Description:
libdwarf is a library to consume and produce DWARF debug information.
A fuzzing revealed an out bounds read,
The complete ASan output:
# dwarfdump $FILE ==22886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000de1c at pc 0x000000462c7c bp 0x7ffe80a3d230 sp 0x7ffe80a3c9e0 READ of size 1 at 0x61300000de1c thread T0 #0 0x462c7b in __interceptor_strlen /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 #1 0x60489f in _dwarf_get_size_of_val /tmp/dwarf-20161001/libdwarf/dwarf_util.c:267:21 #2 0x5f2834 in dwarf_attrlist /tmp/dwarf-20161001/libdwarf/dwarf_query.c:389:27 #3 0x519ed5 in print_one_die /tmp/dwarf-20161001/dwarfdump/print_die.c:1409:13 #4 0x51710c in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1047:36 #5 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1142:13 #6 0x5147cc in print_die_and_children /tmp/dwarf-20161001/dwarfdump/print_die.c:921:5 #7 0x5147cc in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:831 #8 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16 #9 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9 #10 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654 #11 0x7f7cd096261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #12 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588) 0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c) allocated by thread T0 here: #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52 #1 0x7f7cd1a3c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318 SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen Shadow bytes around the buggy address: 0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa 0x0c267fff9b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c267fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c267fff9bc0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa 0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==22886==ABORTING
Affected version:
20161001 and past
Fixed version:
20161124
Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13 and then https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2 (because of a mistake)
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8679
Timeline:
2016-10-04: bug discovered
2016-10-04: bug reported privately to upstream
2016-10-04: upstream realeased a patch
2016-10-06: blog post about the issue
2016-10-16: CVE Assigned
2016-11-24: upstream released 20161124
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libdwarf: heap-based buffer overflow in _dwarf_get_size_of_val (dwarf_util.c)