Bug 23787 - eu-size: Bad handling of ar files inside ar files
Summary: eu-size: Bad handling of ar files inside ar files
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: tools
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 12:00 UTC by wcventure
Modified: 2018-11-14 11:54 UTC
CC List: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-18 00:00:00


Attachments
POC1 (1.01 KB, application/x-archive)
2018-10-17 12:00 UTC, wcventure
POC2 (1.01 KB, application/x-archive)
2018-10-17 12:01 UTC, wcventure

Description wcventure 2018-10-17 12:00:15 UTC
Created attachment 11338 [details]
POC1

Hi,

Our fuzzer found an Invalid Address Dereference problem in function elf_end in libelf in the latest elfutils-0.174 code base. I have confirmed them with Address Sanitizer, too.

The function elf_end is called by size.c. Here are the POC files. Please use " ./eu-size $POC " to reproduce this bug. 

The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
    #0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
    #1 0x405aa2 in handle_ar /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
    #2 0x401c7a in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
    #3 0x401c7a in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
    #4 0x7f1a0ec0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4029f8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5) in elf_end
==21938==ABORTING
Aborted
Comment 1 wcventure 2018-10-17 12:01:58 UTC
Created attachment 11339 [details]
POC2

Please use " ./eu-size $POC " to reproduce this bug. 

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Comment 2 Mark Wielaard 2018-10-18 23:05:45 UTC
Thanks. What is happening is that eu-size can handle ar files inside ar files, but when doing so it closes the (outer) ar file before handling all other entries in it.

Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html
Comment 3 Mark Wielaard 2018-10-19 22:59:22 UTC
commit 22d2d082d57a7470fadc0eae67179553f4919209
Author: Mark Wielaard <mark@klomp.org>
Date:   Thu Oct 18 23:15:48 2018 +0200

    size: Handle recursive ELF ar files.
    
    eu-size didn't handle an ELF ar file that contained an ar file itself
    correctly. handle_ar would recursively call itself but close the ELF
    file before returning. Only close the ELF file at the top-level.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23787
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
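To make the ownership mistake described in Comment 2 and the commit message concrete, here is a constructed C model (added here; not the bug report's reproducer and not code from the elfutils patch). The `ArHandle` type, `touch()` and `close_handle()` are stand-ins for a libelf handle, `elf_next()` and `elf_end()`; the walker either closes the handle it was given at every recursion level (the pre-fix behaviour) or only at the top level (the fix), and counts the use-after-close and double-close events that the caller's loop then triggers.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a libelf handle on an ar member.  A member that
 * is itself an ar file carries its own nested members. */
typedef struct ArHandle {
    int nmembers;
    struct ArHandle **members;  /* members[i] == NULL models a plain ELF member */
    bool closed;                /* set once the handle has been "elf_end"ed */
} ArHandle;

/* Stand-in for elf_next(): returns 1 if the handle was already closed. */
static int touch(ArHandle *h) { return h->closed ? 1 : 0; }

/* Stand-in for elf_end(): returns 1 on a double close, else 0. */
static int close_handle(ArHandle *h) {
    int dup = h->closed ? 1 : 0;
    h->closed = true;
    return dup;
}

/* Walks an archive recursively and returns the number of lifetime errors
 * (use-after-close or double close) it triggers.  With close_in_callee set
 * it mimics the pre-fix eu-size: every recursion level closes the handle it
 * was given before returning, although that handle is owned by the caller's
 * loop.  Otherwise only the top level (depth 0) closes its own handle. */
static int handle_ar(ArHandle *ar, int depth, bool close_in_callee) {
    int errors = 0;
    for (int i = 0; i < ar->nmembers; i++) {
        ArHandle *member = ar->members[i];
        if (member == NULL)
            continue;                       /* plain ELF member: nothing to recurse into */
        errors += handle_ar(member, depth + 1, close_in_callee);
        errors += touch(member);            /* caller advances to the next member */
        errors += close_handle(member);     /* caller releases the member handle */
    }
    if (close_in_callee || depth == 0)
        errors += close_handle(ar);
    return errors;
}

/* Constructed archive layout: [ELF, ar{ELF, ELF}, ELF].  Returns the error
 * count for the buggy (close everywhere) or fixed (top level only) strategy. */
int run_nested_archive(bool close_in_callee) {
    ArHandle *inner_members[2] = { NULL, NULL };
    ArHandle inner = { 2, inner_members, false };
    ArHandle *outer_members[3] = { NULL, &inner, NULL };
    ArHandle outer = { 3, outer_members, false };
    return handle_ar(&outer, 0, close_in_callee);
}
```

With the pre-fix strategy the nested call closes the member handle, so the outer loop's next-member step and its own close both hit an already closed handle; with the fix the count is zero.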
Comment 4 Mark Wielaard 2018-11-14 11:45:29 UTC
For reference this was assigned CVE-2018-18520.

Note that the description of the CVE is misleading.
The bug is in eu-size, not in libelf elf_end.