Bug ID 1033087
Summary VUL-1: CVE-2017-7610: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Created attachment 720365
CVE-2017-7610_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7610
===================================================
Description

The check_group function in elflint.c in elfutils 0.168 allows remote attackers
to cause a denial of service (heap-based buffer over-read and application
crash) via a crafted ELF file.

Source:  MITRE      Last Modified:  04/09/2017
===================================================

Hyperlink:

[1]
https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c

[1]:
===================================================
elfutils: heap-based buffer overflow in check_group (elflint.c)
Posted on April 3, 2017 by ago    

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in
replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==12804==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efd0 at pc 0x00000041a39f bp 0x7ffee6a331d0 sp 0x7ffee6a331c8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x41a39e in check_group
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664
    #1 0x420787 in check_sections
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4132
    #2 0x42961f in process_elf_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd1 is located 0 bytes to the right of 1-byte region
[0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7ff003f13288 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7ff003b6fb46 in convert_data
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7ff003b6fb46 in __libelf_set_data_list_rdlock
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7ff003b70662 in __elf_getdata_rdlock
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7ff003b70776 in elf_getdata
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x420935 in check_scn_group
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:544
    #6 0x420935 in check_sections
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3940
    #7 0x42961f in process_elf_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #8 0x42961f in process_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #9 0x402d33 in main
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #10 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664 in
check_group
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 04 fa fa fa[01]fa fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12804==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00137.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00247-elfutils-heapoverflow-check_group

Timeline:
2017-03-28: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

===================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-readelf -a 00247-elfutils-heapoverflow-check_group 
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 45 4c 46
  Class:                             ELF32
  Data:                              2's complement, big endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           <unknown>
  Version:                           184549632 (???)
  Entry point address:               0x6004
  Start of program headers:          536870912 (bytes into file)
  Start of section headers:          64 (bytes into file)
  Flags:                             0x38000a
  Size of this header:               64 (bytes)
  Size of program header entries:    37 (bytes)
  Number of program headers entries: 34
  Size of section header entries:    6 (bytes)
  Number of section headers entries: 0 (48 in [0].sh_size)
  Section header string table index: 5

Section Headers:
[Nr] Name                 Type         Addr     Off    Size   ES Flags Lk Inf
Al
[ 0] <corrupt>            <unknown>: 64 00000030 2000000 000030  3      
33554432 62471  0
[ 1] <corrupt>            <unknown>: 112 00000070 2400000 000066 28      
37748736  28  0
[ 2] <corrupt>            PROGBITS     00ffff01 000005 000000  0        0   0
4194304
[ 3] <corrupt>            <unknown>: 68 00000044 7000000 000000 16      
2097152   1  6
[ 4] <corrupt>            PREINIT_ARRAY 00000010 e600000 000030  0      
33554432  56 33614336
[ 5] <corrupt>            SYMTAB       00000028 e000000 000028 208 AX   
241172480  40 241172480
[ 6] <corrupt>            <unknown>: 208 00000008 000000 000004 140      
570425348 140 33554432
[ 7] <corrupt>            <unknown>: 140 00000020 000000 000020 80        0   4
 0
[ 8] <corrupt>            <unknown>: 24 00000018 6400000 000018 52      
104857600  52  0
[ 9] <corrupt>            RELA         00000051 e5746406 000000  0        0   0
4294967286
[10] <corrupt>            NULL         00000000 000000 000010 16        0  82
3849610244
[11] <corrupt>            PREINIT_ARRAY 00000010 e600000 0000f0  1      
16777216 240 16777216
[12] <corrupt>            <unknown>: 128 43000000 000000 00faff 10 NT    2816  
0  0
[13] <corrupt>            NULL         e1000008 000000 00002f 1970810232
WAXMSILNGT 1818845750 875523172 762079598
[14] <corrupt>            <unknown>: 875459439 00000010 f1ffff00 000000  0 X   
  0   0  0
[15] <corrupt>            NULL         06000000 20000000 000000  0      
16908288 393237  0
[16] <corrupt>            SYMTAB_SHNDX 00000000 000000 000004 305787531      
34799616 1310720 11772663
[17] <corrupt>            NULL         00000000 000000 000000  0       10027008
1179648  0
[18] <corrupt>            NULL         00120000 000000 000000 1179648        0 
 0 720896
[19] <corrupt>            NULL         00000000 2f0000 120000 4294770688       
0   0  0
[20] <corrupt>            <unknown>: 1179648 00000000 000000 000000  0      
8388608 1179648  0
[21] <corrupt>            NULL         00120000 000000 000000 1179648      
-2147483648   0 2031616
[22] <corrupt>            NULL         0000007f 000012 000000 158        0   0 
0
[23] <corrupt>            NULL         00000000 000000 000034  0       18   0 
0
[24] <corrupt>            <unknown>: 76 00000000 000000 000000  0 AM     0  23
18
[25] <corrupt>            NULL         00000053 000012 000000 122        0   0 
0
[26] <corrupt>            NULL         00000000 000000 000028  0       18   0 
0
[27] <corrupt>            SYMTAB_SHNDX 00000000 000000 000000  0 AM     0
-50331558  0
[28] <corrupt>            <unknown>: -805158912 00000000 000000 000000  0      
50332928 805519360  0
[29] <corrupt>            NULL         70034000 000000 000000 2013478912 GT    
0   0 50333440
[30] <corrupt>            NULL         00000000 3000800 98034000 1701667696    
  111 1667331177 1869480045
[31] <corrupt>            SHT_LOOS+c6c6f63 61726700 73746465 72720067
1819243363 XMSI  1702129520 1952410735 1852244067
[32] <corrupt>            SHT_LOOS+e006670 66005f5f 6c696284 5f737461 6250343
XMSIGTO 1920229229 1634299392 1718773093
[33] <corrupt>            NULL         00000300 400d002 40000000 768        0  
0  0
[34] <corrupt>            <unknown>: 1073741824 00000000 000000 000300  0      
100691971 1073741824  0
[35] <corrupt>            <unknown>: 768 40000000 000000 000000 1073741824 WA  
  0 768 134256643
[36] <corrupt>            NULL         01000000 6000000 100e0000 269380608     
  0 269377536  0
[37] <corrupt>            <unknown>: 805502720 380200ea ffff00 002040 672006144
      14811135 -65536 100663296
[38] <corrupt>            <unknown>: 672030720 280e6000 000000 d0000000
100663296        0 -132161536  0
[39] <corrupt>            NULL         c0206000 000000 5000000 3760218112      
318767104   0  0
[40] <corrupt>            <unknown>: 83886080 00000000 000000 3000964  0      
212992   0  0
[41] <corrupt>            <unknown>: 50334208 00000000 000000 000000  0 OE    
0 50334464 536870912
[42] <corrupt>            NULL         000000ee 000000 000000  0       238   0
196634
[43] <corrupt>            <unknown>: 452984832 00000000 000000 000000  0      
768 469762048  0
[44] <corrupt>            NULL         1d000000 000000 000000 503316480 NG    
0   0 768
[45] <corrupt>            NULL         00000000 000300 1f000000  0        0   0
 0
[46] <corrupt>            <unknown>: 536870912 00000000 000000 0400f1  0      
-16777216   0  0
[47] <corrupt>            GROUP        00000000 000041 000001  0 SIGT  1441792
25600  0

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???
  ???

Invalid symbol table at offset 0xe5746406
===================================================
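As an added illustration (my own sketch, not elfutils code and not from the Gentoo post): the ASan report above shows a READ of size 4 in check_group from a 1-byte heap region handed back by elf_getdata, and the eu-readelf dump shows section [47] is a GROUP section whose size is 000001. SHT_GROUP data is defined as an array of Elf32_Word (a flag word followed by member section indices), so a checker must confirm the buffer is at least one word long and word-sized before dereferencing it. The function names (parse_group_section, read_word), the status codes and the sample buffers below are constructed for this example; the index checks are a generic sanity rule, not necessarily elflint's exact ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* GRP_COMDAT from the ELF gABI: the only defined flag in the first word. */
#define GRP_COMDAT_FLAG 0x1u

/* Hypothetical status codes for this example. */
enum group_status {
    GROUP_OK            =  0,
    GROUP_TOO_SMALL     = -1,  /* fewer than 4 bytes: no complete flag word */
    GROUP_BAD_ALIGNMENT = -2,  /* size is not a multiple of sizeof(Elf32_Word) */
    GROUP_BAD_INDEX     = -3   /* a member index is 0 or >= number of sections */
};

/* Read one Elf32_Word honouring the file's data encoding (the PoC is
 * big-endian ELF32, so byte order matters for the flag value). */
static uint32_t read_word(const unsigned char *p, int big_endian)
{
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

/* Validate SHT_GROUP section data (d_buf/d_size) before interpreting it.
 * shnum is the number of section headers, used to bound member indices.
 * On GROUP_OK, *flags_out and *nmembers_out are filled in. */
int parse_group_section(const unsigned char *data, size_t size, int big_endian,
                        uint32_t shnum, uint32_t *flags_out, size_t *nmembers_out)
{
    /* The 1-byte section from the PoC stops here instead of over-reading. */
    if (size < sizeof(uint32_t))
        return GROUP_TOO_SMALL;
    if (size % sizeof(uint32_t) != 0)
        return GROUP_BAD_ALIGNMENT;

    size_t nwords = size / sizeof(uint32_t);
    for (size_t i = 1; i < nwords; i++) {
        uint32_t idx = read_word(data + i * sizeof(uint32_t), big_endian);
        if (idx == 0 || idx >= shnum)
            return GROUP_BAD_INDEX;
    }
    *flags_out = read_word(data, big_endian);
    *nmembers_out = nwords - 1;
    return GROUP_OK;
}

/* Constructed sample buffers (big-endian words), not taken from the PoC file. */
const unsigned char one_byte_group[1]  = { 0x01 };                  /* like section [47] */
const unsigned char good_group[12]     = { 0,0,0,1, 0,0,0,2, 0,0,0,5 }; /* COMDAT, members 2 and 5 */
const unsigned char bad_index_group[8] = { 0,0,0,1, 0,0,0,99 };     /* member 99 of 48 sections */

int main(void)
{
    uint32_t flags; size_t n;
    int rc = parse_group_section(one_byte_group, sizeof one_byte_group, 1, 48, &flags, &n);
    printf("1-byte group section: status %d\n", rc);
    rc = parse_group_section(good_group, sizeof good_group, 1, 48, &flags, &n);
    printf("well-formed group: status %d, flags 0x%x, %zu members\n", rc, flags, n);
    return 0;
}
```

The point of the check is that elf_getdata returns a buffer exactly sh_size bytes long; any code that then reads a whole Elf32_Word has to verify sh_size first, which is what the 1-byte case exercises.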

