Created attachment 11338
Our fuzzer found an Invalid Address Dereference problem in function elf_end in libelf in the latest elfutils-0.174 code base. I have confirmed it with Address Sanitizer, too.
The function elf_end is called by size.c. Here are the POC files. Please use "./eu-size $POC" to reproduce this bug.
ASAN dumps the stack trace as follows:
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
#0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
#1 0x405aa2 in handle_ar /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
#2 0x401c7a in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
#3 0x401c7a in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
#4 0x7f1a0ec0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4029f8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5) in elf_end
Created attachment 11339
Please use "./eu-size $POC" to reproduce this bug.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. If you have any questions, please let me know.
Thanks. What is happening is that eu-size can handle ar files inside ar files, but when doing so it closes the (outer) ar file before handling all other entries in it.
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html
Author: Mark Wielaard <email@example.com>
Date: Thu Oct 18 23:15:48 2018 +0200
size: Handle recursive ELF ar files.
eu-size didn't handle an ELF ar file that contained an ar file itself
correctly. handle_ar would recursively call itself but close the ELF
file before returning. Only close the ELF file at the top-level.
Signed-off-by: Mark Wielaard <firstname.lastname@example.org>
For reference this was assigned CVE-2018-18520.
Note that the description of the CVE is misleading.
The bug is in eu-size, not in libelf elf_end.
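The handle-lifetime mistake described above, as an added example that is not eu-size or libelf code: a self-contained C walker for the ar archive format in which struct ar_handle stands in for libelf's Elf*, ar_close() for elf_end(), ar_next() for elf_next(), and the nested sample archive is constructed in memory. handle_ar() takes a flag that selects either the pre-fix structure (the recursive call closes the handle it was given before returning) or the fixed rule from the commit message (only the top-level call closes its handle); the walker returns -1 where the real program went on to dereference a torn-down handle. All names here are this example's own.

```c
/* Added example, not elfutils code: a tiny ar(1) walker modelling the
 * handle-ownership rule behind the eu-size fix. struct ar_handle stands in
 * for libelf's Elf*, ar_close() for elf_end(), ar_next() for elf_next(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_MAGIC "!<arch>\n"
#define AR_MAGIC_LEN 8
#define AR_HDR_SIZE 60

struct ar_handle {
    const uint8_t *data;  /* member body; NULL once closed */
    size_t len;           /* body length; 0 once closed */
    size_t start;         /* body offset inside the parent archive */
    bool closed;
};

static void ar_close(struct ar_handle *h) {
    h->data = NULL; h->len = 0; h->closed = true;
}

/* Offset of the following member in the parent (elf_next analog). Like a
 * freed Elf*, a closed handle no longer knows it: returns SIZE_MAX. */
static size_t ar_next(const struct ar_handle *h) {
    if (h->closed) return SIZE_MAX;
    return h->start + h->len + (h->len & 1);  /* bodies are 2-byte aligned */
}

/* Count leaf (non-archive) members of h, recursing into nested archives.
 * close_in_callee=true reproduces the pre-fix structure, where the recursive
 * call closed the handle it was given; false applies the fixed rule that
 * only the top-level call closes its handle. Returns -1 on a malformed
 * header or when the walk touches a closed handle (the sanitised stand-in
 * for the SEGV in the report). */
static long handle_ar(struct ar_handle *h, bool top_level, bool close_in_callee) {
    long leaves = 0;
    size_t off = AR_MAGIC_LEN;
    while (off + AR_HDR_SIZE <= h->len) {
        const uint8_t *hdr = h->data + off;
        if (memcmp(hdr + 58, "`\n", 2) != 0) return -1;       /* bad fmag */
        /* Decimal ASCII size field at +48; strtoul stops at the pad/fmag. */
        size_t size = strtoul((const char *)hdr + 48, NULL, 10);
        if (size > h->len - off - AR_HDR_SIZE) return -1;      /* truncated */
        struct ar_handle sub = { hdr + AR_HDR_SIZE, size, off + AR_HDR_SIZE, false };
        if (size >= AR_MAGIC_LEN && memcmp(sub.data, AR_MAGIC, AR_MAGIC_LEN) == 0) {
            long r = handle_ar(&sub, false, close_in_callee);
            if (r < 0) return -1;
            leaves += r;
        } else {
            leaves += 1;
        }
        /* The caller created sub and still needs it to advance; in the
         * pre-fix code the callee had already closed it by now. */
        size_t next = ar_next(&sub);
        if (next == SIZE_MAX) return -1;
        ar_close(&sub);
        off = next;
    }
    if (top_level || close_in_callee) ar_close(h);
    return leaves;
}

/* Append one member (60-byte header, body, pad byte if odd) at off. */
static size_t ar_add(uint8_t *buf, size_t off, const char *name,
                     const void *body, size_t size) {
    char hdr[AR_HDR_SIZE + 1];
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n",
             name, "0", "0", "0", "644", size);
    memcpy(buf + off, hdr, AR_HDR_SIZE);
    memcpy(buf + off + AR_HDR_SIZE, body, size);
    off += AR_HDR_SIZE + size;
    if (size & 1) buf[off++] = '\n';
    return off;
}

/* Constructed sample: outer.a = { inner.a = { a.o }, b.o }, i.e. two leaves. */
static size_t build_sample(uint8_t *out) {
    uint8_t inner[128];
    memcpy(inner, AR_MAGIC, AR_MAGIC_LEN);
    size_t ilen = ar_add(inner, AR_MAGIC_LEN, "a.o/", "AAA", 3);
    memcpy(out, AR_MAGIC, AR_MAGIC_LEN);
    size_t olen = ar_add(out, AR_MAGIC_LEN, "inner.a/", inner, ilen);
    return ar_add(out, olen, "b.o/", "BBBBB", 5);
}

/* Walk the sample under either closing rule; 2 for fixed, -1 for pre-fix. */
static long walk_sample(bool close_in_callee) {
    uint8_t buf[512];
    size_t len = build_sample(buf);
    struct ar_handle top = { buf, len, 0, false };
    return handle_ar(&top, true, close_in_callee);
}

int main(void) {
    printf("fixed rule:   %ld leaf members\n", walk_sample(false));
    printf("pre-fix rule: %ld (-1: walked into a closed handle)\n", walk_sample(true));
    return 0;
}
```

The point the model makes is the one in the commit message: whoever opens a member handle (the loop that iterates the parent, via elf_begin in the real code) is the one who may close it, because it still needs that handle to find the next member; a recursive callee only borrows it. In libelf the equivalent of ar_next() on a closed handle reads through freed memory, which is what the ASAN trace above shows as a SEGV inside elf_end rather than a clean error.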