Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop in replacement for libelf).
During the fuzz of libdwarf, I noticed a memory allocation failure which involves elfutils.
To have a double-check, the bug was first reported to the libdwarf maintainer and then to the elfutils maintainer. Actually there is a proposed patch on the elfutils mailing list, but nobody commented.
EDIT: The patch has been committed, see below.
The complete ASan output:
# dwarfdump $FILE ==30083==ERROR: AddressSanitizer failed to allocate 0x8000003000 (549755826176) bytes of LargeMmapAllocator (error code: 12) ==30083==Process memory map follows: 0x000000400000-0x0000006bb000 /usr/bin/dwarfdump-asan 0x0000008ba000-0x0000008c2000 /usr/bin/dwarfdump-asan 0x0000008c2000-0x0000008ff000 /usr/bin/dwarfdump-asan 0x0000008ff000-0x0000015a3000 0x00007fff7000-0x00008fff7000 0x00008fff7000-0x02008fff7000 0x02008fff7000-0x10007fff8000 0x600000000000-0x602000000000 0x602000000000-0x602000010000 0x602000010000-0x603000000000 0x603000000000-0x603000010000 0x603000010000-0x604000000000 0x604000000000-0x604000010000 0x604000010000-0x607000000000 0x607000000000-0x607000010000 0x607000010000-0x611000000000 0x611000000000-0x611000010000 0x611000010000-0x612000000000 0x612000000000-0x612000010000 0x612000010000-0x613000000000 0x613000000000-0x613000010000 0x613000010000-0x614000000000 0x614000000000-0x614000020000 0x614000020000-0x619000000000 0x619000000000-0x619000020000 0x619000020000-0x61c000000000 0x61c000000000-0x61c000020000 0x61c000020000-0x61d000000000 0x61d000000000-0x61d000020000 0x61d000020000-0x624000000000 0x624000000000-0x624000020000 0x624000020000-0x625000000000 0x625000000000-0x625000020000 0x625000020000-0x640000000000 0x640000000000-0x640000003000 0x7f0afdc00000-0x7f0afdd00000 0x7f0afde00000-0x7f0afdf00000 0x7f0afdff0000-0x7f0b00342000 0x7f0b00342000-0x7f0b004d5000 /lib64/libc-2.22.so 0x7f0b004d5000-0x7f0b006d5000 /lib64/libc-2.22.so 0x7f0b006d5000-0x7f0b006d9000 /lib64/libc-2.22.so 0x7f0b006d9000-0x7f0b006db000 /lib64/libc-2.22.so 0x7f0b006db000-0x7f0b006df000 0x7f0b006df000-0x7f0b006f5000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1 0x7f0b006f5000-0x7f0b008f4000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1 0x7f0b008f4000-0x7f0b008f5000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1 0x7f0b008f5000-0x7f0b008f6000 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1 0x7f0b008f6000-0x7f0b008f8000 /lib64/libdl-2.22.so 0x7f0b008f8000-0x7f0b00af8000 /lib64/libdl-2.22.so 0x7f0b00af8000-0x7f0b00af9000 /lib64/libdl-2.22.so 0x7f0b00af9000-0x7f0b00afa000 /lib64/libdl-2.22.so 0x7f0b00afa000-0x7f0b00bf7000 /lib64/libm-2.22.so 0x7f0b00bf7000-0x7f0b00df6000 /lib64/libm-2.22.so 0x7f0b00df6000-0x7f0b00df7000 /lib64/libm-2.22.so 0x7f0b00df7000-0x7f0b00df8000 /lib64/libm-2.22.so 0x7f0b00df8000-0x7f0b00dfe000 /lib64/librt-2.22.so 0x7f0b00dfe000-0x7f0b00ffe000 /lib64/librt-2.22.so 0x7f0b00ffe000-0x7f0b00fff000 /lib64/librt-2.22.so 0x7f0b00fff000-0x7f0b01000000 /lib64/librt-2.22.so 0x7f0b01000000-0x7f0b01017000 /lib64/libpthread-2.22.so 0x7f0b01017000-0x7f0b01216000 /lib64/libpthread-2.22.so 0x7f0b01216000-0x7f0b01217000 /lib64/libpthread-2.22.so 0x7f0b01217000-0x7f0b01218000 /lib64/libpthread-2.22.so 0x7f0b01218000-0x7f0b0121c000 0x7f0b0121c000-0x7f0b01231000 /lib64/libz.so.1.2.8 0x7f0b01231000-0x7f0b01430000 /lib64/libz.so.1.2.8 0x7f0b01430000-0x7f0b01431000 /lib64/libz.so.1.2.8 0x7f0b01431000-0x7f0b01432000 /lib64/libz.so.1.2.8 0x7f0b01432000-0x7f0b01449000 /usr/lib64/libelf-0.166.so 0x7f0b01449000-0x7f0b01649000 /usr/lib64/libelf-0.166.so 0x7f0b01649000-0x7f0b0164a000 /usr/lib64/libelf-0.166.so 0x7f0b0164a000-0x7f0b0164b000 /usr/lib64/libelf-0.166.so 0x7f0b0164b000-0x7f0b0166d000 /lib64/ld-2.22.so 0x7f0b017f7000-0x7f0b01860000 0x7f0b01860000-0x7f0b0186c000 0x7f0b0186c000-0x7f0b0186d000 /lib64/ld-2.22.so 0x7f0b0186d000-0x7f0b0186e000 /lib64/ld-2.22.so 0x7f0b0186e000-0x7f0b0186f000 0x7ffff2f19000-0x7ffff2f3a000 [stack] 0x7ffff2f3d000-0x7ffff2f3f000 [vvar] 0x7ffff2f3f000-0x7ffff2f41000 [vdso] 0xffffffffff600000-0xffffffffff601000 [vsyscall] ==30083==End of process memory map. ==30083==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0) #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67 #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159 #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122 #4 0x4224df in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033 #5 0x4224df in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302 #6 0x4224df in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368 #7 0x4224df in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718 #8 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53 #9 0x7f0b0143c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318 #10 0x7f0b0143c5db in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:521 #11 0x580659 in dwarf_elf_object_access_load_section /tmp/dwarf-20161001/libdwarf/dwarf_elf_access.c:1312:16 #12 0x5b5142 in _dwarf_load_section /tmp/dwarf-20161001/libdwarf/dwarf_init_finish.c:1139:11 #13 0x6082ae in _dwarf_load_debug_info /tmp/dwarf-20161001/libdwarf/dwarf_util.c:855:11 #14 0x57043f in _dwarf_next_cu_header_internal /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:819:32 #15 0x572fcd in dwarf_next_cu_header_d /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:629:15 #16 0x512f4f in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:660:16 #17 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16 #18 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9 #19 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654 #20 0x7f0b0036261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #21 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)
Affected version:
0.166
Fixed version:
0.168
Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/thread/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/
Commit Fix:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=09ec02ec7f7e6913d10943148e2a898264345b07
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-10255
Reproducer:
https://github.com/asarubbo/poc/blob/master/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock
Timeline:
2016-10-03: bug discovered
2016-10-21: bug reported to upstream
2016-11-04: blog post about the issue
2016-11-10: upstream committed the proposed patch
2016-12-27: upstream released 0.168
2017-03-22: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)