{"id":1388,"date":"2017-02-25T13:14:55","date_gmt":"2017-02-25T11:14:55","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1388"},"modified":"2017-02-25T13:14:55","modified_gmt":"2017-02-25T11:14:55","slug":"pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/25\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2\/","title":{"rendered":"pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/gitweb.gentoo.org\/proj\/pax-utils.git\">pax-utils<\/a> is a set of tools that check files for security relevant properties.<\/p>\n<p>A fuzz on scanelf exposed that the out-of bound read already reported <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/01\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c\">here<\/a> was unfixed.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># scanelf -s '*' -axetrnibSDIYZB $FILE\r\n==1093==ERROR: AddressSanitizer: unknown-crash on address 0x7f4ddab2c3a0 at pc 0x000000524a77 bp 0x7fffcd2bc320 sp 0x7fffcd2bc318\r\nREAD of size 4 at 0x7f4ddab2c3a0 thread T0\r\n    #0 0x524a76 in scanelf_file_get_symtabs \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:357:3\r\n    #1 0x514af2 in scanelf_file_sym \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1282:2\r\n    #2 0x514af2 in scanelf_elfobj \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1502\r\n    #3 0x5137f8 in scanelf_elf \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1567:8\r\n    #4 0x5137f8 in scanelf_fileat \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1634\r\n    #5 0x512d9b in scanelf_dirat \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1668:10\r\n    #6 0x511d9d in scanelf_dir \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:1718:9\r\n    #7 0x511d9d in parseargs \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:2228\r\n    #8 0x511d9d in main \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:2316\r\n    #9 0x7f4dd9b4e61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #10 0x419b28 in getenv (\/usr\/bin\/scanelf+0x419b28)\r\n\r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\nSUMMARY: AddressSanitizer: unknown-crash \/tmp\/portage\/app-misc\/pax-utils-1.2.2\/work\/pax-utils-1.2.2\/scanelf.c:357:3 in scanelf_file_get_symtabs\r\nShadow bytes around the buggy address:\r\n  0x0fea3b55d820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n=&gt;0x0fea3b55d870: fe fe fe fe[fe]fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d8a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d8b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\n  0x0fea3b55d8c0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==1093==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.2.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.2.3 (not released atm)<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/gentoo\/pax-utils\/commit\/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d\">https:\/\/github.com\/gentoo\/pax-utils\/commit\/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d<\/a><br \/>\n<a href=\"https:\/\/github.com\/gentoo\/pax-utils\/commit\/858939ea6ad63f1acb4ec74bba705c197a67d559\">https:\/\/github.com\/gentoo\/pax-utils\/commit\/858939ea6ad63f1acb4ec74bba705c197a67d559<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00169-pax-utils-scanelf-oobread1\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00169-pax-utils-scanelf-oobread1<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-02-09: bug discovered and reported to upstream<br \/>\n2017-02-11: upstream realeased a patch<br \/>\n2017-02-25: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/25\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on scanelf exposed that the out-of bound read already reported here was unfixed. The complete ASan output: # scanelf -s &#8216;*&#8217; -axetrnibSDIYZB $FILE ==1093==ERROR: &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/25\/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-mo","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1388"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1388"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1388\/revisions"}],"predecessor-version":[{"id":1389,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1388\/revisions\/1389"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}