Date: Sat, 04 Feb 2017 13:20:51 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: pax-utils: dumpelf: two invalid memory read in dumpelf.c

Description:
pax-utils is a set of tools that check files for security-relevant properties.

A fuzz on scanelf exposed two invalid memory reads. They were reported to vapier,
who fixed the issue immediately.
Unfortunately I can't get a symbolized ASan stacktrace, so I will show only
the useful part of both the ASan and the gdb output.

# dumpelf $FILE
  SEGV on unknown address 0x7f8d94dc9e28 (pc 0x00000051efc6 bp 0x7ffe15ddbfa0 
sp 0x7ffe15ddbf60 T0)
==31647==The signal is caused by a READ memory access.

(gdb)
#0  0x00000000004067f7 in dump_dyn (dyn_void=dyn_void@...ry=0x7ff5f7ff6e28, 
dyn_cnt=dyn_cnt@...ry=0, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:486
#1  0x0000000000401e24 in dumpelf (file_cnt=0, filename=) at dumpelf.c:146
#2  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#3  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00140-pax-utils-dumpelf-invalidread-dump_dyn

# dumpelf $FILE
SEGV on unknown address 0x6360e1292000 (pc 0x00000051fba9 bp 0x7ffeef817f20 sp 
0x7ffeef817ec0 T0)
==8213==The signal is caused by a READ memory access.

(gdb)
#0  dump_notes (B=B@...ry=64, memory=memory@...ry=0x63fff7ff5000, 
memory_end=0x6414f7ff5000, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:228
#1  0x0000000000405636 in dump_phdr (elf=elf@...ry=0x60d8e0, 
phdr_void=phdr_void@...ry=0x7ffff7ff50f0, phdr_cnt=phdr_cnt@...ry=1) at 
dumpelf.c:324
#2  0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91
#3  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#4  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00141-pax-utils-dumpelf-invalidread-dump_notes

Affected version:
1.2.2

Fixed version:
N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/18ded0e30ee5a84260cceb80d818b9c21ade4c76

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
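In both traces above the crashing pointer was derived from values read out of the input file and then dereferenced without being checked against the mapping: in the dump_notes frame the memory..memory_end span is about 0x1500000000 bytes wide, far beyond any real PT_NOTE segment, and in the dump_dyn frame the dynamic-entry pointer already points outside the mapped file while dyn_cnt is 0. The following is an added illustration of mine, not pax-utils code and not the upstream commit referenced in this post: a bounds-checked walker over the PT_NOTE and PT_DYNAMIC segments that rejects a segment, a note body or a dynamic array that would leave the file instead of reading through it. The struct definitions mirror the ELF64 layouts from <elf.h> but are declared locally so the example builds on its own; the image produced by build_sample() is constructed in memory and is not one of the reproducers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 on-disk layouts, copied locally so the example builds without <elf.h>. */
typedef struct { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                 uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
                 uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Ehdr;
typedef struct { uint32_t p_type, p_flags; uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; } Phdr;
typedef struct { uint32_t n_namesz, n_descsz, n_type; } Nhdr;
typedef struct { int64_t d_tag; uint64_t d_val; } Dyn;
enum { PT_DYNAMIC = 2, PT_NOTE = 4, DT_NULL = 0 };

/* True if [off, off+size) lies inside a buffer of len bytes; written so it cannot overflow. */
static int in_file(uint64_t off, uint64_t size, size_t len) { return off <= len && size <= len - off; }

/* Validate the ELF header and program header table; returns the table offset or -1 if it leaves the file. */
static int64_t phdr_table(const uint8_t *file, size_t len, size_t *count) {
    Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, file, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_phentsize != sizeof(Phdr)) return -1;
    if (!in_file(eh.e_phoff, (uint64_t)eh.e_phnum * sizeof(Phdr), len)) return -1;
    *count = eh.e_phnum;
    return (int64_t)eh.e_phoff;
}

static void get_phdr(const uint8_t *file, int64_t tbl, size_t i, Phdr *ph) { memcpy(ph, file + tbl + i * sizeof *ph, sizeof *ph); }

/* Count notes in all PT_NOTE segments; -1 if a segment or a note's name/desc length runs past the file. */
int count_notes(const uint8_t *file, size_t len) {
    size_t n; int notes = 0;
    int64_t tbl = phdr_table(file, len, &n);
    if (tbl < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        Phdr ph; get_phdr(file, tbl, i, &ph);
        if (ph.p_type != PT_NOTE) continue;
        if (!in_file(ph.p_offset, ph.p_filesz, len)) return -1;  /* check before deriving memory_end */
        uint64_t off = ph.p_offset, end = off + ph.p_filesz;
        while (end - off >= sizeof(Nhdr)) {
            Nhdr nh; memcpy(&nh, file + off, sizeof nh);
            off += sizeof nh;
            /* name and desc are 4-byte padded; 32-bit lengths summed in 64 bits cannot overflow */
            uint64_t body = (((uint64_t)nh.n_namesz + 3) & ~3ULL) + (((uint64_t)nh.n_descsz + 3) & ~3ULL);
            if (body > end - off) return -1;
            off += body; notes++;
        }
    }
    return notes;
}

/* Count PT_DYNAMIC entries up to DT_NULL; -1 if the segment is outside the file or unterminated, 0 if absent. */
int count_dynamic(const uint8_t *file, size_t len) {
    size_t n;
    int64_t tbl = phdr_table(file, len, &n);
    if (tbl < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        Phdr ph; get_phdr(file, tbl, i, &ph);
        if (ph.p_type != PT_DYNAMIC) continue;
        if (!in_file(ph.p_offset, ph.p_filesz, len)) return -1;
        for (size_t j = 0; j < ph.p_filesz / sizeof(Dyn); j++) {
            Dyn d; memcpy(&d, file + ph.p_offset + j * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL) return (int)j;
        }
        return -1;  /* segment ended without DT_NULL: stop rather than read on */
    }
    return 0;
}

/* Constructed sample image (not a real binary): one PT_NOTE segment with a 16-byte "GNU" note
   and one PT_DYNAMIC segment with two entries followed by DT_NULL. */
#define IMG_SIZE 512
size_t build_sample(uint8_t *img) {
    Ehdr eh = {0}; Phdr note = {0}, dyn = {0};
    Nhdr nh = { 4, 16, 3 };
    Dyn ents[3] = { { 1, 0x10 }, { 5, 0x20 }, { DT_NULL, 0 } };
    memset(img, 0, IMG_SIZE);
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Phdr); eh.e_phnum = 2;
    note.p_type = PT_NOTE;    note.p_offset = 0xC0;  note.p_filesz = sizeof nh + 4 + 16;
    dyn.p_type  = PT_DYNAMIC; dyn.p_offset  = 0x100; dyn.p_filesz  = sizeof ents;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &note, sizeof note);
    memcpy(img + sizeof eh + sizeof note, &dyn, sizeof dyn);
    memcpy(img + 0xC0, &nh, sizeof nh);
    memcpy(img + 0xC0 + sizeof nh, "GNU", 4);
    memcpy(img + 0x100, ents, sizeof ents);
    return IMG_SIZE;
}

/* Overwrite one 64-bit header field, the way a fuzzer would corrupt it. */
void put_u64(uint8_t *img, size_t off, uint64_t v) { memcpy(img + off, &v, sizeof v); }
int main(void) {
    uint8_t img[IMG_SIZE];
    size_t len = build_sample(img);
    printf("well-formed: %d notes, %d dynamic entries\n", count_notes(img, len), count_dynamic(img, len));
    put_u64(img, sizeof(Ehdr) + offsetof(Phdr, p_filesz), UINT64_MAX);  /* PT_NOTE now "ends" far past the file */
    printf("oversized PT_NOTE: %d\n", count_notes(img, len));
    return 0;
}
```

The two in_file() checks are the whole point: every offset and size taken from the file is compared against the mapping length before any pointer is formed from it, and the comparison is written as `size <= len - off` so that an attacker-chosen p_filesz near UINT64_MAX cannot wrap the addition. The note loop also re-checks the padded name and desc lengths against what remains of the segment, and the dynamic walk stops at the end of the segment even when DT_NULL never appears.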
