Bug 23787 - eu-size: Bad handling of ar files inside ar files
Summary: eu-size: Bad handling of ar files inside ar files
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: tools
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 12:00 UTC by wcventure
Modified: 2021-09-28 12:58 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-18 00:00:00


Attachments
POC1 (1.01 KB, application/x-archive), 2018-10-17 12:00 UTC, wcventure
POC2 (1.01 KB, application/x-archive), 2018-10-17 12:01 UTC, wcventure

Description wcventure 2018-10-17 12:00:15 UTC
Created attachment 11338: POC1

Hi,

Our fuzzer found an Invalid Address Dereference problem in the function elf_end in libelf in the latest elfutils-0.174 code base. I have confirmed it with Address Sanitizer, too.

The function elf_end is called by size.c. Here are the POC files. Please use "./eu-size $POC" to reproduce this bug.

The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
    #0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
    #1 0x405aa2 in handle_ar /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
    #2 0x401c7a in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
    #3 0x401c7a in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
    #4 0x7f1a0ec0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4029f8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5) in elf_end
==21938==ABORTING
Aborted
Comment 1 wcventure 2018-10-17 12:01:58 UTC
Created attachment 11339: POC2

Please use "./eu-size $POC" to reproduce this bug.

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Comment 2 Mark Wielaard 2018-10-18 23:05:45 UTC
Thanks. What is happening is that eu-size can handle ar files inside ar files, but when doing so it closes the (outer) ar file before handling all other entries in it.

Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html
Comment 3 Mark Wielaard 2018-10-19 22:59:22 UTC
commit 22d2d082d57a7470fadc0eae67179553f4919209
Author: Mark Wielaard <mark@klomp.org>
Date:   Thu Oct 18 23:15:48 2018 +0200

    size: Handle recursive ELF ar files.
    
    eu-size didn't handle an ELF ar file that contained an ar file itself
    correctly. handle_ar would recursively call itself but close the ELF
    file before returning. Only close the ELF file at the top-level.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23787
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
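Comment 2 and the commit message describe an ownership error: the recursive handle_ar closed the archive handle it had been given before returning, so the caller's loop went on using a closed handle. The standalone C program below is an added illustration, not code from elfutils: it models the "close only at the top level" rule with a minimal reader for the standard ar format (8-byte magic, 60-byte member headers); ar_open, ar_close, walk, count_nested_members and the sample archive are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Minimal ar reader: "!<arch>\n" magic, then 60-byte member headers (size at 48, "`\n" at 58). */
#define AR_MAGIC "!<arch>\n"
#define AR_HDR 60
struct ar { unsigned char *data; size_t len, pos; };   /* pos starts past the magic */
static struct ar *ar_open(const unsigned char *p, size_t n) {
  struct ar *h = malloc(sizeof *h);
  h->data = malloc(n); memcpy(h->data, p, n); h->len = n; h->pos = 8; return h;
}
static void ar_close(struct ar *h) { free(h->data); free(h); }
/* Append one member (header + even-padded body) to buf; returns the new length. */
static size_t ar_add(unsigned char *buf, size_t n, const char *name, const char *body, size_t blen) {
  char hdr[AR_HDR + 1];
  snprintf(hdr, sizeof hdr, "%-16s%-12d%-6d%-6d%-8o%-10zu`\n", name, 0, 0, 0, 0644, blen);
  memcpy(buf + n, hdr, AR_HDR); n += AR_HDR;
  memcpy(buf + n, body, blen); n += blen;
  if (n & 1) buf[n++] = '\n';
  return n;
}
/* Count members, recursing into nested archives. Ownership rule from the fix: each handle is
   closed once, by whoever opened it (the buggy code closed h unconditionally at the end). */
static int walk(struct ar *h, int depth, int *count) {
  int rc = 0;
  while (rc == 0 && h->pos + AR_HDR <= h->len) {
    const unsigned char *hd = h->data + h->pos;
    size_t size = strtoul((const char *)hd + 48, NULL, 10);
    if (memcmp(hd + 58, "`\n", 2) != 0 || size > h->len - h->pos - AR_HDR) { rc = -1; break; }
    (*count)++;
    if (size >= 8 && memcmp(hd + AR_HDR, AR_MAGIC, 8) == 0) {
      struct ar *sub = ar_open(hd + AR_HDR, size);
      rc = walk(sub, depth + 1, count);
      ar_close(sub);                /* the loop that opened sub closes it */
    }
    h->pos += AR_HDR + size + (size & 1);
  }
  if (depth == 0) ar_close(h);      /* only the top-level call closes its own handle */
  return rc;
}
/* Constructed sample: outer = { a.o, inner.a = { b.o, c.o }, d.o }; d.o follows the nested one. */
int count_nested_members(void) {
  unsigned char in[256] = AR_MAGIC, out[512] = AR_MAGIC;
  size_t il = 8, ol = 8; int count = 0;
  il = ar_add(in, il, "b.o", "BB", 2);
  il = ar_add(in, il, "c.o", "CCCCCC", 6);
  ol = ar_add(out, ol, "a.o", "AAAA", 4);
  ol = ar_add(out, ol, "inner.a", (const char *)in, il);
  ol = ar_add(out, ol, "d.o", "DD", 2);
  return walk(ar_open(out, ol), 0, &count) == 0 ? count : -1;
}
```

Running it under AddressSanitizer with the close moved back into every recursion level reproduces the double close that the trace above shows as a crash in the outer loop.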
Comment 4 Mark Wielaard 2018-11-14 11:45:29 UTC
For reference this was assigned CVE-2018-18520.

Note that the description of the CVE is misleading.
The bug is in eu-size, not in libelf elf_end.