Bug 24103 - dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated
Summary: dwfl_segment_report_module doesn't check whether the dyn data read from core ...
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: libdw (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-18 11:32 UTC by wcventure
Modified: 2019-01-31 14:45 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-01-20 00:00:00


Attachments
POC1 (3.73 KB, application/x-executable)
2019-01-18 11:32 UTC, wcventure
Details
POC2 (3.73 KB, application/x-executable)
2019-01-18 11:32 UTC, wcventure
Details

Note You need to log in before you can comment on or make changes to this bug.
Description wcventure 2019-01-18 11:32:03 UTC
Created attachment 11545 [details]
POC1

Different from Bug 24081 and Bug 24089. This error occur in function elf64_xlatetom.

Please use the "eu-stack --core=$POC"to reproduce the bug.


$git log

> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Wed Jan 16 12:25:57 2019 +0100
> 
>     libelf: Correct overflow check in note_xlate.
> 
>     We want to make sure the note_len doesn't overflow and becomes shorter
>     than the note header. But the namesz and descsz checks got the note header
>     size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> 
>     https://sourceware.org/bugzilla/show_bug.cgi?id=24084
> 
>     Signed-off-by: Mark Wielaard <mark@klomp.org>


The ASAN dumps the stack trace as follows:

> =================================================================
> ==7964==ERROR: AddressSanitizer: unknown-crash on address 0x7f5eace16000 at pc 0x7f5eabd97e2b bp 0x7ffc6b0f0680 sp 0x7ffc6b0efe28
> READ of size 983520 at 0x7f5eace16000 thread T0
>     #0 0x7f5eabd97e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
>     #1 0x7f5eaba8e510 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
>     #2 0x7f5eaba8e510 in elf64_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:100
>     #3 0x7f5eab7d6e6b in dwfl_segment_report_module /home/wencheng/Experiment/elfutils/libdwfl/dwfl_segment_report_module.c:807
>     #4 0x7f5eab7ef0dd in dwfl_core_file_report /home/wencheng/Experiment/elfutils/libdwfl/core-file.c:543
>     #5 0x4033a3 in parse_opt /home/wencheng/Experiment/elfutils/src/stack.c:590
>     #6 0x7f5eab013847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
>     #7 0x402860 in main /home/wencheng/Experiment/elfutils/src/stack.c:690
>     #8 0x7f5eaaf1f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #9 0x4030d8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-stack+0x4030d8)
> 
> Address 0x7f5eace16000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
>   0x0fec559babb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fec559bac00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==7964==ABORTING
Comment 1 wcventure 2019-01-18 11:32:14 UTC
Created attachment 11546 [details]
POC2
Comment 2 Mark Wielaard 2019-01-20 22:08:48 UTC
Thanks. Replicated under valgrind.
This is similar to https://sourceware.org/bugzilla/show_bug.cgi?id=23752

We need to check if we got all the dynamic data we expected from the file.
Proposed patch:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html
Comment 3 Mark Wielaard 2019-01-22 16:44:32 UTC
commit da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Jan 20 23:05:56 2019 +0100

    libdwfl: Sanity check partial core file dyn data read.
    
    When reading the dyn data from the core file check if we got everything,
    or just part of the data.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=24103
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Pushed to master.
Comment 4 Mark Wielaard 2019-01-31 14:45:51 UTC
Apparently this bug got assigned CVE-2019-7150