oss-sec mailing list archives
libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 08 Oct 2016 22:16:25 +0200
Description: libdwarf is a library to consume and produce DWARF debug information. A fuzzing revealed an out bounds read, The complete ASan output: # dwarfdump $FILE ==30323==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000005a00 at pc 0x000000606e87 bp 0x7ffe35e5e5b0 sp 0x7ffe35e5e5a8 READ of size 1 at 0x611000005a00 thread T0 #0 0x606e86 in _dwarf_get_abbrev_for_code /tmp/dwarf-20161001/libdwarf/dwarf_util.c:624:43 #1 0x576086 in dwarf_siblingof_b /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:1628:12 #2 0x517e73 in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1163:17 #3 0x517c6b in print_die_and_children_internal /tmp/dwarf-20161001/dwarfdump/print_die.c:1142:13 #4 0x5147cc in print_die_and_children /tmp/dwarf-20161001/dwarfdump/print_die.c:921:5 #5 0x5147cc in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:831 #6 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16 #7 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9 #8 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654 #9 0x7f5912c2361f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #10 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588) 0x611000005a00 is located 0 bytes to the right of 256-byte region [0x611000005900,0x611000005a00) allocated by thread T0 here: #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1- r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52 #1 0x7f5913cfd206 in __libelf_set_rawdata_wrlock /tmp/portage/dev- libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dwarf-20161001/libdwarf/dwarf_util.c:624:43 in _dwarf_get_abbrev_for_code Shadow bytes around the buggy address: 0x0c227fff8af0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fff8b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff8b10: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff8b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff8b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c227fff8b40:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fff8b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff8b60: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff8b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff8b80: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa 0x0c227fff8b90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==30323==ABORTING Affected version: 20161001 and past Fixed version: N/A Commit fix: https://sourceforge.net/p/libdwarf/code/ci/268c1f18d1d28612af3b72d7c670076b1b88e51c/tree/libdwarf/dwarf_util.c?diff=0b28b923c3bd9827d1d904feed2abadde4fa5de2 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. Timeline: 2016-10-03: bug discovered 2016-10-03: bug reported privately to upstream 2016-10-03: upstream realeased a patch 2016-10-04: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2016/10/04/libdwarf-heap-based-buffer-overflow-in-_dwarf_get_abbrev_for_code-dwarf_util-c/
Current thread:
- libdwarf: heap-based buffer overflow in _dwarf_get_abbrev_for_code (dwarf_util.c) Agostino Sarubbo (Oct 08)