Date: Wed, 09 Nov 2016 15:38:04 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)

If it is suitable for a CVE please assign one. Thanks.

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

During the fuzzing of libdwarf, I noticed a memory allocation failure which involves elfutils.
As a double check, the bug was first reported to the libdwarf maintainer and then to the elfutils maintainer. Actually there is a proposed patch on the elfutils mailing list, but nobody commented.

The complete ASan output:

# dwarfdump $FILE
==30083==ERROR: AddressSanitizer failed to allocate 0x8000003000 (549755826176) bytes of LargeMmapAllocator (error code: 12)
==30083==Process memory map follows:
	0x000000400000-0x0000006bb000	/usr/bin/dwarfdump-asan
	0x0000008ba000-0x0000008c2000	/usr/bin/dwarfdump-asan
	0x0000008c2000-0x0000008ff000	/usr/bin/dwarfdump-asan
	0x0000008ff000-0x0000015a3000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x613000000000	
	0x613000000000-0x613000010000	
	0x613000010000-0x614000000000	
	0x614000000000-0x614000020000	
	0x614000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x61c000000000	
	0x61c000000000-0x61c000020000	
	0x61c000020000-0x61d000000000	
	0x61d000000000-0x61d000020000	
	0x61d000020000-0x624000000000	
	0x624000000000-0x624000020000	
	0x624000020000-0x625000000000	
	0x625000000000-0x625000020000	
	0x625000020000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f0afdc00000-0x7f0afdd00000	
	0x7f0afde00000-0x7f0afdf00000	
	0x7f0afdff0000-0x7f0b00342000	
	0x7f0b00342000-0x7f0b004d5000	/lib64/libc-2.22.so
	0x7f0b004d5000-0x7f0b006d5000	/lib64/libc-2.22.so
	0x7f0b006d5000-0x7f0b006d9000	/lib64/libc-2.22.so
	0x7f0b006d9000-0x7f0b006db000	/lib64/libc-2.22.so
	0x7f0b006db000-0x7f0b006df000	
	0x7f0b006df000-0x7f0b006f5000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b006f5000-0x7f0b008f4000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f4000-0x7f0b008f5000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f5000-0x7f0b008f6000	/usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
	0x7f0b008f6000-0x7f0b008f8000	/lib64/libdl-2.22.so
	0x7f0b008f8000-0x7f0b00af8000	/lib64/libdl-2.22.so
	0x7f0b00af8000-0x7f0b00af9000	/lib64/libdl-2.22.so
	0x7f0b00af9000-0x7f0b00afa000	/lib64/libdl-2.22.so
	0x7f0b00afa000-0x7f0b00bf7000	/lib64/libm-2.22.so
	0x7f0b00bf7000-0x7f0b00df6000	/lib64/libm-2.22.so
	0x7f0b00df6000-0x7f0b00df7000	/lib64/libm-2.22.so
	0x7f0b00df7000-0x7f0b00df8000	/lib64/libm-2.22.so
	0x7f0b00df8000-0x7f0b00dfe000	/lib64/librt-2.22.so
	0x7f0b00dfe000-0x7f0b00ffe000	/lib64/librt-2.22.so
	0x7f0b00ffe000-0x7f0b00fff000	/lib64/librt-2.22.so
	0x7f0b00fff000-0x7f0b01000000	/lib64/librt-2.22.so
	0x7f0b01000000-0x7f0b01017000	/lib64/libpthread-2.22.so
	0x7f0b01017000-0x7f0b01216000	/lib64/libpthread-2.22.so
	0x7f0b01216000-0x7f0b01217000	/lib64/libpthread-2.22.so
	0x7f0b01217000-0x7f0b01218000	/lib64/libpthread-2.22.so
	0x7f0b01218000-0x7f0b0121c000	
	0x7f0b0121c000-0x7f0b01231000	/lib64/libz.so.1.2.8
	0x7f0b01231000-0x7f0b01430000	/lib64/libz.so.1.2.8
	0x7f0b01430000-0x7f0b01431000	/lib64/libz.so.1.2.8
	0x7f0b01431000-0x7f0b01432000	/lib64/libz.so.1.2.8
	0x7f0b01432000-0x7f0b01449000	/usr/lib64/libelf-0.166.so
	0x7f0b01449000-0x7f0b01649000	/usr/lib64/libelf-0.166.so
	0x7f0b01649000-0x7f0b0164a000	/usr/lib64/libelf-0.166.so
	0x7f0b0164a000-0x7f0b0164b000	/usr/lib64/libelf-0.166.so
	0x7f0b0164b000-0x7f0b0166d000	/lib64/ld-2.22.so
	0x7f0b017f7000-0x7f0b01860000	
	0x7f0b01860000-0x7f0b0186c000	
	0x7f0b0186c000-0x7f0b0186d000	/lib64/ld-2.22.so
	0x7f0b0186d000-0x7f0b0186e000	/lib64/ld-2.22.so
	0x7f0b0186e000-0x7f0b0186f000	
	0x7ffff2f19000-0x7ffff2f3a000	[stack]
	0x7ffff2f3d000-0x7ffff2f3f000	[vvar]
	0x7ffff2f3f000-0x7ffff2f41000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==30083==End of process memory map.
==30083==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ca3ed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0f23 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d1111 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4da14a in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x4224df in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x4224df in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x4224df in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x4224df in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7f0b0143c206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318
    #10 0x7f0b0143c5db in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:521
    #11 0x580659 in dwarf_elf_object_access_load_section /tmp/dwarf-20161001/libdwarf/dwarf_elf_access.c:1312:16
    #12 0x5b5142 in _dwarf_load_section /tmp/dwarf-20161001/libdwarf/dwarf_init_finish.c:1139:11
    #13 0x6082ae in _dwarf_load_debug_info /tmp/dwarf-20161001/libdwarf/dwarf_util.c:855:11
    #14 0x57043f in _dwarf_next_cu_header_internal /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:819:32
    #15 0x572fcd in dwarf_next_cu_header_d /tmp/dwarf-20161001/libdwarf/dwarf_die_deliv.c:629:15
    #16 0x512f4f in print_one_die_section /tmp/dwarf-20161001/dwarfdump/print_die.c:660:16
    #17 0x512262 in print_infos /tmp/dwarf-20161001/dwarfdump/print_die.c:371:16
    #18 0x4faaea in process_one_file /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:1371:9
    #19 0x4faaea in main /tmp/dwarf-20161001/dwarfdump/dwarfdump.c:654
    #20 0x7f0b0036261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419588 in _start (/usr/bin/dwarfdump-asan+0x419588)

Affected version:
0.166

Fixed version:
N/A

Proposed patch:
https://lists.fedorahosted.org/archives/list/elfutils-devel@lists.fedorahosted.org/thread/Q4LE47FPEVRZANMV6JE2NMHYO4H5MHGJ/

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00031-elfutils-memalloc-__libelf_set_rawdata_wrlock

Timeline:
2016-10-03: bug discovered
2016-10-21: bug reported to upstream
2016-11-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c
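Editor's note with an added example. Frame #9 of the trace above shows malloc() being asked for 0x8000003000 bytes from inside __libelf_set_rawdata_wrlock while libdwarf loads a section. The example below is not elfutils or libdwarf code and does not reproduce the report; it assumes (an assumption drawn from the trace, not stated in the post) that the requested size is taken from a section header the input file controls, and shows the bounds check a defensive ELF reader runs before that size ever reaches the allocator. The functions parse_shdrs, section_in_bounds, load_section and build_sample, and the 272-byte sample image, are all constructed for this illustration; the only value reused from the report is the 0x8000003000 sh_size.

```c
/* Added example (editor's, not elfutils/libdwarf code): why a section-size
 * bounds check has to run before malloc().  Assumes, from frame #9 of the
 * trace above, that the 0x8000003000-byte request is derived from a section
 * header the input file controls.  Minimal ELF64/LSB reader, no <elf.h>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EHDR64_SIZE   64
#define SHDR64_SIZE   64
#define SHT_PROGBITS  1
#define SHT_NOBITS    8

struct shdr { uint32_t type; uint64_t offset, size; };

/* Little-endian field access; n is the field width in bytes (2, 4 or 8). */
static uint64_t rdle(const uint8_t *p, int n) { uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wrle(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the section header table.  Returns e_shnum, or -1 if the ELF header
 * or the table itself does not fit inside the len bytes actually read. */
int parse_shdrs(const uint8_t *buf, size_t len, struct shdr *out, int max)
{
    if (len < EHDR64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return -1;                                   /* not ELFCLASS64 / ELFDATA2LSB */
    uint64_t shoff = rdle(buf + 0x28, 8);
    uint16_t shentsize = (uint16_t)rdle(buf + 0x3a, 2), shnum = (uint16_t)rdle(buf + 0x3c, 2);
    if (shentsize != SHDR64_SIZE || shnum > max)
        return -1;
    if (shoff > len || (uint64_t)shnum * SHDR64_SIZE > len - shoff)   /* no wrap: shoff <= len */
        return -1;
    for (int i = 0; i < shnum; i++) {
        const uint8_t *s = buf + shoff + (size_t)i * SHDR64_SIZE;
        out[i].type   = (uint32_t)rdle(s + 0x04, 4);
        out[i].offset = rdle(s + 0x18, 8);
        out[i].size   = rdle(s + 0x20, 8);
    }
    return shnum;
}

/* The check that keeps a crafted sh_size away from the allocator: SHT_NOBITS
 * occupies no file bytes, everything else must lie entirely inside the file.
 * Two comparisons instead of one so sh_offset + sh_size cannot overflow. */
int section_in_bounds(const struct shdr *sh, size_t len)
{
    if (sh->type == SHT_NOBITS)
        return 1;
    if (sh->offset > len)
        return 0;
    return sh->size <= len - sh->offset;
}

/* Copy a section's bytes out of the image; NULL when empty, NOBITS or out of
 * bounds, so malloc() only ever sees a size the file can actually back. */
void *load_section(const uint8_t *buf, size_t len, const struct shdr *sh)
{
    if (sh->type == SHT_NOBITS || sh->size == 0 || !section_in_bounds(sh, len))
        return NULL;
    void *p = malloc(sh->size);
    if (p)
        memcpy(p, buf + sh->offset, sh->size);
    return p;
}

/* Constructed 272-byte sample: ELF header, three section headers, 16 bytes of
 * payload.  Section 1 is sane; section 2 reuses the same offset but claims
 * bogus_size bytes (main() passes the trace's 0x8000003000). */
enum { SAMPLE_SHNUM = 3, SAMPLE_PAYLOAD_OFF = EHDR64_SIZE + SAMPLE_SHNUM * SHDR64_SIZE,
       SAMPLE_LEN = SAMPLE_PAYLOAD_OFF + 16 };

size_t build_sample(uint8_t *buf, size_t cap, uint64_t bogus_size)
{
    if (cap < (size_t)SAMPLE_LEN)
        return 0;
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;              /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wrle(buf + 0x10, 1, 2);                          /* e_type = ET_REL */
    wrle(buf + 0x12, 62, 2);                         /* e_machine = EM_X86_64 */
    wrle(buf + 0x14, 1, 4);                          /* e_version */
    wrle(buf + 0x28, EHDR64_SIZE, 8);                /* e_shoff: table right after the header */
    wrle(buf + 0x34, EHDR64_SIZE, 2);                /* e_ehsize */
    wrle(buf + 0x3a, SHDR64_SIZE, 2);                /* e_shentsize */
    wrle(buf + 0x3c, SAMPLE_SHNUM, 2);               /* e_shnum; section 0 stays SHT_NULL */
    uint8_t *s1 = buf + EHDR64_SIZE + 1 * SHDR64_SIZE, *s2 = s1 + SHDR64_SIZE;
    wrle(s1 + 0x04, SHT_PROGBITS, 4); wrle(s1 + 0x18, SAMPLE_PAYLOAD_OFF, 8); wrle(s1 + 0x20, 16, 8);
    wrle(s2 + 0x04, SHT_PROGBITS, 4); wrle(s2 + 0x18, SAMPLE_PAYLOAD_OFF, 8); wrle(s2 + 0x20, bogus_size, 8);
    memcpy(buf + SAMPLE_PAYLOAD_OFF, "0123456789abcdef", 16);
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t file[SAMPLE_LEN];
    size_t len = build_sample(file, sizeof file, 0x8000003000ULL);
    struct shdr sh[SAMPLE_SHNUM];
    int n = parse_shdrs(file, len, sh, SAMPLE_SHNUM);
    for (int i = 0; i < n; i++) {
        void *data = load_section(file, len, &sh[i]);
        printf("section %d: sh_offset=%#llx sh_size=%#llx -> %s\n", i,
               (unsigned long long)sh[i].offset, (unsigned long long)sh[i].size,
               data ? "loaded" : "rejected");
        free(data);
    }
    return 0;
}
```

Section 2 is rejected before any allocation happens, while section 1 loads normally. The reason the report ends in a CHECK abort rather than a NULL return is an ASan property: its allocator defaults to allocator_may_return_null=0 and dies when the backing mmap fails, so a fuzzer surfaces these as crashes. A non-instrumented build would usually just see malloc() fail, which is why the bounds check, not the allocator, is the place to stop an attacker-chosen size.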
