Bug ID 1033086
Summary VUL-1: CVE-2017-7609: denial of service (memory consumption) via a crafted ELF file
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Created attachment 720364 [details]
CVE-2017-7609_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7609
====================================================
Description

elf_compress.c in elfutils 0.168 does not validate the zlib compression factor,
which allows remote attackers to cause a denial of service (memory consumption)
via a crafted ELF file.

Source:  MITRE      Last Modified:  04/09/2017
====================================================

Hyperlink:

[1]
https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c

[1]:
====================================================
elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)
Posted on April 3, 2017 by ago    

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop in
replacement for libelf).

A fuzz on eu-readelf showed a memory allocation failure. Feedback from upstream
follows:

    That is slightly tricky. We do have to trust the input data to give us the
    expected output size. We won't know if that was correct till we decompressed
    the input. We do actually double check the given output size was correct at the
    end of the decompression. But we could catch some really bogus sizes before
    trying to allocate a giant amount of memory and decompressing stuff for nothing
    (like in this case).

The complete ASan output:

# eu-readelf -a $FILE
==1927==WARNING: AddressSanitizer failed to allocate 0x280065041580 bytes
==1927==AddressSanitizer's allocator is terminating the process instead of
returning 0
==1927==If you don't like this behavior set allocator_may_return_null=1
==1927==AddressSanitizer CHECK failed:
/tmp/portage/sys-devel/gcc-6.3.0/work/gcc-6.3.0/libsanitizer/sanitizer_common/sanitizer_allocator.cc:145
"((0)) != (0)" (0x0, 0x0)
    #0 0x7f85fc3a741d 
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcb41d)
    #1 0x7f85fc3ad063 in __sanitizer::CheckFailed(char const*, int, char
const*, unsigned long long, unsigned long long)
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd1063)
    #2 0x7f85fc3ab226 
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcf226)
    #3 0x7f85fc3016a4 
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x256a4)
    #4 0x7f85fc39e265 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2265)
    #5 0x7f85fb88dd1e in __libelf_decompress
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:214
    #6 0x7f85fb88e359 in __libelf_decompress_elf
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:288
    #7 0x7f85fb89132e in elf_compress
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:479
    #8 0x41f933 in handle_hash
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3327
    #9 0x4680f7 in process_elf_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:898
    #10 0x47ae65 in process_dwflmod
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #11 0x7f85fbe3a094 in dwfl_getmodules
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #12 0x4365f2 in process_file
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #13 0x405e50 in main
/tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #14 0x7f85fa45878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00114.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00227-elfutils-memallocfailure

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

    elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)
====================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-readelf -a 00227-elfutils-memallocfailure 
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           x86_64
  Version:                           1 (current)
  Entry point address:               0x401260
  Start of program headers:          0 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             
  Size of this header:               227 (bytes)
  Size of program header entries:    0 (bytes)
  Number of program headers entries: 0
  Size of section header entries:    0 (bytes)
  Number of section headers entries: 27
  Section header string table index: XINDEX (0 in [0].sh_link)

Section Headers:
[Nr] Name                 Type         Addr             Off      Size     ES
Flags Lk Inf Al
[ 0] <corrupt>            <unknown>: 65794 00000001003e0002 00401260 00000000
-281359012593664        0   0 974957576192
[ 1] <corrupt>            HASH         0000000000400041 00000800 00000230
17179869187 I     560   0 274877906952
[ 2] <corrupt>            NULL         0000000000400270 0000001c 0000001c  0
MSIG   1   0 5497558139136
[ 3] <corrupt>            NULL         00000000001a4400 001a4400 20000000
1612578816 O     256 1536 1966080
[ 4] <corrupt>            NULL         0000000000033800 20000000 60000000200
1612584960       1972224   0 1612584960
[ 5] <corrupt>            NULL         0000000000000800 40000000400 00028c00
128       1073908736   0 9663843328
[ 6] <corrupt>            NULL         0000046474e55000 0018c800 4018c800 25600
T     1075365888   0 460621590153920512
[ 7] <corrupt>            NULL         0000d00000000000 ff00000000000000
0000007f 4096 NGTOE  0   0 10747904
[ 8] <corrupt>            <unknown>: 1124 00000000791e0000 601e0000 00020000
11259432928641024       1769472   0 256
[ 9] <corrupt>            NULL         0000000000000000 00000000 00000000 2304 
     2048   0 216172782113795840
[10] <corrupt>            NULL         0000000000000000 00000000
212000000aa0000 137438953472 E      0   0  0
[11] <corrupt>            NULL         00000012000000df 00000000 00000000  0   
   2046820352 301989888 70454979071232
[12] <corrupt>            <unknown>: 4608 0000000000000090 00000000
12000001020000 9007199259787264 E      0   0  0
[13] <corrupt>            NULL         00002c0000000000 e70000000000 00080800 
0       8388608 1179648 275064553482
[14] <corrupt>            <unknown>: 1114117 0000000000080000 11000000b40000
6020f80018 6299856 ME    270336   0 4503599648407552
[15] <corrupt>            NULL         0000000000000000 1480000000000
6020d00018001000 6926879274926346240 AMSIE  0   0 373833953443840
[16] <corrupt>            <unknown>: 65794 00000001003e0002 00401260 00000000
-281359012593664        0   0  0
[17] <corrupt>            HASH         0000000000400041 00000800 00000230
17179869187 I     560   0 137438953480
[18] <corrupt>            NULL         0000000000400270 0000001c 0000001c
1369094286720630784 MSIG   1   0 5497558139136
[19] <corrupt>            NULL         00000000001a4400 001a4400 20000000
1612578816 O     256 1536 1966080
[20] <corrupt>            NULL         0000000000033800 20000000 60000000200  0
      1972224   0 70456256108544
[21] <corrupt>            <unknown>: 4608 0000000000000090 00000000
12000001020000 9007199259787264 E      0   0  0
[22] <corrupt>            NULL         00002c0000000000 e70000000000 00080800 
0       8388608 1179648 275064553482
[23] <corrupt>            <unknown>: 1114117 0000000000080000 11000000b40000
6020f80018 6299856 ME    270336   0 4503599648407552
[24] <corrupt>            NULL         0000000000000000 1480000000000
6020d00018001000 6926879274926346240 AMSIE  0   0 373833953443840
[25] <corrupt>            <unknown>: 65794 00000001003e0002 00401260 00000000
-281359012593664        0   0  0
[26] <corrupt>            HASH         0000000000400041 00000800 00000230
17179869187 INOE  560   0 274877906952

eu-readelf: invalid sh_link value in section 1
eu-readelf: invalid sh_link value in section 17
eu-readelf: invalid sh_link value in section 26
===================================================
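The upstream feedback quoted in [1] describes the defensive pattern: bound the size the file claims before sizing any output buffer, then verify it again once decompression finishes. The following Python is an added illustration of that pattern for an ELF64 SHF_COMPRESSED section image (Elf64_Chdr followed by a zlib stream); it is not elfutils code, and the 1032:1 deflate bound and all helper names are this example's own assumptions.

```python
import struct
import zlib

# Elf64_Chdr layout: ch_type (u32), ch_reserved (u32), ch_size (u64), ch_addralign (u64)
ELF64_CHDR = struct.Struct("<IIQQ")
ELFCOMPRESS_ZLIB = 1
# Deflate cannot expand by more than roughly 1032:1 (zlib.net/zlib_tech.html), so a
# ch_size above that multiple of the compressed payload is bogus by construction.
MAX_DEFLATE_RATIO = 1032


class BogusCompressedSection(ValueError):
    """Raised when a SHF_COMPRESSED section header cannot be trusted."""


def decompress_elf_section(section: bytes) -> bytes:
    """Decompress a little-endian ELF64 SHF_COMPRESSED section image.
    ch_size is read from the file (attacker-controlled), so it is bounded
    before any buffer is sized and checked again after inflation."""
    if len(section) < ELF64_CHDR.size:
        raise BogusCompressedSection("section too small to hold an Elf64_Chdr")
    ch_type, _reserved, ch_size, _align = ELF64_CHDR.unpack_from(section)
    if ch_type != ELFCOMPRESS_ZLIB:
        raise BogusCompressedSection(f"unsupported ch_type {ch_type}")
    payload = section[ELF64_CHDR.size:]
    if not payload:
        raise BogusCompressedSection("no compressed payload after Elf64_Chdr")
    # Pre-allocation check: refuse sizes no deflate stream could ever produce.
    if ch_size // len(payload) > MAX_DEFLATE_RATIO:
        raise BogusCompressedSection(f"claimed size {ch_size:#x} is implausible")
    # Inflate with a hard output cap of ch_size + 1, so a lying stream can never
    # grow the buffer beyond what the header promised.
    inflater = zlib.decompressobj()
    out = inflater.decompress(payload, ch_size + 1)
    # Post-decompression check: the stream must end at exactly ch_size bytes.
    if len(out) != ch_size or not inflater.eof:
        raise BogusCompressedSection(f"got {len(out)} bytes, header claimed {ch_size}")
    return out


def build_compressed_section(data: bytes, claimed_size=None) -> bytes:
    """Constructed test input: a valid image, or one whose ch_size lies."""
    ch_size = len(data) if claimed_size is None else claimed_size
    return ELF64_CHDR.pack(ELFCOMPRESS_ZLIB, 0, ch_size, 1) + zlib.compress(data)


def is_rejected(section: bytes) -> bool:
    """True if the section is refused either before or after decompression."""
    try:
        decompress_elf_section(section)
    except BogusCompressedSection:
        return True
    return False
```

A section claiming the 0x280065041580-byte output seen in the ASan log above is refused by the ratio check alone, before any allocation takes place.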
