{"id":793,"date":"2016-11-04T17:04:09","date_gmt":"2016-11-04T15:04:09","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=793"},"modified":"2017-03-22T12:13:16","modified_gmt":"2017-03-22T10:13:16","slug":"elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c\/","title":{"rendered":"elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/fedorahosted.org\/elfutils\/\">elfutils<\/a> is a set of libraries and utilities for handling ELF objects (a drop-in replacement for libelf).<\/p>\n<p>While fuzzing libdwarf, I noticed a memory allocation failure that involves elfutils.<br \/>\nTo double-check, the bug was first reported to the libdwarf maintainer and then to the elfutils maintainer. 
Actually there is a proposed patch on the elfutils mailing list, but nobody commented.<br \/>\nEDIT: The patch has been committed, see below.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># dwarfdump $FILE\r\n==30083==ERROR: AddressSanitizer failed to allocate 0x8000003000 (549755826176) bytes of LargeMmapAllocator (error code: 12)\r\n==30083==Process memory map follows:\r\n\t0x000000400000-0x0000006bb000\t\/usr\/bin\/dwarfdump-asan\r\n\t0x0000008ba000-0x0000008c2000\t\/usr\/bin\/dwarfdump-asan\r\n\t0x0000008c2000-0x0000008ff000\t\/usr\/bin\/dwarfdump-asan\r\n\t0x0000008ff000-0x0000015a3000\t\r\n\t0x00007fff7000-0x00008fff7000\t\r\n\t0x00008fff7000-0x02008fff7000\t\r\n\t0x02008fff7000-0x10007fff8000\t\r\n\t0x600000000000-0x602000000000\t\r\n\t0x602000000000-0x602000010000\t\r\n\t0x602000010000-0x603000000000\t\r\n\t0x603000000000-0x603000010000\t\r\n\t0x603000010000-0x604000000000\t\r\n\t0x604000000000-0x604000010000\t\r\n\t0x604000010000-0x607000000000\t\r\n\t0x607000000000-0x607000010000\t\r\n\t0x607000010000-0x611000000000\t\r\n\t0x611000000000-0x611000010000\t\r\n\t0x611000010000-0x612000000000\t\r\n\t0x612000000000-0x612000010000\t\r\n\t0x612000010000-0x613000000000\t\r\n\t0x613000000000-0x613000010000\t\r\n\t0x613000010000-0x614000000000\t\r\n\t0x614000000000-0x614000020000\t\r\n\t0x614000020000-0x619000000000\t\r\n\t0x619000000000-0x619000020000\t\r\n\t0x619000020000-0x61c000000000\t\r\n\t0x61c000000000-0x61c000020000\t\r\n\t0x61c000020000-0x61d000000000\t\r\n\t0x61d000000000-0x61d000020000\t\r\n\t0x61d000020000-0x624000000000\t\r\n\t0x624000000000-0x624000020000\t\r\n\t0x624000020000-0x625000000000\t\r\n\t0x625000000000-0x625000020000\t\r\n\t0x625000020000-0x640000000000\t\r\n\t0x640000000000-0x640000003000\t\r\n\t0x7f0afdc00000-0x7f0afdd00000\t\r\n\t0x7f0afde00000-0x7f0afdf00000\t\r\n\t0x7f0afdff0000-0x7f0b00342000\t\r\n\t0x7f0b00342000-0x7f0b004d5000\t\/lib64\/libc-2.22.so\r\n\t0x7f0b004d5000-0x7f0b006d5000\t\/lib64\/libc-2.22.so\r\n\t0x7f
0b006d5000-0x7f0b006d9000\t\/lib64\/libc-2.22.so\r\n\t0x7f0b006d9000-0x7f0b006db000\t\/lib64\/libc-2.22.so\r\n\t0x7f0b006db000-0x7f0b006df000\t\r\n\t0x7f0b006df000-0x7f0b006f5000\t\/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n\t0x7f0b006f5000-0x7f0b008f4000\t\/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n\t0x7f0b008f4000-0x7f0b008f5000\t\/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n\t0x7f0b008f5000-0x7f0b008f6000\t\/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n\t0x7f0b008f6000-0x7f0b008f8000\t\/lib64\/libdl-2.22.so\r\n\t0x7f0b008f8000-0x7f0b00af8000\t\/lib64\/libdl-2.22.so\r\n\t0x7f0b00af8000-0x7f0b00af9000\t\/lib64\/libdl-2.22.so\r\n\t0x7f0b00af9000-0x7f0b00afa000\t\/lib64\/libdl-2.22.so\r\n\t0x7f0b00afa000-0x7f0b00bf7000\t\/lib64\/libm-2.22.so\r\n\t0x7f0b00bf7000-0x7f0b00df6000\t\/lib64\/libm-2.22.so\r\n\t0x7f0b00df6000-0x7f0b00df7000\t\/lib64\/libm-2.22.so\r\n\t0x7f0b00df7000-0x7f0b00df8000\t\/lib64\/libm-2.22.so\r\n\t0x7f0b00df8000-0x7f0b00dfe000\t\/lib64\/librt-2.22.so\r\n\t0x7f0b00dfe000-0x7f0b00ffe000\t\/lib64\/librt-2.22.so\r\n\t0x7f0b00ffe000-0x7f0b00fff000\t\/lib64\/librt-2.22.so\r\n\t0x7f0b00fff000-0x7f0b01000000\t\/lib64\/librt-2.22.so\r\n\t0x7f0b01000000-0x7f0b01017000\t\/lib64\/libpthread-2.22.so\r\n\t0x7f0b01017000-0x7f0b01216000\t\/lib64\/libpthread-2.22.so\r\n\t0x7f0b01216000-0x7f0b01217000\t\/lib64\/libpthread-2.22.so\r\n\t0x7f0b01217000-0x7f0b01218000\t\/lib64\/libpthread-2.22.so\r\n\t0x7f0b01218000-0x7f0b0121c000\t\r\n\t0x7f0b0121c000-0x7f0b01231000\t\/lib64\/libz.so.1.2.8\r\n\t0x7f0b01231000-0x7f0b01430000\t\/lib64\/libz.so.1.2.8\r\n\t0x7f0b01430000-0x7f0b01431000\t\/lib64\/libz.so.1.2.8\r\n\t0x7f0b01431000-0x7f0b01432000\t\/lib64\/libz.so.1.2.8\r\n\t0x7f0b01432000-0x7f0b01449000\t\/usr\/lib64\/libelf-0.166.so\r\n\t0x7f0b01449000-0x7f0b01649000\t\/usr\/lib64\/libelf-0.166.so\r\n\t0x7f0b01649000-0x7f0b0164a000\t\/usr\/lib64\/libelf-0.166.so\r\n\t0x7f0b0164a000-0x7f0b0164b000\t\
/usr\/lib64\/libelf-0.166.so\r\n\t0x7f0b0164b000-0x7f0b0166d000\t\/lib64\/ld-2.22.so\r\n\t0x7f0b017f7000-0x7f0b01860000\t\r\n\t0x7f0b01860000-0x7f0b0186c000\t\r\n\t0x7f0b0186c000-0x7f0b0186d000\t\/lib64\/ld-2.22.so\r\n\t0x7f0b0186d000-0x7f0b0186e000\t\/lib64\/ld-2.22.so\r\n\t0x7f0b0186e000-0x7f0b0186f000\t\r\n\t0x7ffff2f19000-0x7ffff2f3a000\t[stack]\r\n\t0x7ffff2f3d000-0x7ffff2f3f000\t[vvar]\r\n\t0x7ffff2f3f000-0x7ffff2f41000\t[vdso]\r\n\t0xffffffffff600000-0xffffffffff601000\t[vsyscall]\r\n==30083==End of process memory map.\r\n==30083==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183 \"((0 &amp;&amp; \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67\r\n    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159\r\n    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183\r\n    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_posix.cc:122\r\n    #4 0x4224df in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) 
\/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1033\r\n    #5 0x4224df in __sanitizer::CombinedAllocator&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt;, __sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;, __sanitizer::LargeMmapAllocator &gt;::Allocate(__sanitizer::SizeClassAllocatorLocalCache&lt;__sanitizer::SizeClassAllocator64&lt;105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback&gt; &gt;*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1302\r\n    #6 0x4224df in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:368\r\n    #7 0x4224df in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718\r\n    #8 0x4c0ab1 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53\r\n    #9 0x7f0b0143c206 in __libelf_set_rawdata_wrlock \/tmp\/portage\/dev-libs\/elfutils-0.166\/work\/elfutils-0.166\/libelf\/elf_getdata.c:318\r\n    #10 0x7f0b0143c5db in __elf_getdata_rdlock \/tmp\/portage\/dev-libs\/elfutils-0.166\/work\/elfutils-0.166\/libelf\/elf_getdata.c:521\r\n    #11 0x580659 in dwarf_elf_object_access_load_section 
\/tmp\/dwarf-20161001\/libdwarf\/dwarf_elf_access.c:1312:16\r\n    #12 0x5b5142 in _dwarf_load_section \/tmp\/dwarf-20161001\/libdwarf\/dwarf_init_finish.c:1139:11\r\n    #13 0x6082ae in _dwarf_load_debug_info \/tmp\/dwarf-20161001\/libdwarf\/dwarf_util.c:855:11\r\n    #14 0x57043f in _dwarf_next_cu_header_internal \/tmp\/dwarf-20161001\/libdwarf\/dwarf_die_deliv.c:819:32\r\n    #15 0x572fcd in dwarf_next_cu_header_d \/tmp\/dwarf-20161001\/libdwarf\/dwarf_die_deliv.c:629:15\r\n    #16 0x512f4f in print_one_die_section \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:660:16\r\n    #17 0x512262 in print_infos \/tmp\/dwarf-20161001\/dwarfdump\/print_die.c:371:16\r\n    #18 0x4faaea in process_one_file \/tmp\/dwarf-20161001\/dwarfdump\/dwarfdump.c:1371:9\r\n    #19 0x4faaea in main \/tmp\/dwarf-20161001\/dwarfdump\/dwarfdump.c:654\r\n    #20 0x7f0b0036261f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #21 0x419588 in _start (\/usr\/bin\/dwarfdump-asan+0x419588)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.166<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n0.168<\/p>\n<p><strong>Proposed patch:<\/strong><br \/>\n<a href=\"https:\/\/lists.fedorahosted.org\/archives\/list\/elfutils-devel@lists.fedorahosted.org\/thread\/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ\/\">https:\/\/lists.fedorahosted.org\/archives\/list\/elfutils-devel@lists.fedorahosted.org\/thread\/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ\/<\/a><\/p>\n<p><strong>Commit Fix:<\/strong><br \/>\n<a href=\"https:\/\/git.fedorahosted.org\/cgit\/elfutils.git\/commit\/?id=09ec02ec7f7e6913d10943148e2a898264345b07\">https:\/\/git.fedorahosted.org\/cgit\/elfutils.git\/commit\/?id=09ec02ec7f7e6913d10943148e2a898264345b07<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-10255<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a 
href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-10-03: bug discovered<br \/>\n2016-10-21: bug reported to upstream<br \/>\n2016-11-04: blog post about the issue<br \/>\n2016-11-10: upstream committed the proposed patch<br \/>\n2016-12-27: upstream released 0.168<br \/>\n2017-03-22: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c\/\">elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: elfutils is a set of libraries\/utilities to handle ELF objects (drop in replacement for libelf). During the fuzz of libdwarf, I noticed a memory allocation failure which involves elfutils. 
To have a double-check, the bug was first reported to &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/04\/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-cN","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/793"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=793"}],"version-history":[{"count":9,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/793\/revisions"}],"predecessor-version":[{"id":1504,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/793\/revisions\/1504"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}