oss-sec mailing list archives
Re:[oss-security] Re: Buffer Overflow in lha compression utility
From: xiaoqixue_1 <xiaoqixue_1 () 163 com>
Date: Tue, 19 Jan 2016 20:46:10 +0800 (CST)
An out-of-bounds read is found in libdwarf-20151114. Please see the attachment for the PoC. The result of valgrind is as follows:

==============================
===========================
*** DWARF CHECK: DW_DLE_DEBUG_FRAME_LENGTH_NOT_MULTIPLE len=0x00000010, len size=0x00000004, extn size=0x00000000, totl length=0x00000014, addr size=0x00000008, mod=0x00000004 must be zero in cie, offset 0x00000000. ***

==53495== Invalid read of size 2
==53495==    at 0x4C2F7E0: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==53495==    by 0x43287F: dwarf_read_cie_fde_prefix (dwarf_frame2.c:934)
==53495==    by 0x431305: _dwarf_get_fde_list_internal (dwarf_frame2.c:268)
==53495==    by 0x42EB5F: dwarf_get_fde_list_eh (dwarf_frame.c:1101)
==53495==    by 0x41BABE: print_frames (print_frames.c:1835)
==53495==    by 0x40485B: process_one_file (dwarfdump.c:1323)
==53495==    by 0x403529: main (dwarfdump.c:630)
==53495==  Address 0x548b3c0 is 0 bytes inside a block of size 1 alloc'd
==53495==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==53495==    by 0x4E40600: ??? (in /usr/lib/x86_64-linux-gnu/libelf-0.158.so)
==53495==    by 0x4E40873: ??? (in /usr/lib/x86_64-linux-gnu/libelf-0.158.so)
==53495==    by 0x42A0E1: dwarf_elf_object_access_load_section (dwarf_elf_access.c:1230)
==53495==    by 0x437715: _dwarf_load_section (dwarf_init_finish.c:1072)
==53495==    by 0x42EAEB: dwarf_get_fde_list_eh (dwarf_frame.c:1096)
==53495==    by 0x41BABE: print_frames (print_frames.c:1835)
==53495==    by 0x40485B: process_one_file (dwarfdump.c:1323)
==53495==    by 0x403529: main (dwarfdump.c:630)

The vulnerability was found by Qixue Xiao at Tsinghua University.
Attachment:
awbug5.elf
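The trace above shows a 2-byte read at the CIE/FDE prefix of a frame section that is only 1 byte long. As an added illustration, not code from libdwarf or from the reporter, here is a constructed bounds-checked reader for the length and CIE-id prefix of a .debug_frame/.eh_frame entry that rejects such a section before any read happens; the function names, status codes and sample bytes are all assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Status codes of this constructed reader (not libdwarf's own API). */
enum prefix_status { PREFIX_OK = 0, PREFIX_TRUNCATED = 1, PREFIX_BAD_LENGTH = 2 };

struct cie_fde_prefix {
    uint64_t length;       /* entry length, excluding the length field itself */
    size_t   cie_id_size;  /* 4 for 32-bit DWARF, 8 after the 0xffffffff escape */
    uint64_t cie_id;
    size_t   body_offset;  /* offset of the first byte after the CIE id */
};

/* Read n little-endian bytes at off, but only if they lie inside the section. */
static int read_le(const uint8_t *sec, size_t sec_len, size_t off, size_t n, uint64_t *out) {
    uint64_t v = 0;
    if (off > sec_len || n > sec_len - off)   /* underflow-safe: never computes off + n */
        return 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)sec[off + i] << (8 * i);
    *out = v;
    return 1;
}

/* Parse the length and CIE-id prefix at off; every read is bounds-checked first. */
int read_cie_fde_prefix(const uint8_t *sec, size_t sec_len, size_t off, struct cie_fde_prefix *p) {
    uint64_t v;
    p->cie_id_size = 4;
    if (!read_le(sec, sec_len, off, 4, &v))   /* a 1-byte section is rejected here */
        return PREFIX_TRUNCATED;
    off += 4;
    if (v == 0xffffffffu) {                   /* 64-bit DWARF: the real length follows */
        if (!read_le(sec, sec_len, off, 8, &v))
            return PREFIX_TRUNCATED;
        p->cie_id_size = 8;
        off += 8;
    }
    p->length = v;
    /* The entry must hold at least its CIE id and must end inside the section. */
    if (p->length < p->cie_id_size || p->length > sec_len - off)
        return PREFIX_BAD_LENGTH;
    if (!read_le(sec, sec_len, off, p->cie_id_size, &p->cie_id))
        return PREFIX_TRUNCATED;
    p->body_offset = off + p->cie_id_size;
    return PREFIX_OK;
}

/* Constructed inputs: a 1-byte section like the one in the trace, and a valid 32-bit CIE prefix. */
static const uint8_t one_byte_section[1] = { 0x00 };
static const uint8_t good_section[20] = { 0x10,0,0,0, 0,0,0,0, 1,0,0,0, 0,0,0,0, 0,0,0,0 };

int check_section(const uint8_t *sec, size_t sec_len) {
    struct cie_fde_prefix p;
    return read_cie_fde_prefix(sec, sec_len, 0, &p);
}
```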