Date: Wed, 09 Nov 2016 15:39:17 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: elfutils: memory allocation failure in allocate_elf (common.h)

If it is suitable for a CVE please assign one. Thanks.

Description:
elfutils is a set of libraries and utilities for handling ELF objects (a drop-in replacement for libelf).

While fuzzing libdwarf, I noticed a memory allocation failure that involves elfutils.
There is actually a proposed patch on the elfutils mailing list, but nobody has commented on it.

The complete ASan output:

# dwarfdump $FILE
==21982==ERROR: AddressSanitizer failed to allocate 0x3401fb3000 (223371538432) bytes of LargeMmapAllocator (error code: 12)
==21982==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42493a in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42493a in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42493a in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x420003 in __asan::Allocator::Calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:557
    #8 0x420003 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:722
    #9 0x4c0c3a in calloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
    #10 0x7f9f1d4ee5e0 in allocate_elf /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/common.h:74
    #11 0x7f9f1d4ee5e0 in file_read_elf /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:282
    #12 0x7f9f1d4ef2b8 in read_unmmaped_file /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:584
    #13 0x7f9f1d4ef2b8 in read_file /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_begin.c:670
    #14 0x4f9676 in main /tmp/dwarf-20161021/dwarfdump/dwarfdump.c:585:11
    #15 0x7f9f1c41b61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #16 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)
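The trace above ends in a calloc() from allocate_elf whose size is derived from the ELF header of the input file, so a crafted header can request an allocation far larger than the file itself. The following is an added example, not elfutils code and not the proposed patch: it parses an in-memory little-endian ELF64 header, takes the section count from e_shnum or, under the standard ELF extended-numbering convention, from section 0's sh_size when e_shnum is 0, and refuses to size any table unless the whole section header table fits inside the file. The probe helper and its 128-byte constructed file are this example's own.

```c
/* Added example, not elfutils code: a bounds check for a section count taken
 * from an untrusted ELF64 header, before any allocation is sized from it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <elf.h>

/* Returns the number of section headers if the table lies entirely inside a
 * file of 'size' bytes, or 0 when the header is malformed or the table overruns. */
static uint64_t trusted_section_count(const unsigned char *buf, size_t size)
{
    Elf64_Ehdr eh;
    if (size < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_ident[EI_DATA] != ELFDATA2LSB || eh.e_shoff == 0)
        return 0;
    if (eh.e_shentsize < sizeof(Elf64_Shdr) || eh.e_shoff > size - sizeof(Elf64_Shdr))
        return 0;                          /* section header 0 is out of bounds */
    uint64_t count = eh.e_shnum;
    if (count == 0) {                      /* extended numbering: count in shdr[0] */
        Elf64_Shdr sh0;
        memcpy(&sh0, buf + eh.e_shoff, sizeof sh0);
        count = sh0.sh_size;
    }
    /* Division form: no overflow in count * e_shentsize before the compare. */
    if (count > (size - eh.e_shoff) / eh.e_shentsize) return 0;
    return count;
}

/* Constructed 128-byte file (header + one section header) with e_shnum = 0
 * and shdr[0].sh_size claiming 'claimed' sections; only one actually fits. */
static uint64_t probe_extended_count(uint64_t claimed)
{
    unsigned char file[128] = {0};
    Elf64_Ehdr eh = {0};
    Elf64_Shdr sh0 = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_shoff = sizeof eh;
    eh.e_shentsize = sizeof sh0;
    sh0.sh_size = claimed;
    memcpy(file, &eh, sizeof eh);
    memcpy(file + sizeof eh, &sh0, sizeof sh0);
    return trusted_section_count(file, sizeof file);
}
```

A count that passes this check is bounded by the file size, so any table sized from it stays proportional to the input rather than to a 64-bit field the file controls.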

Affected version:
0.166

Fixed version:
N/A

Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/message/EJWVY7TMRDEMWPAPNVU3V4MZYG5HANF2/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/raw/master/00011-elfutils-memalloc-allocate_elf

Timeline:
2016-10-24: bug discovered and reported to upstream
2016-11-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h
