Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 09 Nov 2016 15:38:04 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)

If it is suitable for a CVE please assign one. Thanks.

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop in 
replacement for libelf).

During the fuzz of libdwarf, I noticed a memory allocation failure which 
involves elfutils.
To have a double-check, the bug was first reported to the libdwarf maintainer 
and then to the elfutils maintainer. Actually there is a proposed patch on the 
elfutils mailing list, but nobody commented.

The complete ASan output:

# dwarfdump $FILE
==30083==ERROR: AddressSanitizer failed to allocate 0x8000003000 
(549755826176) bytes of LargeMmapAllocator (error code: 12)
==30083==Process memory map follows:
	0x000000400000-0x0000006bb000	/usr/bin/dwarfdump-asan
	0x0000008ba000-0x0000008c2000	/usr/bin/dwarfdump-asan
	0x0000008c2000-0x0000008ff000	/usr/bin/dwarfdump-asan
	0x0000008ff000-0x0000015a3000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x613000000000	
	0x613000000000-0x613000010000	
	0x613000010000-0x614000000000	
	0x614000000000-0x614000020000	
	0x614000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x61c000000000	
	0x61c000000000-0x61c000020000	
	0x61c000020000-0x61d000000000	
	0x61d000000000-0x61d000020000	
	0x61d000020000-0x624000000000	
	0x624000000000-0x624000020000	
	0x624000020000-0x625000000000	
	0x625000000000-0x625000020000	
	0x625000020000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f0afdc00000-0x7f0afdd00000	
	0x7f0afde00000-0x7f0afdf00000	
	0x7f0afdff0000-0x7f0b00342000	
	0x7f0b00342000-0x7f0b004d5000	/lib64/libc-2.22.so
	0x7f0b004d5000-0x7f0b006d5000	/lib64/libc-2.22.so
	0x7f0b006d5000-0x7f0b006d9000	/lib64/libc-2.22.so
	0x7f0b006d9000-0x7f0b006db000	/lib64/libc-2.22.so
	0x7f0b006db000-0x7f0b006df000	
	0x7f0b006df000-0x7f0b006f5000	/usr/lib64/gcc/x86_64-pc-linux-
gnu/4.9.3/libgcc_s.so.1
	0x7f0b006f5000-0x7f0b008f4000	/usr/lib64/gcc/x86_64-pc-linux-
gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f4000-0x7f0b008f5000	/usr/lib64/gcc/x86_64-pc-linux-
gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f5000-0x7f0b008f6000	/usr/lib64/gcc/x86_64-pc-linux-
gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f6000-0x7f0b008f8000	/lib64/libdl-2.22.so
	0x7f0b008f8000-0x7f0b00af8000	/lib64/libdl-2.22.so
	0x7f0b00af8000-0x7f0b00af9000	/lib64/libdl-2.22.so
	0x7f0b00af9000-0x7f0b00afa000	/lib64/libdl-2.22.so
	0x7f0b00afa000-0x7f0b00bf7000	/lib64/libm-2.22.so
	0x7f0b00bf7000-0x7f0b00df6000	/lib64/libm-2.22.so
	0x7f0b00df6000-0x7f0b00df7000	/lib64/libm-2.22.so
	0x7f0b00df7000-0x7f0b00df8000	/lib64/libm-2.22.so
	0x7f0b00df8000-0x7f0b00dfe000	/lib64/librt-2.22.so
	0x7f0b00dfe000-0x7f0b00ffe000	/lib64/librt-2.22.so
	0x7f0b00ffe000-0x7f0b00fff000	/lib64/librt-2.22.so
	0x7f0b00fff000-0x7f0b01000000	/lib64/librt-2.22.so
	0x7f0b01000000-0x7f0b01017000	/lib64/libpthread-2.22.so
	0x7f0b01017000-0x7f0b01216000	/lib64/libpthread-2.22.so
	0x7f0b01216000-0x7f0b01217000	/lib64/libpthread-2.22.so
	0x7f0b01217000-0x7f0b01218000	/lib64/libpthread-2.22.so
	0x7f0b01218000-0x7f0b0121c000	
	0x7f0b0121c000-0x7f0b01231000	/lib64/libz.so.1.2.8
	0x7f0b01231000-0x7f0b01430000	/lib64/libz.so.1.2.8
	0x7f0b01430000-0x7f0b01431000	/lib64/libz.so.1.2.8
	0x7f0b01431000-0x7f0b01432000	/lib64/libz.so.1.2.8
	0x7f0b01432000-0x7f0b01449000	/usr/lib64/libelf-0.166.so
	0x7f0b01449000-0x7f0b01649000	/usr/lib64/libelf-0.166.so
	0x7f0b01649000-0x7f0b0164a000	/usr/lib64/libelf-0.166.so
	0x7f0b0164a000-0x7f0b0164b000	/usr/lib64/libelf-0.166.so
	0x7f0b0164b000-0x7f0b0166d000	/lib64/ld-2.22.so
	0x7f0b017f7000-0x7f0b01860000	
	0x7f0b01860000-0x7f0b0186c000	
	0x7f0b0186c000-0x7f0b0186d000	/lib64/ld-2.22.so
	0x7f0b0186d000-0x7f0b0186e000	/lib64/ld-2.22.so
	0x7f0b0186e000-0x7f0b0186f000	
	0x7ffff2f19000-0x7ffff2f3a000	[stack]
	0x7ffff2f3d000-0x7ffff2f3f000	[vvar]
	0x7ffff2f3f000-0x7ffff2f41000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==30083==End of process memory map.
==30083==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != 
(0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, 
unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, 
unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char 
const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) 
/var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x4224df in 
__sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, 
unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x4224df in 
__sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 
4398046511104ul, 0ul, __sanitizer::SizeClassMap, 
__asan::AsanMapUnmapCallback>, 
__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 
4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> 
>, __sanitizer::LargeMmapAllocator 
>::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 
4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> 
>*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-
devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x4224df in __asan::Allocator::Allocate(unsigned long, unsigned long, 
__sanitizer::BufferedStackTrace*, __asan::AllocType, bool) 
/var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x4224df in __asan::asan_malloc(unsigned long, 
__sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f0b0143c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-
libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318
    #10 0x7f0b0143c5db in __elf_getdata_rdlock /tmp/portage/dev-
libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:521
    #11 0x580659 in dwarf_elf_object_access_load_section 
/tmp/dwarf-20161001/libdwarf/dwarf_elf_access.c:1312:16
    #12 0x5b5142 in _dwarf_load_section 
/tmp/dwarf-20161001/libdwarf/dwarf_init_finish.c:1139:11
    #13 0x6082ae in _dwarf_load_debug_info 
/tmp/dwarf-20161001/libdwarf/dwarf_util.c:855:11
    #14 0x57043f in _dwarf_next_cu_header_internal 
/tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:819:32
    #15 0x572fcd in dwarf_next_cu_header_d 
/tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:629:15
    #16 0x512f4f in print_one_die_section 
/tmp/dwarf-20161001/dwarfdump/print_die.c:660:16
    #17 0x512262 in print_infos 
/tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #18 0x4faaea in process_one_file 
/tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #19 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #20 0x7f0b0036261f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

Affected version:
0.166

Fixed version:
N/A

Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@...ts.fedorahosted.org/thread/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock

Timeline:
2016-10-03: bug discovered
2016-10-21: bug reported to upstream
2016-11-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ