[Bug libelf/23787] New: Invalid Address Dereference problem in function elf_end in libelf the latest elfutils-0.174
wcventure at 126 dot com
2018-10-17 12:00:15 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23787

Bug ID: 23787
Summary: Invalid Address Dereference problem in function elf_end in libelf the latest elfutils-0.174
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 11338
--> https://sourceware.org/bugzilla/attachment.cgi?id=11338&action=edit
POC1

Hi,

Our fuzzer found an Invalid Address Dereference problem in function elf_end in
libelf in the latest elfutils-0.174 code base. I have confirmed it with
AddressSanitizer, too.

The function elf_end is called by size.c. Here are the POC files. Please use
"./eu-size $POC" to reproduce this bug.

The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
#0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
#1 0x405aa2 in handle_ar /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
#2 0x401c7a in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
#3 0x401c7a in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
#4 0x7f1a0ec0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4029f8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
in elf_end
==21938==ABORTING
Aborted
--
You are receiving this mail because:
You are on the CC list for the bug.
wcventure at 126 dot com
2018-10-17 12:01:58 UTC

--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11339
--> https://sourceware.org/bugzilla/attachment.cgi?id=11339&action=edit
POC2

Please use "./eu-size $POC" to reproduce this bug.

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
If you have any questions, please let me know.
mark at klomp dot org
2018-10-18 23:05:45 UTC

Mark Wielaard <mark at klomp dot org> changed:

What             | Removed                                                                                    | Added
-----------------|--------------------------------------------------------------------------------------------|-----------------------------------------------
Status           | UNCONFIRMED                                                                                | ASSIGNED
Last reconfirmed |                                                                                            | 2018-10-18
CC               |                                                                                            | mark at klomp dot org
Summary          | Invalid Address Dereference problem in function elf_end in libelf the latest elfutils-0.174 | eu-size: Bad handling of ar files inside ar files
Ever confirmed   | 0                                                                                          | 1

--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Thanks. What is happening is that eu-size can handle ar files inside ar files,
but when doing so it closes the (outer) ar file before handling all other
entries in it.

Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html
mark at klomp dot org
2018-10-19 22:59:22 UTC

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED

--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
commit 22d2d082d57a7470fadc0eae67179553f4919209
Author: Mark Wielaard <***@klomp.org>
Date: Thu Oct 18 23:15:48 2018 +0200

size: Handle recursive ELF ar files.

eu-size didn't handle an ELF ar file that contained an ar file itself
correctly. handle_ar would recursively call itself but close the ELF
file before returning. Only close the ELF file at the top-level.

https://sourceware.org/bugzilla/show_bug.cgi?id=23787

Signed-off-by: Mark Wielaard <***@klomp.org>
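The recursion pattern that Comment #2 and the commit message above describe can be shown without libelf. The following C program is an added illustration, not code from elfutils or from this bug report: it contains a minimal in-memory reader for the classic "!<arch>\n" archive layout with elf_begin/elf_next/elf_end analogues (ar_begin, ar_next, ar_end), and a walker modelled on eu-size's handle_ar that recurses into a nested archive. With close_inner = 1 it closes its handle at every depth, as the pre-fix code did, so the caller's elf_next-style step on the member fails and the remaining members of the outer archive are never reached; with close_inner = 0 it closes the handle only at the top level, as the fix describes. The handle structure, all function names, the global error counter and the nested sample archive (outer.a containing a.o, inner.a and d.o) are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_MAGIC "!<arch>\n"
#define AR_MAGIC_LEN 8
#define AR_HDR_LEN 60

/* libelf-style handle for a whole archive or one member of it (assumption of this example:
 * classic "!<arch>\n" layout, 60-byte headers, no long-name table). */
struct ar_handle {
    const unsigned char *data;  /* bytes this handle covers */
    size_t size, pos;           /* pos (archives only): offset of the next member header */
    struct ar_handle *parent;   /* archive a member was opened from; NULL at top level */
    int open;                   /* cleared by ar_end(); any later use is a use-after-close */
};
static int handle_errors;       /* failed handle operations seen during the last walk */

static int ar_is_archive(const unsigned char *d, size_t n)
{ return n >= AR_MAGIC_LEN && memcmp(d, AR_MAGIC, AR_MAGIC_LEN) == 0; }

/* elf_begin() analogue: open the member at parent->pos.  1 = ok, 0 = end, -1 = error. */
static int ar_begin(struct ar_handle *parent, struct ar_handle *m, char name[17])
{
    if (!parent->open) return -1;
    if (parent->pos >= parent->size) return 0;
    const unsigned char *hdr = parent->data + parent->pos;
    if (parent->size - parent->pos < AR_HDR_LEN || hdr[58] != '`' || hdr[59] != '\n') return -1;
    memcpy(name, hdr, 16); name[16] = '\0';
    char sz[11]; memcpy(sz, hdr + 48, 10); sz[10] = '\0';
    unsigned long n = strtoul(sz, NULL, 10);
    if (n > parent->size - parent->pos - AR_HDR_LEN) return -1;   /* member runs past archive */
    m->data = hdr + AR_HDR_LEN; m->size = n; m->pos = AR_MAGIC_LEN;
    m->parent = parent; m->open = 1;
    return 1;
}

/* elf_next() analogue: step the parent past this member; needs an OPEN member handle. */
static int ar_next(struct ar_handle *m)
{
    if (!m->open || m->parent == NULL) return -1;
    m->parent->pos = (size_t)(m->data - m->parent->data) + m->size + (m->size & 1);
    return 0;
}

/* elf_end() analogue: closing an already closed handle is reported as an error. */
static int ar_end(struct ar_handle *h)
{ if (!h->open) return -1; h->open = 0; return 0; }

/* Modelled on eu-size's handle_ar(): counts leaf members, recursing into nested archives.
 * close_inner = 1 closes the handle at every depth (pre-fix behaviour); close_inner = 0
 * closes it only at the top level (elf->parent == NULL), as the fix describes. */
static long handle_ar(struct ar_handle *elf, int close_inner)
{
    struct ar_handle sub; char name[17]; long leaves = 0; int r;
    while ((r = ar_begin(elf, &sub, name)) == 1) {
        if (ar_is_archive(sub.data, sub.size))
            leaves += handle_ar(&sub, close_inner);
        else
            leaves++;                                       /* stand-in for handle_elf() */
        if (ar_next(&sub) != 0) { handle_errors++; break; } /* fails if the recursion closed sub */
        if (ar_end(&sub) != 0) handle_errors++;
    }
    if (r < 0) handle_errors++;
    if ((elf->parent == NULL || close_inner) && ar_end(elf) != 0) handle_errors++;
    return leaves;
}

/* Append one member (header, body, pad byte) to buf; returns the new length. */
static size_t ar_add(unsigned char *buf, size_t len, const char *name, const void *body, size_t n)
{
    char hdr[AR_HDR_LEN + 1];
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10lu`\n", name, "0", "0", "0", "644",
             (unsigned long)n);
    memcpy(buf + len, hdr, AR_HDR_LEN); len += AR_HDR_LEN;
    memcpy(buf + len, body, n); len += n;
    if (n & 1) buf[len++] = '\n';
    return len;
}

/* Constructed sample: outer.a = { a.o, inner.a = { b.o, c.o }, d.o }.  Returns the number of
 * leaf members reached; sample_errors() then reports how many handle operations failed. */
long run_sample(int close_inner)
{
    static unsigned char inner[256], outer[512];
    size_t il = AR_MAGIC_LEN, ol = AR_MAGIC_LEN;
    memcpy(inner, AR_MAGIC, AR_MAGIC_LEN);
    il = ar_add(inner, il, "b.o/", "BBB", 3);
    il = ar_add(inner, il, "c.o/", "CCCC", 4);
    memcpy(outer, AR_MAGIC, AR_MAGIC_LEN);
    ol = ar_add(outer, ol, "a.o/", "AAAAA", 5);
    ol = ar_add(outer, ol, "inner.a/", inner, il);
    ol = ar_add(outer, ol, "d.o/", "DD", 2);
    struct ar_handle top = { outer, ol, AR_MAGIC_LEN, NULL, 1 };
    handle_errors = 0;
    return handle_ar(&top, close_inner);
}

int sample_errors(void) { return handle_errors; }
```

Calling run_sample(1) walks a.o, b.o and c.o, then stops with one failed operation when ar_next is applied to the member handle the recursion already closed, so d.o is never reported; run_sample(0) reaches all four leaf members with no failures. The real program had no such guard on the closed handle, which is why the report shows a read from the zero page inside elf_end rather than a clean error.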
mark at klomp dot org
2018-11-14 11:45:29 UTC

--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
For reference this was assigned CVE-2018-18520.

Note that the description of the CVE is misleading.
The bug is in eu-size, not in libelf elf_end.
mark at klomp dot org
2018-11-14 06:24:50 UTC

Mark Wielaard <mark at klomp dot org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|libelf |tools