Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 04 Feb 2017 13:19:37 +0100
From: Agostino Sarubbo <>
Subject: pax-utils: dumpelf: out of bounds read in dump_notes (dumpelf.c)

pax-utils is a set of tools that check files for security relevant properties.

A fuzz on dumpelf an out of bounds read. It was reported to vapier which fixed 
the issue immediately.
Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only 
the useful part of both asan and gdb.
This is not CVE-worthy because of the “READ of size 1” in a command-line tool. 
I’m sharing it because some distro/packagers may want to have the patch 

# dumpelf $FILE
unknown-crash on address 0x7fc30f701000 at pc 0x000000520111 bp 0x7ffdc3db8eb0 
sp 0x7ffdc3db8ea8
READ of size 1 at 0x7fc30f701000 thread T0

#0  dump_notes (B=B@...ry=64, memory=memory@...ry=0x7ffff7ff428c, 
memory_end=0x7ffff7ff42ac, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:245
#1  0x0000000000405636 in dump_phdr (elf=elf@...ry=0x60d8e0, 
phdr_void=phdr_void@...ry=0x7ffff7ff4158, phdr_cnt=phdr_cnt@...ry=5) at 
#2  0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91
#3  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#4  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.


2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

This bug was found with American Fuzzy Lop.


Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ