oss-sec mailing list archives

Re: CVE request: Multiple vulnerabilities in libdwarf & dwarfdump


From: Solar Designer <solar () openwall com>
Date: Tue, 24 May 2016 11:51:13 +0300

Hi,

On oss-security it is strongly preferred that actual content (rather
than just links) be included in the postings for long-term archival,
as long as the message doesn't exceed 200 KB (including MIME overhead).

On Tue, May 24, 2016 at 04:01:42PM +0800, Yue Liu wrote:
There are multiple vulnerabilities in libdwarf & dwarfdump which were
discovered by Yue Liu (lieanu <liuyue0310 () gmail com>) and Qixue Xiao.

Vulnerabilities DW201605-001 to DW201605-019 in
https://www.prevanders.net/dwarfbug.html

I've attached the current content of the above web page to this message,
as text/plain.

And another one https://bugzilla.redhat.com/show_bug.cgi?id=1330237

Here it is:

---
Description of problem:
There is a NULL pointer dereference bug in libdwarf-20160115 and latest git code.

The bug is at file dwarf_leb.c:147
 143             byte_length++;
 144             if (byte_length > BYTESLEBMAX) {
 145                 /*  Erroneous input. What to do?
 146                     Abort? Return error? Just stop here?*/
 147                 *leb128_length = BYTESLEBMAX;               <- $pc
 148                 return number;
 149             }
 150         }

which is triggered by dwarf_form.c:918
 913             *return_sval = (Dwarf_Signed) ret_value;
 914             return DW_DLV_OK;
 915             }
 916
 917         case DW_FORM_sdata:
 918             ret_value =
 919                 (_dwarf_decode_s_leb128(attr->ar_debug_ptr, NULL));
 920             *return_sval = ret_value;
 921             return DW_DLV_OK;
 922

Version-Release number of selected component (if applicable):
Tested in libdwarf-20160115 and latest git code
---

All vulnerabilities have been fixed in upstream.

POC: https://sourceforge.net/p/libdwarf/regressiontests/ci/master/tree/liu/

Unfortunately, some of the PoCs are a bit too large to attach.  While
the above directory is ~110 KB under tar.xz, the PoC attached to Red Hat
Bugzilla Bug 1330237 is ~150 KB under xz.

So let's keep just the vulnerability detail in here for now.

One of the reasons why I am posting this is to provide an example of
what content to include in oss-security postings going forward.  Also,
it's a call for smaller PoCs (for further occasions; no need to rework
these PoCs now), so that those could be included as well.

Alexander

Attachment: dwarfbug.txt
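The crash quoted above comes from a caller passing NULL as the length out-parameter to a LEB128 decoder that writes through it unconditionally once the BYTESLEBMAX limit is hit. As an added illustration, not libdwarf's code and not the fix it shipped, here is a signed LEB128 decoder in C that treats the length pointer as optional and refuses over-long or truncated input instead of dereferencing NULL; the BYTESLEBMAX value, the function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BYTESLEBMAX 10   /* constructed cap: longest SLEB128 a 64-bit value needs */

/* Decode a signed LEB128 value from at most `avail` bytes.
   Returns 1 on success, 0 on truncated or over-long input (nothing is written).
   `leb_len` is optional: NULL must be tolerated, which is the guard the
   crashing path above lacks when the BYTESLEBMAX limit is hit. */
int decode_sleb128(const uint8_t *p, size_t avail, int64_t *out, size_t *leb_len)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t used = 0;
    uint8_t byte;
    do {
        if (used >= avail || used >= BYTESLEBMAX)
            return 0;                   /* refuse the input, touch no pointer */
        byte = p[used++];
        if (shift < 64)
            result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);

    if (shift < 64 && (byte & 0x40))    /* sign bit of the final 7-bit group */
        result |= ~(uint64_t)0 << shift;
    *out = (int64_t)result;
    if (leb_len)                        /* only write when the caller asked */
        *leb_len = used;
    return 1;
}

/* Constructed sample inputs; not taken from the PoC files linked above. */
int64_t sample_valid(void)           /* 0x85 0x7f encodes -123 in 2 bytes */
{
    const uint8_t b[] = {0x85, 0x7f}; int64_t v = 0; size_t n = 0;
    return (decode_sleb128(b, sizeof b, &v, &n) && n == 2) ? v : 0;
}
int sample_overlong_rejected(void)   /* 11 continuation bytes, NULL length */
{
    uint8_t b[BYTESLEBMAX + 1]; int64_t v = 0;
    memset(b, 0x80, sizeof b);
    return decode_sleb128(b, sizeof b, &v, NULL) == 0;
}
int sample_truncated_rejected(void)  /* continuation bit set, nothing follows */
{
    const uint8_t b[] = {0x85}; int64_t v = 0;
    return decode_sleb128(b, sizeof b, &v, NULL) == 0;
}
```

The over-long case is the one the bug report's comment asks "What to do?" about: returning an error before any pointer is written keeps a malformed input a parse failure rather than a crash.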