{"id":1172,"date":"2017-02-01T11:14:55","date_gmt":"2017-02-01T09:14:55","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1172"},"modified":"2017-02-01T11:14:55","modified_gmt":"2017-02-01T09:14:55","slug":"pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c\/","title":{"rendered":"pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/gitweb.gentoo.org\/proj\/pax-utils.git\">pax-utils<\/a> is a set of tools that check files for security relevant properties.<\/p>\n<p>A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately.<br \/>\nUnfortunately I can&#8217;t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb.<\/p>\n<pre><font size=\"2\"># scanelf -s '*' -axetrnibSDIYZB $FILE\r\n==32758==ERROR: AddressSanitizer: unknown-crash on address 0x7f8f9fa252dc at pc 0x00000053c6a0 bp 0x7ffe93a19910 sp 0x7ffe93a19908 \r\nREAD of size 4 at 0x7f8f9fa252dc thread T0                                                                                                                                                                                                                                      \r\n   #0 0x53c69f  (\/usr\/bin\/scanelf+0x53c69f) \r\n   #1 0x51d649  (\/usr\/bin\/scanelf+0x51d649) \r\n   #2 0x51b97e  (\/usr\/bin\/scanelf+0x51b97e) \r\n   #3 0x51ad43  (\/usr\/bin\/scanelf+0x51ad43) \r\n   #4 0x51922e  (\/usr\/bin\/scanelf+0x51922e) \r\n   #5 0x7f8f9e7fd61f  (\/lib64\/libc.so.6+0x2061f) \r\n   #6 0x41a008  (\/usr\/bin\/scanelf+0x41a008) \r\n\r\n(gdb) bt\r\n#8  0x000000000053c6a0 in scanelf_file_get_symtabs (elf=, sym=0x7fffffffcc00, str=0x7fffffffcc20) at scanelf.c:357\r\n#9  0x000000000051d64a in scanelf_file_sym (elf=0x60700000de60, found_sym=) at scanelf.c:1327\r\n#10 scanelf_elfobj (elf=) at scanelf.c:1547\r\n#11 0x000000000051b97f in scanelf_elf (filename=0x7fffffffe50e \"1.crashes\", fd=, len=) at scanelf.c:1612\r\n#12 scanelf_fileat (dir_fd=, filename=, st_cache=) at scanelf.c:1679\r\n#13 0x000000000051ad44 in scanelf_dirat (dir_fd=, path=) at scanelf.c:1713\r\n#14 0x000000000051922f in scanelf_dir (path=) at scanelf.c:1763\r\n#15 parseargs (argc=5, argv=0x7fffffffe258) at scanelf.c:2273\r\n#16 main (argc=5, argv=) at scanelf.c:2361\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.2.1<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/gentoo\/pax-utils\/commit\/95e5489534ac9e9324c5096286899b688e19ae00\">https:\/\/github.com\/gentoo\/pax-utils\/commit\/95e5489534ac9e9324c5096286899b688e19ae00<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00131-pax-utils-scanelf-oobread-scanelf_file_get_symtabs\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00131-pax-utils-scanelf-oobread-scanelf_file_get_symtabs<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-23: bug discovered and reported to upstream<br \/>\n2017-01-24: upstream realeased a patch and 1.2.1<br \/>\n2017-02-01: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nI&#8217;d suggest to go to 1.2.2 because of a functionality bug(s) in 1.2.1<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately. Unfortunately I can&#8217;t get a symbolized ASan &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,3,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-iU","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1172"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1172"}],"version-history":[{"count":4,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1172\/revisions"}],"predecessor-version":[{"id":1211,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1172\/revisions\/1211"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}