Date: Sat, 04 Feb 2017 13:19:37 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: pax-utils: dumpelf: out of bounds read in dump_notes (dumpelf.c) Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on dumpelf an out of bounds read. It was reported to vapier which fixed the issue immediately. Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb. This is not CVE-worthy because of the “READ of size 1” in a command-line tool. I’m sharing it because some distro/packagers may want to have the patch aboard. # dumpelf $FILE unknown-crash on address 0x7fc30f701000 at pc 0x000000520111 bp 0x7ffdc3db8eb0 sp 0x7ffdc3db8ea8 READ of size 1 at 0x7fc30f701000 thread T0 (gdb) #0 dump_notes (B=B@...ry=64, memory=memory@...ry=0x7ffff7ff428c, memory_end=0x7ffff7ff42ac, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:245 #1 0x0000000000405636 in dump_phdr (elf=elf@...ry=0x60d8e0, phdr_void=phdr_void@...ry=0x7ffff7ff4158, phdr_cnt=phdr_cnt@...ry=5) at dumpelf.c:324 #2 0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91 #3 parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557 #4 main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566 Affected version: 1.2.2 Fixed version: N/A Commit fix: https://github.com/gentoo/pax-utils/commit/10a9643d90a1ba6058a66066803fac6cf43f6917 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. Reproducer: https://github.com/asarubbo/poc/blob/master/00142-pax-utils-dumpelf-oob1 Timeline: 2017-01-30: bug discovered and reported to upstream 2017-02-01: upstream released a patch 2017-02-04: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-out-of-bounds-read-in-dump_notes-dumpelf-c -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ