{"id":2348,"date":"2017-10-24T10:09:59","date_gmt":"2017-10-24T08:09:59","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2348"},"modified":"2017-10-27T22:24:07","modified_gmt":"2017-10-27T20:24:07","slug":"binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/10\/24\/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023\/","title":{"rendered":"binutils: NULL pointer dereference in concat_filename (dwarf2.c) (INCOMPLETE FIX FOR CVE-2017-15023)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/sourceware.org\/binutils\/\">binutils<\/a> is a set of tools necessary to build programs.<\/p>\n<p>The commit fix for this issue says:<\/p>\n<blockquote><p>The PR22200 fuzzer testcase found one way to put NULLs into .debug_line file tables.  PR22205 finds another.<br \/>\nSo mitre considers this an incomplete fix.<\/p><\/blockquote>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE\r\n==19042==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006a76a6 bp 0x7ffde0afde30 sp 0x7ffde0afde00 T0)\r\n==19042==The signal is caused by a READ memory access.\r\n==19042==Hint: address points to the zero page.\r\n    #0 0x6a76a5 in concat_filename \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:1601:8\r\n    #1 0x696ff3 in decode_line_info \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:2265:44\r\n    #2 0x6a2d36 in comp_unit_maybe_decode_line_info \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:3651:26\r\n    #3 0x6a2d36 in comp_unit_find_line \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:3686\r\n    #4 0x6a0369 in _bfd_dwarf2_find_nearest_line \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:4798:11\r\n    #5 0x5f332e in _bfd_elf_find_line \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elf.c:8695:10\r\n    #6 0x5176a3 in print_symbol \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1003:9\r\n    #7 0x514e4d in print_symbols \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1084:7\r\n    #8 0x514e4d in display_rel_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1200\r\n    #9 0x510976 in display_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1318:7\r\n    #10 0x50f4ce in main \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1792:12\r\n    #11 0x7f6c6d793680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #12 0x41a638 in chmod (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/git\/nm+0x41a638)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:1601:8 in concat_filename\r\n==19042==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n2.29.51.20170925 and maybe past releases<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9\">https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-15939<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00380-binutils-NULLptr-concat_filename\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00380-binutils-NULLptr-concat_filename<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-09-25: bug discovered and reported to upstream<br \/>\n2017-09-26: upstream released a patch<br \/>\n2017-10-24: blog post about the issue<br \/>\n2017-10-27: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"E9dHLtfcmF\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/10\/24\/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023\/\">binutils: NULL pointer dereference in concat_filename (dwarf2.c) (INCOMPLETE FIX FOR CVE-2017-15023)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/10\/24\/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023\/embed\/#?secret=E9dHLtfcmF\" data-secret=\"E9dHLtfcmF\" width=\"600\" height=\"338\" title=\"&#8220;binutils: NULL pointer dereference in concat_filename (dwarf2.c) (INCOMPLETE FIX FOR CVE-2017-15023)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: binutils is a set of tools necessary to build programs. The commit fix for this issue says: The PR22200 fuzzer testcase found one way to put NULLs into .debug_line file tables. PR22205 finds another. So mitre considers this an &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/10\/24\/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-BS","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2348"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2348"}],"version-history":[{"count":4,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2348\/revisions"}],"predecessor-version":[{"id":2364,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2348\/revisions\/2364"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}