Bug 23786 - Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils-0.174
Summary: Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils...
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: tools (show other bugs)
Version: unspecified
: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 08:25 UTC by wcventure
Modified: 2018-11-14 11:56 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-18 00:00:00


Attachments
POC1 (1.01 KB, application/x-archive)
2018-10-17 08:36 UTC, wcventure
Details
POC2 (1.01 KB, application/x-archive)
2018-10-17 08:38 UTC, wcventure
Details

Note You need to log in before you can comment on or make changes to this bug.
Description wcventure 2018-10-17 08:25:53 UTC
Hi,

I found some floating point exception in function arlib_add_symbols() in arlib.c of the latest elfutils-0.174 code base. I have confirmed them with GDB and Address Sanitizer.

Here are the POC files. Please use " ./eu-ranlib $POC " to reproduce this bug. I'll also show you the debugging process. It seems that this is caused by the divide-by-zero. 

In arlib.c:255, there exist a division calculation:

> int nsyms = shdr->sh_size / shdr->sh_entsize;

I can provide you some testcases to make shdr->sh_entsize = 0. And you can use the testcases to reproduce the bug. Divide by zero is bad. We need to make a check before doing division calculation.
Comment 1 wcventure 2018-10-17 08:36:45 UTC
Created attachment 11336 [details]
POC1

I have also confirmed them with Address Sanitizer.
The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==2496==ERROR: AddressSanitizer: FPE on unknown address 0x0000004065d8 (pc 0x0000004065d8 bp 0x7ffd4c109620 sp 0x7ffd4c109550 T0)
    #0 0x4065d7 in arlib_add_symbols /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255
    #1 0x4029c5 in handle_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:193
    #2 0x4029c5 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:110
    #3 0x7fc97b51982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x403d28 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-ranlib+0x403d28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255 in arlib_add_symbols
==2496==ABORTING
Aborted
Comment 2 wcventure 2018-10-17 08:38:00 UTC
Created attachment 11337 [details]
POC2

Please use " ./eu-ranlib $POC " to reproduce this bug. This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Comment 3 Mark Wielaard 2018-10-18 17:03:39 UTC
Thanks for the report. Proposed fix posted:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html
Comment 4 Mark Wielaard 2018-10-19 22:58:32 UTC
commit 2b16a9be69939822dcafe075413468daac98b327
Author: Mark Wielaard <mark@klomp.org>
Date:   Thu Oct 18 19:01:52 2018 +0200

    arlib: Check that sh_entsize isn't zero.
    
    A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
    but just assume there are no symbols in the section.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23786
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
Comment 5 Mark Wielaard 2018-11-14 11:50:04 UTC
For reference this was assigned CVE-2018-18521.

Note that this bug was not in a generic library, just in the code shared by the eu-ar and eu-ranlib binaries.