libdwarf: heap-based buffer overflow in get_attr_value (print_die.c)

Description:
libdwarf is a library to consume and produce DWARF debug information.

A fuzz on an updated version revealed a buffer overflow.

The complete ASan output:

# dwarfdump $FILE
==27395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000de1c at pc 0x000000528cd3 bp 0x7ffd980a63b0 sp 0x7ffd980a63a8
READ of size 1 at 0x61300000de1c thread T0
    #0 0x528cd2 in get_attr_value /tmp/dwarf-20161021/dwarfdump/print_die.c:4978:21
    #1 0x51e4a4 in print_attribute /tmp/dwarf-20161021/dwarfdump/print_die.c:3357:13
    #2 0x51a651 in print_one_die /tmp/dwarf-20161021/dwarfdump/print_die.c:1458:38
    #3 0x51710c in print_die_and_children_internal /tmp/dwarf-20161021/dwarfdump/print_die.c:1047:36
    #4 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161021/dwarfdump/print_die.c:1142:13
    #5 0x5147cc in print_die_and_children /tmp/dwarf-20161021/dwarfdump/print_die.c:921:5
    #6 0x5147cc in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:831
    #7 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16
    #8 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9
    #9 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #10 0x7f883beec61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #11 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c)
allocated by thread T0 here:
    #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f883cfc6206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dwarf-20161021/dwarfdump/print_die.c:4978:21 in get_attr_value
Shadow bytes around the buggy address:
  0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa
  0x0c267fff9b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bc0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27395==ABORTING

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00025-libdwarf-heapoverflow-get_attr_value

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libdwarf: heap-based buffer overflow in get_attr_value (print_die.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.