Description:
libdwarf is a library to consume and produce DWARF debug information.
A fuzzing run with the Undefined Behavior Sanitizer shows a negation whose result cannot be represented in type long long: negating the most negative 64-bit signed value, -9223372036854775808, is signed overflow and therefore undefined behaviour in C.
The complete UBSan output:
# dwarfdump $FILE
dwarf_leb.c:306:19: runtime error: negation of -9223372036854775808 cannot be represented in type 'Dwarf_Signed' (aka 'long long'); cast to an unsigned type to negate this value to itself
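As an added illustration (not libdwarf's code and not the upstream fix), the following C program shows how a signed LEB128 decoder can legitimately produce INT64_MIN from attacker-controlled bytes, why negating that value is the undefined behaviour UBSan reports, and how the unsigned-cast approach named in the sanitizer message avoids it. The decoder, the function names and the sample byte sequence are constructed for this example; only the file name dwarf_leb.c and the overflowing value come from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample: the 10-byte signed LEB128 encoding of INT64_MIN
 * (nine continuation bytes, then 0x7f carrying bit 63). */
static const uint8_t SLEB_INT64_MIN[] = {
    0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x7f
};

/* Minimal signed LEB128 decoder (hypothetical, not libdwarf's).
 * Returns the number of bytes consumed, or 0 on truncated/over-long input. */
size_t decode_sleb128(const uint8_t *p, size_t len, int64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t i = 0;
    uint8_t b;

    do {
        /* Reject truncated input and encodings longer than 64 bits. */
        if (i >= len || shift >= 64)
            return 0;
        b = p[i++];
        /* Unsigned arithmetic: shifting into bit 63 is well defined here. */
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);

    /* Sign-extend when the last payload bit (0x40) is set and room remains. */
    if (shift < 64 && (b & 0x40))
        result |= ~(uint64_t)0 << shift;

    *out = (int64_t)result;
    return i;
}

/* Convenience wrapper: decode the constructed sample. */
int64_t sample_min_value(void)
{
    int64_t v = 0;
    if (decode_sleb128(SLEB_INT64_MIN, sizeof SLEB_INT64_MIN, &v) == 0)
        return 0;
    return v;
}

/* Pre-check a practitioner can add before `-v`: only INT64_MIN overflows. */
bool negation_overflows(int64_t v)
{
    return v == INT64_MIN;
}

/* UB-free negation, as the UBSan message suggests: negate in unsigned
 * arithmetic, which wraps, so INT64_MIN maps to itself instead of being UB. */
int64_t negate_wrapping(int64_t v)
{
    uint64_t u = (uint64_t)v;
    return (int64_t)(0u - u);
}

/* Magnitude of a signed value without overflow: returned as unsigned so that
 * INT64_MIN yields 2^63 rather than wrapping back to itself. */
uint64_t magnitude(int64_t v)
{
    uint64_t u = (uint64_t)v;
    return v < 0 ? 0u - u : u;
}

int main(void)
{
    int64_t v = sample_min_value();
    printf("decoded %lld, negation overflows: %s\n",
           (long long)v, negation_overflows(v) ? "yes" : "no");
    printf("wrapping negation: %lld, magnitude: %llu\n",
           (long long)negate_wrapping(v), (unsigned long long)magnitude(v));
    return 0;
}
```

The decoder itself never hits the sanitizer because it builds the value in `uint64_t`; the hazard is entirely in what a caller does with the result afterwards, which is why a value-range check (or the unsigned negation) belongs at the point where the sign is flipped, not in the byte loop.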
Affected version:
20161021
Fixed version:
20161124
Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9558
Reproducer:
https://github.com/asarubbo/poc/blob/master/00050-libdwarf-negate-itself
Timeline:
2016-11-11: bug discovered and reported to upstream
2016-11-11: upstream released a patch
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
2016-11-24: upstream released 20161124
Note:
This bug was found with American Fuzzy Lop.