oss-sec mailing list archives
CVE request -libdwarf 20160613 heap-buffer-overflow
From: vul@724safe <vul () 724safe com>
Date: Wed, 14 Sep 2016 00:22:43 +0800
Hello,

A heap-buffer-overflow was found in the latest libdwarf 20160613 version.

[Introduction]
The DWARF Debugging Information Format is of interest to programmers working on compilers and debuggers (and anyone interested in reading or writing DWARF information). It was developed by a committee (known as the PLSIG at the time) starting around 1991. Starting around 1991 SGI got involved with the committee and then developed the libdwarf and dwarfdump tools for SGI-internal use and as part of SGI IRIX developer tools. From around 1993 dwarfdump and libdwarf were shipped (as an executable and archive respectively, not source) with every release of the SGI MIPS/IRIX C compiler. In 1994 (I think the correct year) SGI agreed (at my request) to open-source libdwarf (and in 1999 to open-source dwarfdump) so anyone could use them.

[Version]
libdwarf-20160613.tar.gz

[Vulnerability]
With AddressSanitizer, we found a heap-buffer-overflow in the latest release version of dwarfdump. The crash output is as follows:

==17411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3808904 at pc 0x80a6f76 bp 0xffb95e78 sp 0xffb95a5c
READ of size 4 at 0xf3808904 thread T0
==17411==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x80a6f75 in __interceptor_memcpy ??:?
    #1 0x8426c3b in _dwarf_read_loc_section /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:919
    #2 0x84250e2 in _dwarf_get_loclist_count /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:970
    #3 0x8438826 in dwarf_get_loclist_c /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc2.c:551
    #4 0x81a1be8 in get_location_list /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:3523
    #5 0x816e1a2 in print_attribute /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:2456
    #6 0x81684ac in print_one_die /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1452
    #7 0x816047c in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1041
    #8 0x8161c86 in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1136
    #9 0x8161c86 in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1136
    #10 0x8161c86 in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1136
    #11 0x815dd57 in print_die_and_children /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:915
    #12 0x815b75c in print_one_die_section /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:825
    #13 0x81564d1 in print_infos /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:371
    #14 0x80eed18 in process_one_file /home/starlab/fuzzing/dwarf-20160613/dwarfdump/dwarfdump.c:1352
    #15 0x80e66fa in main /home/starlab/fuzzing/dwarf-20160613/dwarfdump/dwarfdump.c:645
    #16 0xf7553af2 in __libc_start_main ??:?
    #17 0x80d23e4 in _start ??:?

0xf3808904 is located 0 bytes to the right of 34052-byte region [0xf3800400,0xf3808904)
allocated by thread T0 here:
    #0 0x80bb011 in __interceptor_malloc ??:?
    #1 0xf7780517 in elf_rawdata ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x3e7010d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e7010e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e7010f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e701100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e701110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e701120:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e701130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e701140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e701150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e701160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e701170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==17411==ABORTING

[Reproduce]
Reproduce the problem by running "./dwarfdump poc".

[POC]
The poc file is in the attachment.

This vulnerability was found by F4B3CD@STARLAB.

Best regards,
STARLAB
Attachment:
poc
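The trace above shows a 4-byte memcpy in the location-list reader landing exactly at the end of the section buffer returned by elf_rawdata. As an added illustration of the defensive pattern that prevents that class of read (this is not libdwarf's code and does not reproduce its dwarf_loc.c logic), here is a hypothetical bounds-checked reader for DWARF 2-4 .debug_loc entries, assuming a 4-byte address size and little-endian encoding; every read is gated on the bytes remaining in the section, and the sample byte arrays are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian decoders: section bytes are read explicitly, independent of host byte order. */
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* One DWARF 2-4 .debug_loc entry for a 4-byte address size (hypothetical layout struct). */
struct loc_entry { uint32_t lopc, hipc; uint16_t len; const uint8_t *expr; };

/* Reads the entry at *off; returns 1 and advances *off on success, 0 when the entry would
 * run past sec_size. Bounds are remaining-byte counts, so an oversized len cannot wrap. */
static int read_loc_entry(const uint8_t *sec, size_t sec_size, size_t *off, struct loc_entry *e)
{
    size_t pos = *off;
    if (pos > sec_size || sec_size - pos < 8) return 0;   /* need lopc + hipc */
    e->lopc = le32(sec + pos);
    e->hipc = le32(sec + pos + 4);
    pos += 8;
    if (e->lopc == 0 && e->hipc == 0) {                   /* end-of-list marker */
        e->len = 0; e->expr = NULL; *off = pos; return 1;
    }
    if (sec_size - pos < 2) return 0;                     /* need the 2-byte block length */
    e->len = le16(sec + pos);
    pos += 2;
    if (sec_size - pos < e->len) return 0;                /* need the expression bytes */
    e->expr = sec + pos;
    *off = pos + e->len;
    return 1;
}

/* Counts entries of the list at off; returns -1 as soon as the section is truncated. */
static long count_loclist(const uint8_t *sec, size_t sec_size, size_t off)
{
    long n = 0;
    struct loc_entry e;
    for (;;) {
        if (!read_loc_entry(sec, sec_size, &off, &e)) return -1;
        if (e.lopc == 0 && e.hipc == 0) return n;
        n++;
    }
}

/* Constructed sample: one entry [0x1000,0x1010) with a 1-byte expression, then the (0,0) terminator. */
static const uint8_t good_loc[] = {
    0x00,0x10,0x00,0x00, 0x10,0x10,0x00,0x00, 0x01,0x00, 0x50,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
/* Constructed sample: the block length claims 0xffff bytes that are not in the section. */
static const uint8_t bad_len_loc[] = {
    0x00,0x10,0x00,0x00, 0x10,0x10,0x00,0x00, 0xff,0xff, 0x50 };
```

Passing a section size smaller than the real data (as the fuzzed input effectively does) makes count_loclist return -1 instead of reading past the buffer.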