{"id":659,"date":"2016-10-06T09:43:48","date_gmt":"2016-10-06T07:43:48","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=659"},"modified":"2016-12-01T15:55:13","modified_gmt":"2016-12-01T13:55:13","slug":"libdwarf-heap-based-buffer-overflow-in-_dwarf_get_size_of_val-dwarf_util-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/06\/libdwarf-heap-based-buffer-overflow-in-_dwarf_get_size_of_val-dwarf_util-c\/","title":{"rendered":"libdwarf: heap-based buffer overflow in _dwarf_get_size_of_val (dwarf_util.c)"},"content":{"rendered":"

Description<\/strong>:
\nlibdwarf<\/a> is a library to consume and produce DWARF debug information.<\/p>\n

A fuzzing revealed an out bounds read,<\/p>\n

The complete ASan output:<\/p>\n

# dwarfdump $FILE\r\n==22886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000de1c at pc 0x000000462c7c bp 0x7ffe80a3d230 sp 0x7ffe80a3c9e0\r\nREAD of size 1 at 0x61300000de1c thread T0\r\n    #0 0x462c7b in __interceptor_strlen \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:581\r\n    #1 0x60489f in _dwarf_get_size_of_val \/tmp\/dwarf-20161001\/libdwarf\/dwarf_util.c:267:21\r\n    #2 0x5f2834 in dwarf_attrlist \/tmp\/dwarf-20161001\/libdwarf\/dwarf_query.c:389:27\r\n    #3 0x519ed5 in print_one_die \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:1409:13\r\n    #4 0x51710c in print_die_and_children_internal \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:1047:36\r\n    #5 0x517c6b in print_die_and_children_internal \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:1142:13\r\n    #6 0x5147cc in print_die_and_children \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:921:5\r\n    #7 0x5147cc in print_one_die_section \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:831\r\n    #8 0x512262 in print_infos \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:371:16\r\n    #9 0x4faaea in process_one_file \/tmp\/dwarf-20161001\/dwarfdump\/dwarfdump.c:1371:9\r\n    #10 0x4faaea in main \/tmp\/dwarf-20161001\/dwarfdump\/dwarfdump.c:654\r\n    #11 0x7f7cd096261f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #12 0x419588 in _start (\/usr\/bin\/dwarfdump-asan+0x419588)\r\n\r\n0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c)\r\nallocated by thread T0 here:\r\n    #0 0x4c0ad8 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:52\r\n    #1 0x7f7cd1a3c206 in __libelf_set_rawdata_wrlock \/tmp\/portage\/dev-libs\/elfutils-0.166\/work\/elfutils-0.166\/libelf\/elf_getdata.c:318\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:581 in __interceptor_strlen\r\nShadow bytes around the buggy address:\r\n  0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa\r\n  0x0c267fff9b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n  0x0c267fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c267fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c267fff9bc0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa\r\n  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==22886==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n20161001 and past<\/p>\n
Fixed version:<\/strong>
\n20161124<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/sourceforge.net\/p\/libdwarf\/code\/ci\/2d14a7792889e33bc542c28d0f3792964c46214f\/#diff-13<\/a> and then https:\/\/sourceforge.net\/p\/libdwarf\/code\/ci\/efe48cad0693d6994d9a7b561e1c3833b073a624\/#diff-2<\/a> (because of a mistake)<\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8679<\/p>\n
Timeline:<\/strong>
\n2016-10-04: bug discovered
\n2016-10-04: bug reported privately to upstream
\n2016-10-04: upstream realeased a patch
\n2016-10-06: blog post about the issue
\n2016-10-16: CVE Assigned
\n2016-11-24: upstream released 20161124<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libdwarf: heap-based buffer overflow in _dwarf_get_size_of_val (dwarf_util.c)<\/a><\/p><\/blockquote>\n