Description:
libdwarf is a library to consume and produce DWARF debug information.
Fuzzing an updated version revealed a memory allocation failure: do_decompress_zlib asks malloc for 0x62696c2f7273752f bytes (roughly 7 exabytes; the value is the ASCII string "/usr/lib" read as a little-endian 64-bit integer, a sign that the size field came from unrelated bytes of the malformed input). Without allocator_may_return_null=1 the ASan allocator aborts the process instead of returning NULL, so the practical impact on a consumer of untrusted DWARF is a crash.
The complete ASan output:
# dwarfdump $FILE
==27994==WARNING: AddressSanitizer failed to allocate 0x62696c2f7273752f bytes
==27994==AddressSanitizer's allocator is terminating the process instead of returning 0
==27994==If you don't like this behavior set allocator_may_return_null=1
==27994==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4cec76 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x42204c in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317
    #4 0x42204c in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359
    #5 0x42204c in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #6 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #7 0x5b582e in do_decompress_zlib /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1085:12
    #8 0x5b582e in _dwarf_load_section /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1159
    #9 0x5bb479 in dwarf_srcfiles /tmp/dwarf-20161021/libdwarf/./dwarf_line.c:336:11
    #10 0x5145cd in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:812:28
    #11 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16
    #12 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9
    #13 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #14 0x7f578f45a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #15 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)
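The failure mode above is an allocation sized by a field the input file controls. The following is an added example, not libdwarf's code and not the upstream fix: it parses an assumed ELF64 compression header (ch_type, ch_reserved, ch_size, ch_addralign, little-endian) and refuses to allocate for the declared uncompressed size unless it passes a policy cap, fits in size_t, and is plausible against the compressed payload (deflate cannot expand much beyond about 1032:1). The cap DEFAULT_MAX_DECOMPRESSED, the helper names and the sample section built by build_section are all constructed for this example; the one value taken from the page is the advisory's 0x62696c2f7273752f, which advisory_size() reproduces by reading the ASCII bytes "/usr/lib" as a little-endian integer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed header layout (ELF64 Chdr, little-endian), followed by the zlib stream:
 *   ch_type (4) | ch_reserved (4) | ch_size (8) | ch_addralign (8)
 * ch_size is what the producer CLAIMS the section decompresses to: untrusted. */
#define CHDR_LEN 24
#define ELFCOMPRESS_ZLIB 1

/* Hypothetical policy cap; a real consumer would derive it from the input file. */
#define DEFAULT_MAX_DECOMPRESSED ((size_t)256 * 1024 * 1024)

/* zlib documents deflate's best case as roughly 1032:1, so any claim far above
 * payload * 1032 is bogus regardless of the policy cap. */
#define DEFLATE_MAX_RATIO 1032

enum decomp_status {
    DECOMP_OK = 0,
    DECOMP_SHORT_HEADER,
    DECOMP_BAD_TYPE,
    DECOMP_SIZE_ZERO,
    DECOMP_SIZE_TOO_LARGE,
    DECOMP_ALLOC_FAILED
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd_le64(const unsigned char *p)
{
    return (uint64_t)rd_le32(p) | ((uint64_t)rd_le32(p + 4) << 32);
}

/* Validate the header of `sec` (sec_len bytes) and allocate the output buffer
 * only if the declared size passes every check. On DECOMP_OK the caller owns
 * *out (*out_len bytes) and would pass it to inflate()/uncompress() together
 * with the payload at sec + CHDR_LEN. Nothing is allocated on an error path. */
enum decomp_status prepare_decompress(const unsigned char *sec, size_t sec_len,
                                      size_t max_out,
                                      unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (sec_len < CHDR_LEN)
        return DECOMP_SHORT_HEADER;

    uint32_t ch_type = rd_le32(sec);
    uint64_t ch_size = rd_le64(sec + 8);
    size_t payload = sec_len - CHDR_LEN;

    if (ch_type != ELFCOMPRESS_ZLIB)
        return DECOMP_BAD_TYPE;
    if (ch_size == 0)
        return DECOMP_SIZE_ZERO;
    /* max_out is a size_t, so passing this check also guarantees ch_size fits. */
    if (ch_size > max_out ||
        ch_size > (uint64_t)payload * DEFLATE_MAX_RATIO + 64)
        return DECOMP_SIZE_TOO_LARGE;

    unsigned char *buf = malloc((size_t)ch_size);
    if (!buf)
        return DECOMP_ALLOC_FAILED;   /* report, never abort, on genuine OOM */
    *out = buf;
    *out_len = (size_t)ch_size;
    return DECOMP_OK;
}

/* Build a constructed section image: header plus `payload_len` filler bytes
 * standing in for a zlib stream. Returns the total length, 0 if buf is too small. */
size_t build_section(unsigned char *buf, size_t buf_cap,
                     uint32_t ch_type, uint64_t ch_size, size_t payload_len)
{
    if (buf_cap < CHDR_LEN + payload_len)
        return 0;
    memset(buf, 0, CHDR_LEN + payload_len);
    for (int i = 0; i < 4; i++) buf[i] = (unsigned char)(ch_type >> (8 * i));
    for (int i = 0; i < 8; i++) buf[8 + i] = (unsigned char)(ch_size >> (8 * i));
    buf[16] = 1;                                  /* ch_addralign = 1 */
    memset(buf + CHDR_LEN, 0xAA, payload_len);    /* fake compressed bytes */
    return CHDR_LEN + payload_len;
}

/* The advisory's requested size is exactly the 8 ASCII bytes "/usr/lib"
 * interpreted as a little-endian integer. */
uint64_t advisory_size(void)
{
    static const unsigned char text[8] = "/usr/lib";
    return rd_le64(text);
}

int main(void)
{
    unsigned char sec[64];
    unsigned char *out;
    size_t out_len, n;

    n = build_section(sec, sizeof sec, ELFCOMPRESS_ZLIB, advisory_size(), 20);
    printf("ch_size=0x%llx -> status %d\n", (unsigned long long)advisory_size(),
           (int)prepare_decompress(sec, n, DEFAULT_MAX_DECOMPRESSED, &out, &out_len));

    n = build_section(sec, sizeof sec, ELFCOMPRESS_ZLIB, 100, 20);
    printf("ch_size=100 -> status %d, allocated %zu bytes\n",
           (int)prepare_decompress(sec, n, DEFAULT_MAX_DECOMPRESSED, &out, &out_len), out_len);
    free(out);
    return 0;
}
```

The ratio bound is what catches sizes that are merely large rather than absurd: a 20-byte payload cannot legitimately inflate to 100000 bytes, and rejecting it up front keeps the decompressor from ever touching a buffer sized by the attacker. The same parse-then-bound-then-allocate order is the check to look for when reviewing the upstream fix.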
Affected version:
20161021
Fixed version:
20161124
Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00024-libdwarf-memalloc-do_decompress_zlib
Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue
2016-11-24: upstream released 20161124
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libdwarf: memory allocation failure in do_decompress_zlib (dwarf_init_finish.c)