:21 UTC
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html
Comment 3 Mark Wielaard 2018-10-14 15:03:42 UTC
*** Bug 23753 has been marked as a duplicate of this bug. ***
Comment 4 wcventure 2018-10-14 16:22:55 UTC
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
Comment 5 Mark Wielaard 2018-10-19 22:26:53 UTC
commit 20f9de9b5f704cec55df92406a50bcbcfca96acd
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Oct 14 16:45:48 2018 +0200

    libdwfl: Sanity check partial core file data reads.
    
    There were two issues when reading note data from a core file.
    We didn't check if the data we already had in a buffer was big
    enough. And if we did get the data, we should check if we got
    everything, or just a part of the data.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23752
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
Comment 6 Mark Wielaard 2018-11-14 11:53:30 UTC
For reference this was assigned CVE-2018-18310.