Bug ID: 1033088
Summary: VUL-1: CVE-2017-7611: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 720366: CVE-2017-7611_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7611
===================================================
Description

The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted ELF file.

Source: MITRE. Last Modified: 04/09/2017
===================================================

Hyperlink:

[1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c

[1]:
===================================================
elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in
replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==14342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x0000004267ec bp 0x7ffdf36a7ad0 sp 0x7ffdf36a7ac8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x4267eb in check_symtab_shndx /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961
    #1 0x4267eb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4114
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6260633288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f626028fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f626028fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f6260290662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f6260290776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x7f62602bc035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72
    #6 0x7f62602bc55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52
    #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911
    #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #11 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961 in check_symtab_shndx
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14342==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00129.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00234-elfutils-heapoverflow-check_symtab_shndx

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

===================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)


Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-elflint -d 00234-elfutils-heapoverflow-check_symtab_shndx
e_ident[13] is not zero
e_ident[14] is not zero
e_ident[15] is not zero
unknown machine type 0
unknown object file version
invalid machine flags: 0x38000a
invalid ELF header size: 64
invalid program header size: 37
invalid section header size: 6
only executables, shared objects, and core files can have program headers
cannot get program header entry 0: invalid data
cannot get program header entry 1: invalid data
cannot get program header entry 2: invalid data
cannot get program header entry 3: invalid data
cannot get program header entry 4: invalid data
cannot get program header entry 5: invalid data
cannot get program header entry 6: invalid data
cannot get program header entry 7: invalid data
cannot get program header entry 8: invalid data
cannot get program header entry 9: invalid data
cannot get program header entry 10: invalid data
cannot get program header entry 11: invalid data
cannot get program header entry 12: invalid data
cannot get program header entry 13: invalid data
cannot get program header entry 14: invalid data
cannot get program header entry 15: invalid data
cannot get program header entry 16: invalid data
cannot get program header entry 17: invalid data
cannot get program header entry 18: invalid data
cannot get program header entry 19: invalid data
cannot get program header entry 20: invalid data
cannot get program header entry 21: invalid data
cannot get program header entry 22: invalid data
cannot get program header entry 23: invalid data
cannot get program header entry 24: invalid data
cannot get program header entry 25: invalid data
cannot get program header entry 26: invalid data
cannot get program header entry 27: invalid data
cannot get program header entry 28: invalid data
cannot get program header entry 29: invalid data
cannot get program header entry 30: invalid data
cannot get program header entry 31: invalid data
cannot get program header entry 32: invalid data
cannot get program header entry 33: invalid data
zeroth section has nonzero name
zeroth section has nonzero type
zeroth section has nonzero flags
zeroth section has nonzero address
zeroth section has nonzero offset
zeroth section has nonzero entry size value
zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx
zeroth section has nonzero link value while ELF header does not signal overflow in phnum
section [ 1]: invalid name
section [ 1] '<invalid>': size not multiple of entry size
cannot get section header
section [ 1] '<invalid>' has unsupported type 112
section [ 1] '<invalid>' contains unknown flag(s) 0x2000000
section [ 1] '<invalid>': invalid section reference in link value
section [ 2]: invalid name
cannot get section header
section [ 3]: invalid name
cannot get section header
section [ 3] '<invalid>' has unsupported type 68
section [ 3] '<invalid>' contains unknown flag(s) 0x7000000
section [ 3] '<invalid>': invalid section reference in link value
section [ 4]: invalid name
section [ 4] '<invalid>': size not multiple of entry size
cannot get section header
section [ 4] '<invalid>' has unsupported type -960051514
section [ 4] '<invalid>' contains invalid processor-specific flag(s) 0xc0000000
section [ 4] '<invalid>' contains unknown flag(s) 0x6c6c000
section [ 4] '<invalid>': invalid section reference in link value
section [ 4] '<invalid>': invalid section reference in info value
section [ 4] '<invalid>': section with SHF_GROUP flag set not part of a section group
section [ 4] '<invalid>' has unexpected type -960051514 for an executable section
section [ 5]: invalid name
section [ 5] '<invalid>': size not multiple of entry size
cannot get section header
section [ 5] '<invalid>' has unsupported type 33554432
section [ 5] '<invalid>': ELF header says this is the section header string table but type is not SHT_TYPE
section [ 6]: invalid name
section [ 6] '<invalid>': size not multiple of entry size
cannot get section header
section [ 6] '<invalid>' has unsupported type 509607936
section [ 6] '<invalid>': invalid section reference in link value
section [ 6] '<invalid>': invalid section reference in info value
section [ 7]: invalid name
section [ 7] '<invalid>': size not multiple of entry size
cannot get section header
section [ 7] '<invalid>': invalid section reference in link value
section [ 8]: invalid name
cannot get section header
section [ 8] '<invalid>' has unsupported type 289669120
section [ 8] '<invalid>': invalid section reference in link value
section [ 9]: invalid name
cannot get section header
section [ 9] '<invalid>' has unsupported type -445357050
section [ 9] '<invalid>': invalid section reference in link value
section [10]: invalid name
cannot get section header
section [10] '<invalid>' has unsupported type 4096
section [11]: invalid name
section [11] '<invalid>': size not multiple of entry size
cannot get section header
section [11] '<invalid>' has unsupported type 61441
section [11] '<invalid>' contains unknown flag(s) 0x8000000
section [12]: invalid name
section [12] '<invalid>': size not multiple of entry size
cannot get section header
section [12] '<invalid>': invalid section reference in link value
section [12] '<invalid>': nonzero sh_size for NULL section
section [12] '<invalid>': nonzero sh_link for NULL section
section [12] '<invalid>': nonzero sh_addralign for NULL section
section [12] '<invalid>': nonzero sh_entsize for NULL section
section [13]: invalid name
section [13] '<invalid>': size not multiple of entry size
cannot get section header
section [13] '<invalid>' has unsupported type 12140
section [13] '<invalid>' contains invalid processor-specific flag(s) 0x60000000
section [13] '<invalid>' contains unknown flag(s) 0x9623000
section [13] '<invalid>': invalid section reference in link value
section [13] '<invalid>': section with SHF_GROUP flag set not part of a section group
section [13] '<invalid>' has unexpected type 12140 for an executable section
section [14]: invalid name
cannot get section header
section [14] '<invalid>' has unsupported type 18254
section [14] '<invalid>' contains invalid processor-specific flag(s) 0x50000000
section [14] '<invalid>' contains unknown flag(s) 0x5000000
section [15]: invalid name
cannot get section header
section [15] '<invalid>': invalid section reference in link value
section [15] '<invalid>': relocatable files cannot have hash tables
section [16]: invalid name
cannot get section header
section [16] '<invalid>': nonzero sh_offset for NULL section
section [16] '<invalid>': nonzero sh_size for NULL section
section [17]: invalid name
cannot get section header
section [17] '<invalid>': extended section index section not for symbol table
cannot get data for symbol section
section [17] '<invalid>': entry size does not match Elf32_Word
section [17] '<invalid>': extended index table too small for symbol table
Ошибка сегментирования (core dumped)
===================================================
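The ASan trace above records a 4-byte read from a 2-byte heap region in check_symtab_shndx, and the 0.158 run reports "entry size does not match Elf32_Word" and "extended index table too small for symbol table" for that same section instead of crashing. The C program below is an added illustration of the size check a consumer of an SHT_SYMTAB_SHNDX section needs before indexing it (one Elf32_Word per symbol of the linked symbol table), followed by a bounds-checked element read; it is not code from elfutils or from the linked fix, and the function names, the little-endian decoding and the 24-byte Elf64_Sym sample are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t Elf32_Word;   /* an SHT_SYMTAB_SHNDX section holds one per symbol */

/* Outcomes named after the eu-elflint 0.158 diagnostics quoted above. */
enum shndx_check {
    SHNDX_OK = 0,
    SHNDX_BAD_ENTSIZE,   /* "entry size does not match Elf32_Word" */
    SHNDX_TOO_SMALL,     /* "extended index table too small for symbol table" */
    SHNDX_OUT_OF_RANGE   /* requested index lies past the end of the data */
};
/* Size check done before any element of the table is touched: the table must
   hold one word for each symbol of the linked symbol table (sh_link). */
enum shndx_check check_shndx_table(size_t shndx_size, size_t shndx_entsize,
                                   size_t symtab_size, size_t symtab_entsize)
{
    if (shndx_entsize != sizeof(Elf32_Word))
        return SHNDX_BAD_ENTSIZE;
    size_t nsyms = symtab_entsize ? symtab_size / symtab_entsize : 0;
    if (shndx_size / sizeof(Elf32_Word) < nsyms)
        return SHNDX_TOO_SMALL;
    return SHNDX_OK;
}

/* Bounds-checked read of the extended index for symbol idx; the division keeps
   idx * 4 from wrapping. Little-endian (ELFDATA2LSB) decoding is assumed here. */
enum shndx_check read_shndx(const unsigned char *data, size_t size,
                            size_t idx, Elf32_Word *out)
{
    if (idx >= size / sizeof(Elf32_Word))
        return SHNDX_OUT_OF_RANGE;
    const unsigned char *p = data + idx * sizeof(Elf32_Word);
    *out = (Elf32_Word)p[0] | (Elf32_Word)p[1] << 8
         | (Elf32_Word)p[2] << 16 | (Elf32_Word)p[3] << 24;
    return SHNDX_OK;
}

int main(void)
{
    /* Constructed input mirroring the ASan report: a 2-byte extended index
       region, while the linked symbol table (one 24-byte Elf64_Sym) needs 4. */
    unsigned char tiny[2] = { 0x00, 0x00 };
    Elf32_Word v = 0;
    printf("size check: %d\n", (int) check_shndx_table(sizeof tiny, 4, 24, 24));
    printf("read:       %d\n", (int) read_shndx(tiny, sizeof tiny, 0, &v));
    return 0;
}
```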