Discussion:
[Bug libdw/23752] New: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
wcventure at 126 dot com
2018-10-10 04:01:18 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Bug ID: 23752
Summary: Invalid Address Read problem in
dwfl_segment_report_module.c when executing ./eu-stack
--core=$POC
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libdw
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 11306
--> https://sourceware.org/bugzilla/attachment.cgi?id=11306&action=edit
POC-stack

Hi there,

Our fuzzer caught Invalid Address Read problem in eu-stack of the latest
elfutils-0.174 code base, this inputs will cause the segment faults and I have
confirmed them with address sanitizer too. Please use the "./eu-stack
--core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you
have any questions, please let me know.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc
0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
#0 0x7f6afa17a7db in consider_notes
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
#1 0x7f6afa17accc in consider_phdr
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
#2 0x7f6afa176fa2 in dwfl_segment_report_module
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
#3 0x7f6afa185ce0 in dwfl_core_file_report
/elfutils-0.174/libdwfl/core-file.c:541
#4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
#5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
#6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
#7 0x7f6af997082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-14 13:14:47 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2018-10-14
CC| |mark at klomp dot org
Ever confirmed|0 |1

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:

==13295== Invalid read of size 4
==13295== at 0x50825BD: consider_notes (dwfl_segment_report_module.c:486)
==13295== by 0x50825BD: consider_phdr (dwfl_segment_report_module.c:529)
==13295== by 0x50825BD: dwfl_segment_report_module
(dwfl_segment_report_module.c:590)
==13295== by 0x5086149: dwfl_core_file_report@@ELFUTILS_0.158
(core-file.c:541)
==13295== by 0x4026AB: parse_opt (stack.c:590)
==13295== by 0x58B4EB3: group_parse (argp-parse.c:256)
==13295== by 0x58B4EB3: parser_finalize (argp-parse.c:603)
==13295== by 0x58B4EB3: argp_parse (argp-parse.c:921)
==13295== by 0x401C89: main (stack.c:690)
==13295== Address 0x40b4114 is not stack'd, malloc'd or (recently) free'd
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-14 14:49:21 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-14 15:03:42 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
*** Bug 23753 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are on the CC list for the bug.
wcventure at 126 dot com
2018-10-14 16:22:55 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #4 from wcventure <wcventure at 126 dot com> ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-19 22:26:53 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED

--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
commit 20f9de9b5f704cec55df92406a50bcbcfca96acd
Author: Mark Wielaard <***@klomp.org>
Date: Sun Oct 14 16:45:48 2018 +0200

libdwfl: Sanity check partial core file data reads.

There were two issues when reading note data from a core file.
We didn't check if the data we already had in a buffer was big
enough. And if we did get the data, we should check if we got
everything, or just a part of the data.

https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Signed-off-by: Mark Wielaard <***@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-11-14 11:53:30 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #6 from Mark Wielaard <mark at klomp dot org> ---
For reference this was assigned CVE-2018-18310.
--
You are receiving this mail because:
You are on the CC list for the bug.
Loading...