Bug 23787 - eu-size: Bad handling of ar files inside ar files
Summary: eu-size: Bad handling of ar files inside ar files
Alias: None
Product: elfutils
Classification: Unclassified
Component: tools
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2018-10-17 12:00 UTC by wcventure
Modified: 2020-05-11 08:00 UTC (History)

See Also:
Last reconfirmed: 2018-10-18 00:00:00

POC1 (1.01 KB, application/x-archive)
2018-10-17 12:00 UTC, wcventure
POC2 (1.01 KB, application/x-archive)
2018-10-17 12:01 UTC, wcventure

Description wcventure 2018-10-17 12:00:15 UTC
Created attachment 11338

Our fuzzer found an Invalid Address Dereference problem in function elf_end in libelf in the latest elfutils-0.174 code base. I have confirmed it with Address Sanitizer, too.

The function elf_end is called by size.c. Here are the POC files. Please use " ./eu-size $POC " to reproduce this bug. 

The ASAN dumps the stack trace as follows:
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
    #0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
    #1 0x405aa2 in handle_ar /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
    #2 0x401c7a in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
    #3 0x401c7a in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
    #4 0x7f1a0ec0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4029f8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5) in elf_end
Comment 1 wcventure 2018-10-17 12:01:58 UTC
Created attachment 11339

Please use " ./eu-size $POC " to reproduce this bug. 

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Comment 2 Mark Wielaard 2018-10-18 23:05:45 UTC
Thanks. What is happening is that eu-size can handle ar files inside ar files, but when doing so it closes the (outer) ar file before handling all other entries in it.

Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html
Comment 3 Mark Wielaard 2018-10-19 22:59:22 UTC
commit 22d2d082d57a7470fadc0eae67179553f4919209
Author: Mark Wielaard <mark@klomp.org>
Date:   Thu Oct 18 23:15:48 2018 +0200

    size: Handle recursive ELF ar files.

    eu-size didn't handle an ELF ar file that contained an ar file itself
    correctly. handle_ar would recursively call itself but close the ELF
    file before returning. Only close the ELF file at the top-level.

    Signed-off-by: Mark Wielaard <mark@klomp.org>
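To make the ownership rule in that commit message concrete, here is an added example (not elfutils or libelf code): a minimal in-memory ar walker whose handle_ar recurses into nested archives the way eu-size does, but releases a handle only at the level that owns it. The Archive type, ar_begin/ar_end and the constructed nested archive are assumptions for the demonstration; only the 60-byte ar member header layout and "!<arch>\n" magic are the real format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define AR_HDR 60  /* member header: name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2] */
typedef struct { const unsigned char *data; size_t len; } Archive;

/* Open a handle on an archive byte range; NULL if the "!<arch>\n" magic is missing. */
static Archive *ar_begin(const unsigned char *buf, size_t len) {
    if (len < 8 || memcmp(buf, "!<arch>\n", 8) != 0) return NULL;
    Archive *a = malloc(sizeof *a); a->data = buf; a->len = len; return a;
}
static void ar_end(Archive *a) { free(a); }   /* the handle is invalid after this */

/* Walk members, recursing into nested archives; returns the leaf count or -1 on a bad header. */
static int handle_ar(Archive *a, int toplevel) {
    int leaves = 0;
    for (size_t off = 8; off + AR_HDR <= a->len; ) {
        const unsigned char *hdr = a->data + off;
        if (memcmp(hdr + 58, "`\n", 2) != 0) return -1;          /* ar_fmag check */
        char sz[11]; memcpy(sz, hdr + 48, 10); sz[10] = '\0';     /* decimal ASCII size */
        size_t size = strtoul(sz, NULL, 10);
        if (size > a->len - off - AR_HDR) return -1;              /* member must fit */
        Archive *inner = ar_begin(hdr + AR_HDR, size);
        if (inner) {                      /* nested archive: recurse as non-top-level */
            int r = handle_ar(inner, 0); ar_end(inner);  /* release the inner handle only */
            if (r < 0) return -1;
            leaves += r;
        } else leaves++;
        off += AR_HDR + size + (size & 1);                        /* members are 2-byte aligned */
    }
    /* Pre-fix eu-size closed here at every level, so the caller's loop then read a closed archive. */
    if (toplevel) ar_end(a);              /* only the top-level call owns the outer handle */
    return leaves;
}

/* Append one member (60-byte header + body, 2-byte aligned) to buf at *off. */
static void ar_add(unsigned char *buf, size_t *off, const char *name, const void *body, size_t size) {
    char hdr[AR_HDR + 1];
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n", name, "0", "0", "0", "644", size);
    memcpy(buf + *off, hdr, AR_HDR); memcpy(buf + *off + AR_HDR, body, size);
    *off += AR_HDR + size + (size & 1);
}

/* Constructed input: leaf, nested archive with 2 leaves, then the trailing leaf the pre-fix
 * code never reached because the outer handle was already closed. Returns 4. */
static int demo_nested_archive(void) {
    unsigned char inner[256] = "!<arch>\n", outer[512] = "!<arch>\n";
    size_t ilen = 8, olen = 8;
    ar_add(inner, &ilen, "a.o/", "AAA", 3); ar_add(inner, &ilen, "b.o/", "BBBB", 4);
    ar_add(outer, &olen, "x.o/", "X", 1);   ar_add(outer, &olen, "in.a/", inner, ilen);
    ar_add(outer, &olen, "y.o/", "YY", 2);
    Archive *top = ar_begin(outer, olen);
    return top ? handle_ar(top, 1) : -1;
}
```

Building with -fsanitize=address and moving the ar_end(a) call out of the `if (toplevel)` guard reproduces the pattern from the report: the outer loop touches a freed handle on the member after the nested archive.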
Comment 4 Mark Wielaard 2018-11-14 11:45:29 UTC
For reference this was assigned CVE-2018-18520.

Note that the description of the CVE is misleading.
The bug is in eu-size, not in libelf elf_end.