oss-sec mailing list archives
pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)
From: "Agostino Sarubbo" <ago () gentoo org>
Date: Sat, 25 Feb 2017 11:23:43 +0000
Description:
pax-utils is a set of tools that check files for security-relevant properties.

A fuzz on scanelf exposed that the out-of-bounds read already reported at https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c was unfixed.

The complete ASan output:

# scanelf -s '*' -axetrnibSDIYZB $FILE
==1093==ERROR: AddressSanitizer: unknown-crash on address 0x7f4ddab2c3a0 at pc 0x000000524a77 bp 0x7fffcd2bc320 sp 0x7fffcd2bc318
READ of size 4 at 0x7f4ddab2c3a0 thread T0
    #0 0x524a76 in scanelf_file_get_symtabs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3
    #1 0x514af2 in scanelf_file_sym /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1282:2
    #2 0x514af2 in scanelf_elfobj /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1502
    #3 0x5137f8 in scanelf_elf /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567:8
    #4 0x5137f8 in scanelf_fileat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #5 0x512d9b in scanelf_dirat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668:10
    #6 0x511d9d in scanelf_dir /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1718:9
    #7 0x511d9d in parseargs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #8 0x511d9d in main /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #9 0x7f4dd9b4e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419b28 in getenv (/usr/bin/scanelf+0x419b28)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3 in scanelf_file_get_symtabs
==1093==ABORTING

Affected version:
1.2.2

Fixed version:
1.2.3 (not released atm)

Commit fix:
https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d
https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00169-pax-utils-scanelf-oobread1

Timeline:
2017-02-09: bug discovered and reported to upstream
2017-02-11: upstream released a patch
2017-02-25: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2

--
Agostino Sarubbo
Gentoo Linux Developer