Discussion:
[Bug general/23786] New: Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils-0.174
wcventure at 126 dot com
2018-10-17 08:36:45 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Bug ID: 23786
Summary: Divide-by-zero Problem in function arlib_add_symbols()
in arlib.c in elfutils-0.174
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: general
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Hi,

I found some floating point exception in function arlib_add_symbols() in
arlib.c of the latest elfutils-0.174 code base. I have confirmed them with GDB
and Address Sanitizer.

Here are the POC files. Please use " ./eu-ranlib $POC " to reproduce this bug.
I'll also show you the debugging process. It seems that this is caused by the
divide-by-zero.
int nsyms = shdr->sh_size / shdr->sh_entsize;
I can provide you some testcases to make shdr->sh_entsize = 0. And you can use
the testcases to reproduce the bug. Divide by zero is bad. We need to make a
check before doing division calculation.

--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11336
--> https://sourceware.org/bugzilla/attachment.cgi?id=11336&action=edit
POC1

I have also confirmed them with Address Sanitizer.
The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==2496==ERROR: AddressSanitizer: FPE on unknown address 0x0000004065d8 (pc
0x0000004065d8 bp 0x7ffd4c109620 sp 0x7ffd4c109550 T0)
#0 0x4065d7 in arlib_add_symbols
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255
#1 0x4029c5 in handle_file
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:193
#2 0x4029c5 in main
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:110
#3 0x7fc97b51982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403d28 in _start
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-ranlib+0x403d28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255 in
arlib_add_symbols
==2496==ABORTING
Aborted
--
You are receiving this mail because:
You are on the CC list for the bug.
wcventure at 126 dot com
2018-10-17 08:38:00 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

--- Comment #2 from wcventure <wcventure at 126 dot com> ---
Created attachment 11337
--> https://sourceware.org/bugzilla/attachment.cgi?id=11337&action=edit
POC2

Please use " ./eu-ranlib $POC " to reproduce this bug. This bug was discovered
by NTU Cyber-Security-Lab, for fuzzing research work. If you have any
questions, please let me know.
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-18 17:03:39 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2018-10-18
CC| |mark at klomp dot org
Ever confirmed|0 |1

--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
Thanks for the report. Proposed fix posted:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-10-19 22:58:32 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED

--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
commit 2b16a9be69939822dcafe075413468daac98b327
Author: Mark Wielaard <***@klomp.org>
Date: Thu Oct 18 19:01:52 2018 +0200

arlib: Check that sh_entsize isn't zero.

A bogus ELF file could have sh_entsize as zero. Don't divide by zero,
but just assume there are no symbols in the section.

https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Signed-off-by: Mark Wielaard <***@klomp.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-11-14 11:50:04 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
For reference this was assigned CVE-2018-18521.

Note that this bug was not in a generic library, just in the code shared by the
eu-ar and eu-ranlib binaries.
--
You are receiving this mail because:
You are on the CC list for the bug.
mark at klomp dot org
2018-11-14 11:56:05 UTC
Permalink
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|general |tools
--
You are receiving this mail because:
You are on the CC list for the bug.
Loading...