Date: Wed, 09 Nov 2016 15:45:30 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: libdwarf: memory allocation failure in do_decompress_zlib (dwarf_init_finish.c)

If it is suitable for a CVE please assign one. Thanks.

Description:
libdwarf is a library to consume and produce DWARF debug information.

A fuzz on an updated version revealed a memory allocation failure.

The complete ASan output:

# dwarfdump $FILE
==27994==WARNING: AddressSanitizer failed to allocate 0x62696c2f7273752f bytes
==27994==AddressSanitizer's allocator is terminating the process instead of returning 0
==27994==If you don't like this behavior set allocator_may_return_null=1
==27994==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4cec76 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x42204c in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317
    #4 0x42204c in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359
    #5 0x42204c in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #6 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #7 0x5b582e in do_decompress_zlib /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1085:12
    #8 0x5b582e in _dwarf_load_section /tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1159
    #9 0x5bb479 in dwarf_srcfiles /tmp/dwarf-20161021/libdwarf/./dwarf_line.c:336:11
    #10 0x5145cd in print_one_die_section /tmp/dwarf-20161021/dwarfdump/print_die.c:812:28
    #11 0x512262 in print_infos /tmp/dwarf-20161021/dwarfdump/print_die.c:371:16
    #12 0x4faafa in process_one_file /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:1371:9
    #13 0x4faafa in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:654
    #14 0x7f578f45a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #15 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

Affected version:
20161021

Fixed version:
N/A

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00024-libdwarf-memalloc-do_decompress_zlib

Timeline:
2016-11-02: bug discovered and reported to upstream
2016-11-05: upstream released a patch
2016-11-07: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/07/libdwarf-memory-allocation-failure-in-do_decompress_zlib-dwarf_init_finish-c
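
Editor's note on the trace above: the requested size 0x62696c2f7273752f is the little-endian encoding of the ASCII bytes "/usr/lib", which strongly suggests the size field was read straight out of the input file and handed to malloc without a sanity check. The following is an added example, not libdwarf's code and not the fix in the commit linked above, showing the checks a decompression path should apply to an untrusted "uncompressed size" claim before allocating: reject zero, reject anything above a hard ceiling, reject claims larger than deflate could possibly produce from the compressed length (about 1032:1 at most, per the zlib FAQ), and report a failed malloc as an error instead of letting the process die. The 8-byte little-endian size field, the 1 GiB ceiling, the function names and the sample inputs are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hard ceiling on one decompressed debug section. Assumed value for this
 * example; a real library would make it configurable. */
#define MAX_DECOMPRESSED_SECTION ((uint64_t)1 << 30)   /* 1 GiB */

/* deflate cannot expand data by more than roughly 1032:1 (zlib FAQ), so a
 * claim far above compressed_len * 1032 cannot come from a valid stream. */
#define MAX_DEFLATE_RATIO 1032u

enum zsize_status {
    ZSIZE_OK = 0,
    ZSIZE_ZERO,          /* claimed size is 0 */
    ZSIZE_TOO_LARGE,     /* exceeds the hard ceiling */
    ZSIZE_IMPLAUSIBLE,   /* exceeds what deflate could yield from compressed_len */
    ZSIZE_NOMEM          /* malloc failed */
};

/* Read an 8-byte little-endian size field. This layout is an assumption of
 * the example (it mirrors Elf64_Chdr.ch_size); the real input may differ. */
uint64_t read_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Validate an untrusted size claim before anyone trusts it. */
enum zsize_status check_claimed_size(uint64_t claimed, size_t compressed_len) {
    if (claimed == 0)
        return ZSIZE_ZERO;
    if (claimed > MAX_DECOMPRESSED_SECTION)
        return ZSIZE_TOO_LARGE;
    /* Divide rather than multiply so the bound itself cannot overflow. */
    if (claimed / MAX_DEFLATE_RATIO > compressed_len)
        return ZSIZE_IMPLAUSIBLE;
    return ZSIZE_OK;
}

/* Allocate the output buffer only after validation, and surface a malloc
 * failure as a status code rather than a crash. Caller frees *out. */
enum zsize_status alloc_decompress_buffer(const uint8_t *size_field,
                                          size_t compressed_len,
                                          uint8_t **out, size_t *out_len) {
    uint64_t claimed = read_le64(size_field);
    enum zsize_status st = check_claimed_size(claimed, compressed_len);
    *out = NULL;
    *out_len = 0;
    if (st != ZSIZE_OK)
        return st;
    uint8_t *buf = malloc((size_t)claimed);   /* claimed <= 1 GiB here */
    if (buf == NULL)
        return ZSIZE_NOMEM;
    *out = buf;
    *out_len = (size_t)claimed;
    return ZSIZE_OK;
}

/* Constructed input: the eight ASCII bytes "/usr/lib" as the size field (the
 * value the ASan trace reports) paired with a 64-byte compressed blob. */
enum zsize_status demo_malicious_claim(void) {
    static const uint8_t field[8] = { '/', 'u', 's', 'r', '/', 'l', 'i', 'b' };
    uint8_t *buf;
    size_t len;
    enum zsize_status st = alloc_decompress_buffer(field, 64, &buf, &len);
    free(buf);   /* NULL on failure, so always safe */
    return st;
}

/* Constructed input: a plausible claim of 4096 bytes for 64 compressed bytes.
 * Returns the number of bytes that were allocated, or 0 on rejection. */
size_t demo_valid_claim(void) {
    static const uint8_t field[8] = { 0x00, 0x10, 0, 0, 0, 0, 0, 0 };
    uint8_t *buf;
    size_t len;
    if (alloc_decompress_buffer(field, 64, &buf, &len) != ZSIZE_OK)
        return 0;
    free(buf);
    return len;
}

int main(void) {
    printf("size field \"/usr/lib\" -> status %d (ZSIZE_TOO_LARGE is %d)\n",
           (int)demo_malicious_claim(), (int)ZSIZE_TOO_LARGE);
    printf("4096-byte claim -> allocated %zu bytes\n", demo_valid_claim());
    return 0;
}
```

The ratio check matters even with a generous ceiling: a fuzzer will happily produce a 200-byte section claiming 900 MiB of output, which passes the ceiling but cannot be a real deflate stream, and rejecting it up front avoids committing a large allocation for input that inflate would fail on anyway.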