Bug ID | 1033086 |
---|---|
Summary | VUL-1: CVE-2017-7609: denial of service (memory consumption) via a crafted ELF file |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mikhail.kasimov@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Created attachment 720364 [details] CVE-2017-7609_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7609
====================================================
Description
elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
Source: MITRE
Last Modified: 04/09/2017
====================================================
Hyperlink: [1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c

[1]:
====================================================
elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).
A fuzz on eu-readelf showed a memory allocation failure. Will follow a feedback from upstream:

That is slightly tricky. We do have to trust the input data to give us the expected output size. We won't know if that was correct till we decompressed the input. We do actually double check the given output size was correct at the end of the decompression. But we could catch some really bogus sizes before trying to allocate a giant amount of memory and decompressing stuff for nothing (like in this case).

The complete ASan output:

```
# eu-readelf -a $FILE
==1927==WARNING: AddressSanitizer failed to allocate 0x280065041580 bytes
==1927==AddressSanitizer's allocator is terminating the process instead of returning 0
==1927==If you don't like this behavior set allocator_may_return_null=1
==1927==AddressSanitizer CHECK failed: /tmp/portage/sys-devel/gcc-6.3.0/work/gcc-6.3.0/libsanitizer/sanitizer_common/sanitizer_allocator.cc:145 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f85fc3a741d (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcb41d)
    #1 0x7f85fc3ad063 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd1063)
    #2 0x7f85fc3ab226 (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcf226)
    #3 0x7f85fc3016a4 (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x256a4)
    #4 0x7f85fc39e265 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2265)
    #5 0x7f85fb88dd1e in __libelf_decompress /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:214
    #6 0x7f85fb88e359 in __libelf_decompress_elf /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:288
    #7 0x7f85fb89132e in elf_compress /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:479
    #8 0x41f933 in handle_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3327
    #9 0x4680f7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:898
    #10 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #11 0x7f85fbe3a094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #12 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #13 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #14 0x7f85fa45878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)
```

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00114.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00227-elfutils-memallocfailure

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink: elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)
====================================================
(open-)SUSE: https://software.opensuse.org/package/elfutils
0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
```
k_mikhail@linux-mk500:~> eu-readelf -a 00227-elfutils-memallocfailure
ELF Header:
  Magic:  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           x86_64
  Version:                           1 (current)
  Entry point address:               0x401260
  Start of program headers:          0 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:
  Size of this header:               227 (bytes)
  Size of program header entries:    0 (bytes)
  Number of program headers entries: 0
  Size of section header entries:    0 (bytes)
  Number of section headers entries: 27
  Section header string table index: XINDEX (0 in [0].sh_link)

Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
[ 0] <corrupt> <unknown>: 65794 00000001003e0002 00401260 00000000 -281359012593664 0 0 974957576192
[ 1] <corrupt> HASH 0000000000400041 00000800 00000230 17179869187 I 560 0 274877906952
[ 2] <corrupt> NULL 0000000000400270 0000001c 0000001c 0 MSIG 1 0 5497558139136
[ 3] <corrupt> NULL 00000000001a4400 001a4400 20000000 1612578816 O 256 1536 1966080
[ 4] <corrupt> NULL 0000000000033800 20000000 60000000200 1612584960 1972224 0 1612584960
[ 5] <corrupt> NULL 0000000000000800 40000000400 00028c00 128 1073908736 0 9663843328
[ 6] <corrupt> NULL 0000046474e55000 0018c800 4018c800 25600 T 1075365888 0 460621590153920512
[ 7] <corrupt> NULL 0000d00000000000 ff00000000000000 0000007f 4096 NGTOE 0 0 10747904
[ 8] <corrupt> <unknown>: 1124 00000000791e0000 601e0000 00020000 11259432928641024 1769472 0 256
[ 9] <corrupt> NULL 0000000000000000 00000000 00000000 2304 2048 0 216172782113795840
[10] <corrupt> NULL 0000000000000000 00000000 212000000aa0000 137438953472 E 0 0 0
[11] <corrupt> NULL 00000012000000df 00000000 00000000 0 2046820352 301989888 70454979071232
[12] <corrupt> <unknown>: 4608 0000000000000090 00000000 12000001020000 9007199259787264 E 0 0 0
[13] <corrupt> NULL 00002c0000000000 e70000000000 00080800 0 8388608 1179648 275064553482
[14] <corrupt> <unknown>: 1114117 0000000000080000 11000000b40000 6020f80018 6299856 ME 270336 0 4503599648407552
[15] <corrupt> NULL 0000000000000000 1480000000000 6020d00018001000 6926879274926346240 AMSIE 0 0 373833953443840
[16] <corrupt> <unknown>: 65794 00000001003e0002 00401260 00000000 -281359012593664 0 0 0
[17] <corrupt> HASH 0000000000400041 00000800 00000230 17179869187 I 560 0 137438953480
[18] <corrupt> NULL 0000000000400270 0000001c 0000001c 1369094286720630784 MSIG 1 0 5497558139136
[19] <corrupt> NULL 00000000001a4400 001a4400 20000000 1612578816 O 256 1536 1966080
[20] <corrupt> NULL 0000000000033800 20000000 60000000200 0 1972224 0 70456256108544
[21] <corrupt> <unknown>: 4608 0000000000000090 00000000 12000001020000 9007199259787264 E 0 0 0
[22] <corrupt> NULL 00002c0000000000 e70000000000 00080800 0 8388608 1179648 275064553482
[23] <corrupt> <unknown>: 1114117 0000000000080000 11000000b40000 6020f80018 6299856 ME 270336 0 4503599648407552
[24] <corrupt> NULL 0000000000000000 1480000000000 6020d00018001000 6926879274926346240 AMSIE 0 0 373833953443840
[25] <corrupt> <unknown>: 65794 00000001003e0002 00401260 00000000 -281359012593664 0 0 0
[26] <corrupt> HASH 0000000000400041 00000800 00000230 17179869187 INOE 560 0 274877906952
eu-readelf: invalid sh_link value in section 1
eu-readelf: invalid sh_link value in section 17
eu-readelf: invalid sh_link value in section 26
```
===================================================
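The pre-allocation sanity check that upstream's feedback describes (rejecting an obviously bogus claimed output size before allocating for it), written here as an added example; it is not elfutils' code or the reporter's. It assumes a little-endian host like the x86_64 box in the report, relies on zlib's documented worst-case expansion of about 1032 output bytes per input byte, and the function names are mine.

```c
/* Added example, not elfutils' own code: reject a compressed ELF section whose
   claimed decompressed size (Elf64_Chdr.ch_size) cannot have been produced by
   zlib from the bytes actually present, before anything is allocated.
   Assumes a little-endian host, as in the x86_64 report above. */
#include <stdint.h>
#include <string.h>

#define ELFCOMPRESS_ZLIB 1
/* zlib's documented worst case: one input byte inflates to at most about
   1032 output bytes (http://www.zlib.net/zlib_tech.html). */
#define ZLIB_MAX_RATIO 1032

typedef struct {            /* Elf64_Chdr layout */
  uint32_t ch_type;
  uint32_t ch_reserved;
  uint64_t ch_size;         /* claimed output size, taken straight from the file */
  uint64_t ch_addralign;
} chdr64;

/* Returns 1 when ch_size is plausible and stores it in *out; 0 when the
   header must be rejected without allocating anything. */
int chdr_size_plausible(const unsigned char *sec, size_t sec_len, uint64_t *out)
{
  chdr64 ch;
  if (sec_len < sizeof ch) return 0;          /* no room for a header at all */
  memcpy(&ch, sec, sizeof ch);
  if (ch.ch_type != ELFCOMPRESS_ZLIB) return 0;
  size_t payload = sec_len - sizeof ch;       /* compressed bytes present */
  /* Divide first so the comparison cannot overflow: a genuine zlib stream of
     `payload` bytes can never expand beyond payload * 1032. */
  if (ch.ch_size / ZLIB_MAX_RATIO > payload) return 0;
  *out = ch.ch_size;
  return 1;
}

/* Constructed section image: a Chdr followed by `payload` filler bytes. */
size_t build_section(unsigned char *buf, uint64_t claimed, size_t payload)
{
  chdr64 ch = { ELFCOMPRESS_ZLIB, 0, claimed, 1 };
  memcpy(buf, &ch, sizeof ch);
  memset(buf + sizeof ch, 0, payload);
  return sizeof ch + payload;
}

/* 0x280065041580 is the size ASan refused to allocate in the report: a 32-byte
   payload claiming that much output is rejected, a 4096-byte claim is accepted. */
int sample_is_plausible(int bogus)
{
  unsigned char buf[64];
  uint64_t n;
  size_t len = build_section(buf, bogus ? 0x280065041580ULL : 4096, 32);
  return chdr_size_plausible(buf, len, &n);
}
```

The check is only a cheap pre-filter; the real output size is still confirmed when inflation finishes, exactly as upstream's feedback says.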