http://bugzilla.opensuse.org/show_bug.cgi?id=1033088 Bug ID: 1033088 Summary: VUL-1: CVE-2017-7611: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 720366 --> http://bugzilla.opensuse.org/attachment.cgi?id=720366&action=edit CVE-2017-7611_Reproducer Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7611 =================================================== Description The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Source: MITRE Last Modified: 04/09/2017 =================================================== Hyperlink: [1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-... [1]: =================================================== elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c) Posted on April 3, 2017 by ago Description: elfutils is a set of libraries/utilities to handle ELF objects (drop in replacement for libelf). A fuzz on eu-elflint showed an heap overflow. The complete ASan output: # eu-elflint -d $FILE ==14342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x0000004267ec bp 0x7ffdf36a7ad0 sp 0x7ffdf36a7ac8 READ of size 4 at 0x60200000efd0 thread T0 #0 0x4267eb in check_symtab_shndx /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961 #1 0x4267eb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4114 #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697 #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242 #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175 #5 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f) #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498) 0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2) allocated by thread T0 here: #0 0x7f6260633288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288) #1 0x7f626028fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166 #2 0x7f626028fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434 #3 0x7f6260290662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541 #4 0x7f6260290776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559 #5 0x7f62602bc035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72 #6 0x7f62602bc55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52 #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911 #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697 #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242 #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175 #11 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f) SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961 in check_symtab_shndx Shadow bytes around the buggy address: 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 00 01 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==14342==ABORTING Affected version: 0.168 Fixed version: 0.169 (not released atm) Commit fix: https://sourceware.org/ml/elfutils-devel/2017-q1/msg00129.html Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00234-elfutils-heapoverflow-chec... Timeline: 2017-03-27: bug discovered and reported to upstream 2017-04-04: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c) =================================================== (open-)SUSE: https://software.opensuse.org/package/elfutils 0.168 (TW, official repo) 0.158 (42.{1,2}, official repo) Test-case on 42.2 (version 0.158): =================================================== k_mikhail@linux-mk500:~> eu-elflint -d 00234-elfutils-heapoverflow-check_symtab_shndx e_ident[13] is not zero e_ident[14] is not zero e_ident[15] is not zero unknown machine type 0 unknown object file version invalid machine flags: 0x38000a invalid ELF header size: 64 invalid program header size: 37 invalid section header size: 6 only executables, shared objects, and core files can have program headers cannot get program header entry 0: invalid data cannot get program header entry 1: invalid data cannot get program header entry 2: invalid data cannot get program header entry 3: invalid data cannot get program header entry 4: invalid data cannot get program header entry 5: invalid data cannot get program header entry 6: invalid data cannot get program header entry 7: invalid data cannot get program header entry 8: invalid data cannot get program header entry 9: invalid data cannot get program header entry 10: invalid data cannot get program header entry 11: invalid data cannot get program header entry 12: invalid data cannot get program header entry 13: invalid data cannot get program header entry 14: invalid data cannot get program header entry 15: invalid data cannot get program header entry 16: invalid data cannot get program header entry 17: invalid data cannot get program header entry 18: invalid data cannot get program header entry 19: invalid data cannot get program header entry 20: invalid data cannot get program header entry 21: invalid data cannot get program header entry 22: invalid data cannot get program header entry 23: invalid data cannot get program header entry 24: invalid data cannot get program header entry 25: invalid data cannot get program header entry 26: invalid data cannot get program header entry 27: invalid data cannot get program header entry 28: invalid data cannot get program header entry 29: invalid data cannot get program header entry 30: invalid data cannot get program header entry 31: invalid data cannot get program header entry 32: invalid data cannot get program header entry 33: invalid data zeroth section has nonzero name zeroth section has nonzero type zeroth section has nonzero flags zeroth section has nonzero address zeroth section has nonzero offset zeroth section has nonzero entry size value zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx zeroth section has nonzero link value while ELF header does not signal overflow in phnum section [ 1]: invalid name section [ 1] '<invalid>': size not multiple of entry size cannot get section header section [ 1] '<invalid>' has unsupported type 112 section [ 1] '<invalid>' contains unknown flag(s) 0x2000000 section [ 1] '<invalid>': invalid section reference in link value section [ 2]: invalid name cannot get section header section [ 3]: invalid name cannot get section header section [ 3] '<invalid>' has unsupported type 68 section [ 3] '<invalid>' contains unknown flag(s) 0x7000000 section [ 3] '<invalid>': invalid section reference in link value section [ 4]: invalid name section [ 4] '<invalid>': size not multiple of entry size cannot get section header section [ 4] '<invalid>' has unsupported type -960051514 section [ 4] '<invalid>' contains invalid processor-specific flag(s) 0xc0000000 section [ 4] '<invalid>' contains unknown flag(s) 0x6c6c000 section [ 4] '<invalid>': invalid section reference in link value section [ 4] '<invalid>': invalid section reference in info value section [ 4] '<invalid>': section with SHF_GROUP flag set not part of a section group section [ 4] '<invalid>' has unexpected type -960051514 for an executable section section [ 5]: invalid name section [ 5] '<invalid>': size not multiple of entry size cannot get section header section [ 5] '<invalid>' has unsupported type 33554432 section [ 5] '<invalid>': ELF header says this is the section header string table but type is not SHT_TYPE section [ 6]: invalid name section [ 6] '<invalid>': size not multiple of entry size cannot get section header section [ 6] '<invalid>' has unsupported type 509607936 section [ 6] '<invalid>': invalid section reference in link value section [ 6] '<invalid>': invalid section reference in info value section [ 7]: invalid name section [ 7] '<invalid>': size not multiple of entry size cannot get section header section [ 7] '<invalid>': invalid section reference in link value section [ 8]: invalid name cannot get section header section [ 8] '<invalid>' has unsupported type 289669120 section [ 8] '<invalid>': invalid section reference in link value section [ 9]: invalid name cannot get section header section [ 9] '<invalid>' has unsupported type -445357050 section [ 9] '<invalid>': invalid section reference in link value section [10]: invalid name cannot get section header section [10] '<invalid>' has unsupported type 4096 section [11]: invalid name section [11] '<invalid>': size not multiple of entry size cannot get section header section [11] '<invalid>' has unsupported type 61441 section [11] '<invalid>' contains unknown flag(s) 0x8000000 section [12]: invalid name section [12] '<invalid>': size not multiple of entry size cannot get section header section [12] '<invalid>': invalid section reference in link value section [12] '<invalid>': nonzero sh_size for NULL section section [12] '<invalid>': nonzero sh_link for NULL section section [12] '<invalid>': nonzero sh_addralign for NULL section section [12] '<invalid>': nonzero sh_entsize for NULL section section [13]: invalid name section [13] '<invalid>': size not multiple of entry size cannot get section header section [13] '<invalid>' has unsupported type 12140 section [13] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [13] '<invalid>' contains unknown flag(s) 0x9623000 section [13] '<invalid>': invalid section reference in link value section [13] '<invalid>': section with SHF_GROUP flag set not part of a section group section [13] '<invalid>' has unexpected type 12140 for an executable section section [14]: invalid name cannot get section header section [14] '<invalid>' has unsupported type 18254 section [14] '<invalid>' contains invalid processor-specific flag(s) 0x50000000 section [14] '<invalid>' contains unknown flag(s) 0x5000000 section [15]: invalid name cannot get section header section [15] '<invalid>': invalid section reference in link value section [15] '<invalid>': relocatable files cannot have hash tables section [16]: invalid name cannot get section header section [16] '<invalid>': nonzero sh_offset for NULL section section [16] '<invalid>': nonzero sh_size for NULL section section [17]: invalid name cannot get section header section [17] '<invalid>': extended section index section not for symbol table cannot get data for symbol section section [17] '<invalid>': entry size does not match Elf32_Word section [17] '<invalid>': extended index table too small for symbol table Ошибка сегментирования (core dumped) =================================================== -- You are receiving this mail because: You are on the CC list for the bug.