{"id":1173,"date":"2017-02-01T11:14:49","date_gmt":"2017-02-01T09:14:49","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1173"},"modified":"2017-02-01T11:14:49","modified_gmt":"2017-02-01T09:14:49","slug":"pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_textrel-scanelf-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_textrel-scanelf-c\/","title":{"rendered":"pax-utils: scanelf: out of bounds read in scanelf_file_textrel (scanelf.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/gitweb.gentoo.org\/proj\/pax-utils.git\">pax-utils<\/a> is a set of tools that check files for security relevant properties.<\/p>\n<p>A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately.<br \/>\nUnfortunately I can&#8217;t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb.<\/p>\n<pre><font size=\"2\"># scanelf -s '*' -axetrnibSDIYZB $FILE\r\n==1853==ERROR: AddressSanitizer: unknown-crash on address 0x7f4099d25008 at pc 0x00000053586e bp 0x7fff335cb8b0 sp 0x7fff335cb8a8\r\nREAD of size 8 at 0x7f4099d25008 thread T0\r\n    #0 0x53586d  (\/usr\/bin\/scanelf+0x53586d)\r\n    #1 0x51f526  (\/usr\/bin\/scanelf+0x51f526)\r\n    #2 0x51b97e  (\/usr\/bin\/scanelf+0x51b97e)\r\n    #3 0x51ad43  (\/usr\/bin\/scanelf+0x51ad43)\r\n    #4 0x51922e  (\/usr\/bin\/scanelf+0x51922e)\r\n    #5 0x7f4098afd61f  (\/lib64\/libc.so.6+0x2061f)\r\n    #6 0x41a008  (\/usr\/bin\/scanelf+0x41a008) \r\n\r\n(gdb) bt\r\n#8  0x000000000053586e in scanelf_file_textrel (elf=, found_textrel=) at scanelf.c:560\r\n#9  0x000000000051f527 in scanelf_elfobj (elf=) at scanelf.c:1536\r\n#10 0x000000000051b97f in scanelf_elf (filename=0x7fffffffe50e \"\/tmp\/afl\/scanelf\/report\/crashes\/2.crashes\", fd=, len=) at scanelf.c:1612\r\n#11 scanelf_fileat (dir_fd=, filename=, st_cache=) at scanelf.c:1679\r\n#12 0x000000000051ad44 in scanelf_dirat (dir_fd=, path=) at scanelf.c:1713\r\n#13 0x000000000051922f in scanelf_dir (path=) at scanelf.c:1763\r\n#14 parseargs (argc=5, argv=0x7fffffffe258) at scanelf.c:2273\r\n#15 main (argc=5, argv=) at scanelf.c:2361\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.2.1<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/gentoo\/pax-utils\/commit\/95e5489534ac9e9324c5096286899b688e19ae00\">https:\/\/github.com\/gentoo\/pax-utils\/commit\/95e5489534ac9e9324c5096286899b688e19ae00<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00132-pax-utils-scanelf-oobread-scanelf_file_textrel\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00132-pax-utils-scanelf-oobread-scanelf_file_textrel<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-23: bug discovered and reported to upstream<br \/>\n2017-01-24: upstream realeased a patch and 1.2.1<br \/>\n2017-02-01: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nI&#8217;d suggest to go to 1.2.2 because of a functionality bug(s) in 1.2.1<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_textrel-scanelf-c<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately. Unfortunately I can&#8217;t get a symbolized ASan &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_textrel-scanelf-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,3,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-iV","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1173"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1173"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1173\/revisions"}],"predecessor-version":[{"id":1210,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1173\/revisions\/1210"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}