{"id":1587,"date":"2017-04-03T17:27:29","date_gmt":"2017-04-03T15:27:29","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1587"},"modified":"2017-04-10T09:29:33","modified_gmt":"2017-04-10T07:29:33","slug":"elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/03\/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c\/","title":{"rendered":"elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/sourceware.org\/elfutils\/\">elfutils<\/a> is a set of libraries and utilities for handling ELF objects (a drop-in replacement for libelf).<\/p>\n<p>Fuzzing eu-readelf with a crafted file produced a memory allocation failure: eu-readelf asks libelf to decompress a compressed section, the decompressor trusts the output size declared in the compression header at the start of that section, and here that size is 0x280065041580 bytes (about 40 TiB), which malloc cannot satisfy. Feedback from upstream follows:<\/p>\n<blockquote><p>That is slightly tricky. We do have to trust the input data to give us the expected output size. We won&#8217;t know whether that was correct until we have decompressed the input. We do actually double check the given output size was correct at the end of the decompression. 
But we could catch some really bogus sizes before trying to allocate a giant amount of memory and decompressing stuff for nothing (like in this case).<\/p><\/blockquote>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># eu-readelf -a $FILE\r\n==1927==WARNING: AddressSanitizer failed to allocate 0x280065041580 bytes\r\n==1927==AddressSanitizer's allocator is terminating the process instead of returning 0\r\n==1927==If you don't like this behavior set allocator_may_return_null=1\r\n==1927==AddressSanitizer CHECK failed: \/tmp\/portage\/sys-devel\/gcc-6.3.0\/work\/gcc-6.3.0\/libsanitizer\/sanitizer_common\/sanitizer_allocator.cc:145 \"((0)) != (0)\" (0x0, 0x0)\r\n    #0 0x7f85fc3a741d  (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libasan.so.3+0xcb41d)\r\n    #1 0x7f85fc3ad063 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libasan.so.3+0xd1063)\r\n    #2 0x7f85fc3ab226  (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libasan.so.3+0xcf226)\r\n    #3 0x7f85fc3016a4  (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libasan.so.3+0x256a4)\r\n    #4 0x7f85fc39e265 in malloc (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libasan.so.3+0xc2265)\r\n    #5 0x7f85fb88dd1e in __libelf_decompress \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/libelf\/elf_compress.c:214\r\n    #6 0x7f85fb88e359 in __libelf_decompress_elf \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/libelf\/elf_compress.c:288\r\n    #7 0x7f85fb89132e in elf_compress \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/libelf\/elf_compress.c:479\r\n    #8 0x41f933 in handle_hash \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/src\/readelf.c:3327\r\n    #9 0x4680f7 in process_elf_file \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/src\/readelf.c:898\r\n    #10 0x47ae65 in process_dwflmod 
\/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/src\/readelf.c:690\r\n    #11 0x7f85fbe3a094 in dwfl_getmodules \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/libdwfl\/dwfl_getmodules.c:82\r\n    #12 0x4365f2 in process_file \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/src\/readelf.c:789\r\n    #13 0x405e50 in main \/tmp\/portage\/dev-libs\/elfutils-0.168\/work\/elfutils-0.168\/src\/readelf.c:305\r\n    #14 0x7f85fa45878f in __libc_start_main (\/lib64\/libc.so.6+0x2078f)\r\n    #15 0x406cd8 in _start (\/usr\/bin\/eu-readelf+0x406cd8)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.168<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n0.169 (not yet released at the time of writing)<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/sourceware.org\/ml\/elfutils-devel\/2017-q1\/msg00114.html\">https:\/\/sourceware.org\/ml\/elfutils-devel\/2017-q1\/msg00114.html<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-7609<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00227-elfutils-memallocfailure\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00227-elfutils-memallocfailure<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-03-24: bug discovered and reported to upstream<br \/>\n2017-04-04: blog post about the issue<br \/>\n2017-04-09: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: elfutils is a set of libraries and utilities for handling ELF objects (a drop-in replacement for libelf). Fuzzing eu-readelf with a crafted file produced a memory allocation failure: the decompressor trusts the output size declared in the compressed section &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/03\/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-pB","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1587"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1587"}],"version-history":[{"count":2,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1587\/revisions"}],"predecessor-version":[{"id":1620,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1587\/revisions\/1620"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
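The upstream reply quoted in the post makes the key point: a decompressor has to take the output size from the input, so the only defence available before allocating is a plausibility bound on that size. The following is an added example for this page, not code from the post or from elfutils. It parses the 64-bit compression header that starts an SHF_COMPRESSED section (the same layout as Elf64_Chdr, spelled out here without elf.h) and refuses to hand the claimed size to malloc when it exceeds zlib's documented worst-case expansion of about 1032 output bytes per input byte. The helper names, the choice of the 1032:1 bound as the check, and the two constructed sections (one carrying the 0x280065041580 size from the ASan output above) are this example's own assumptions.

```c
/* Added example (not elfutils code): reject an SHF_COMPRESSED section whose
   declared output size cannot possibly come from its compressed payload,
   before any memory is allocated for it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ELFCOMPRESS_ZLIB 1u

/* Same layout as the ELF spec's Elf64_Chdr: it precedes the deflate stream
   inside an SHF_COMPRESSED section, and every field is attacker controlled. */
struct chdr64 {
    uint32_t ch_type;
    uint32_t ch_reserved;
    uint64_t ch_size;       /* claimed uncompressed size */
    uint64_t ch_addralign;
};

/* zlib's documented worst case is about 1032 output bytes per input byte
   (zlib.net/zlib_tech.html); a header claiming more is bogus by construction.
   Using it as the bound is this example's choice. */
#define ZLIB_MAX_RATIO 1032u

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd64le(const unsigned char *p)
{
    return (uint64_t)rd32le(p) | (uint64_t)rd32le(p + 4) << 32;
}

/* Returns 1 when size_out is a plausible inflate result for size_in input bytes. */
int plausible_output_size(uint64_t size_in, uint64_t size_out)
{
    if (size_out == 0)
        return 0;                 /* nothing to decompress into */
#if SIZE_MAX < UINT64_MAX
    if (size_out > SIZE_MAX)
        return 0;                 /* cannot even be expressed to malloc on this host */
#endif
    if (size_out / ZLIB_MAX_RATIO > size_in)
        return 0;                 /* impossible compression ratio */
    return 1;
}

/* Parse the little-endian Chdr at the start of a section; 0 on success. */
int parse_chdr64_le(const unsigned char *sec, size_t sec_len, struct chdr64 *h)
{
    if (sec_len < sizeof(struct chdr64))
        return -1;
    h->ch_type      = rd32le(sec);
    h->ch_reserved  = rd32le(sec + 4);
    h->ch_size      = rd64le(sec + 8);
    h->ch_addralign = rd64le(sec + 16);
    return 0;
}

/* Size to allocate for decompressing `sec`, or 0 if the header is rejected.
   A caller allocates only after this returns non-zero. */
uint64_t checked_alloc_size(const unsigned char *sec, size_t sec_len)
{
    struct chdr64 h;
    if (parse_chdr64_le(sec, sec_len, &h) != 0 || h.ch_type != ELFCOMPRESS_ZLIB)
        return 0;
    uint64_t size_in = sec_len - sizeof(struct chdr64);  /* compressed payload bytes */
    return plausible_output_size(size_in, h.ch_size) ? h.ch_size : 0;
}

/* Constructed inputs (not real files): a 24-byte header plus 8 payload bytes. */
const unsigned char BOGUS_SECTION[32] = {
    0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* ch_type=ZLIB, ch_reserved */
    0x80,0x15,0x04,0x65,0x00,0x28,0x00,0x00,   /* ch_size=0x280065041580, as in the ASan log */
    0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,   /* ch_addralign=1 */
    0x78,0x9c,0x63,0x60,0x00,0x00,0x00,0x01,   /* 8 bytes standing in for the deflate stream */
};
const unsigned char SANE_SECTION[32] = {
    0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,   /* ch_size=4096: 8 bytes -> 4 KiB is within 1032:1 */
    0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x78,0x9c,0x63,0x60,0x00,0x00,0x00,0x01,
};

int main(void)
{
    printf("bogus section: allocate %llu bytes\n",
           (unsigned long long)checked_alloc_size(BOGUS_SECTION, sizeof BOGUS_SECTION));
    printf("sane section:  allocate %llu bytes\n",
           (unsigned long long)checked_alloc_size(SANE_SECTION, sizeof SANE_SECTION));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The check costs one division and rejects the fuzzer's header before malloc is ever called, while a section with a believable size still goes on to decompression, where the end-of-stream size comparison the upstream reply mentions catches anything the ratio bound let through.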