http://bugzilla.opensuse.org/show_bug.cgi?id=1033089 Bug ID: 1033089 Summary: VUL-1: CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 720367 --> http://bugzilla.opensuse.org/attachment.cgi?id=720367&action=edit CVE-2017-7612_Reproducer Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7612 ==================================================== Description The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Source: MITRE Last Modified: 04/09/2017 ==================================================== Hyperlink: [1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-... [1]: ==================================================== elfutils: heap-based buffer overflow in check_sysv_hash (elflint.c) Posted on April 3, 2017 by ago Description: elfutils is a set of libraries/utilities to handle ELF objects (drop in replacement for libelf). A fuzz on eu-elflint showed an heap overflow. The complete ASan output: # eu-elflint -d $FILE ==14428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000aff4 at pc 0x00000040b36b bp 0x7ffe1e25ef20 sp 0x7ffe1e25ef18 READ of size 4 at 0x60b00000aff4 thread T0 #0 0x40b36a in check_sysv_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2020 #1 0x40b36a in check_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2315 #2 0x422e73 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4118 #3 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697 #4 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242 #5 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175 #6 0x7f7a318a878f in __libc_start_main (/lib64/libc.so.6+0x2078f) #7 0x403498 in _start (/usr/bin/eu-elflint+0x403498) 0x60b00000aff7 is located 0 bytes to the right of 103-byte region [0x60b00000af90,0x60b00000aff7) allocated by thread T0 here: #0 0x7f7a32f95288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288) #1 0x7f7a32bf1b46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166 #2 0x7f7a32bf1b46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434 #3 0x7f7a32bf2662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541 #4 0x7f7a32bf2776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559 #5 0x7f7a32c1e035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72 #6 0x7f7a32c1e55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52 #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911 #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697 #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242 #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175 #11 0x7f7a318a878f in __libc_start_main (/lib64/libc.so.6+0x2078f) SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2020 in check_sysv_hash Shadow bytes around the buggy address: 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00[07]fa 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==14428==ABORTING Affected version: 0.168 Fixed version: 0.169 (not released atm) Commit fix: https://sourceware.org/ml/elfutils-devel/2017-q1/msg00131.html Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00235-elfutils-heapoverflow-chec... Timeline: 2017-03-27: bug discovered and reported to upstream 2017-04-04: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: elfutils: heap-based buffer overflow in check_sysv_hash (elflint.c) ==================================================== (open-)SUSE: https://software.opensuse.org/package/elfutils 0.168 (TW, official repo) 0.158 (42.{1,2}, official repo) Test-case on 42.2 (version 0.158): ==================================================== k_mikhail@linux-mk500:~> eu-elflint -d 00235-elfutils-heapoverflow-check_sysv_hash e_ident[13] is not zero e_ident[14] is not zero e_ident[15] is not zero unknown object file type 258 unknown machine type 256 unknown object file version invalid machine flags: 0x38000a invalid ELF header size: 64 invalid program header size: 37 invalid section header size: 6 only executables, shared objects, and core files can have program headers cannot get program header entry 0: invalid data cannot get program header entry 1: invalid data cannot get program header entry 2: invalid data cannot get program header entry 3: invalid data cannot get program header entry 4: invalid data cannot get program header entry 5: invalid data cannot get program header entry 6: invalid data cannot get program header entry 7: invalid data cannot get program header entry 8: invalid data cannot get program header entry 9: invalid data cannot get program header entry 10: invalid data cannot get program header entry 11: invalid data cannot get program header entry 12: invalid data cannot get program header entry 13: invalid data cannot get program header entry 14: invalid data cannot get program header entry 15: invalid data cannot get program header entry 16: invalid data cannot get program header entry 17: invalid data cannot get program header entry 18: invalid data cannot get program header entry 19: invalid data cannot get program header entry 20: invalid data cannot get program header entry 21: invalid data cannot get program header entry 22: invalid data cannot get program header entry 23: invalid data cannot get program header entry 24: invalid data cannot get program header entry 25: invalid data cannot get program header entry 26: invalid data cannot get program header entry 27: invalid data cannot get program header entry 28: invalid data cannot get program header entry 29: invalid data cannot get program header entry 30: invalid data cannot get program header entry 31: invalid data cannot get program header entry 32: invalid data cannot get program header entry 33: invalid data zeroth section has nonzero name zeroth section has nonzero type zeroth section has nonzero flags zeroth section has nonzero address zeroth section has nonzero offset zeroth section has nonzero entry size value zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx zeroth section has nonzero link value while ELF header does not signal overflow in phnum section [ 1]: invalid name cannot get section header section [ 1] '<invalid>' has unsupported type 112 section [ 1] '<invalid>' contains unknown flag(s) 0x2000000 section [ 1] '<invalid>': invalid section reference in link value section [ 2]: invalid name cannot get section header section [ 3]: invalid name cannot get section header section [ 3] '<invalid>' has unsupported type 68 section [ 3] '<invalid>' contains unknown flag(s) 0x7000000 section [ 3] '<invalid>': invalid section reference in link value section [ 4]: invalid name cannot get section header section [ 4] '<invalid>' contains unknown flag(s) 0xe600000 section [ 4] '<invalid>': invalid section reference in link value section [ 5]: invalid name section [ 5] '<invalid>': size not multiple of entry size cannot get section header section [ 5] '<invalid>': invalid section reference in link value section [ 5] '<invalid>' has unexpected type 2 for an executable section section [ 5] '<invalid>': alloc flag set but section not in any loaded segment section [ 5] '<invalid>': ELF header says this is the section header string table but type is not SHT_TYPE section [ 5] '<invalid>': cannot get section data section [ 6]: invalid name section [ 6] '<invalid>': size not multiple of entry size cannot get section header section [ 6] '<invalid>' has unsupported type 208 section [ 6] '<invalid>' contains unknown flag(s) 0x1000000 section [ 7]: invalid name section [ 7] '<invalid>': size not multiple of entry size cannot get section header section [ 7] '<invalid>' has unsupported type 140 section [ 7] '<invalid>' contains unknown flag(s) 0x2400000 section [ 8]: invalid name section [ 8] '<invalid>': size not multiple of entry size cannot get section header section [ 8] '<invalid>' has unsupported type 24 section [ 8] '<invalid>' contains unknown flag(s) 0x6000000 section [ 8] '<invalid>': invalid section reference in link value section [ 9]: invalid name cannot get section header section [ 9] '<invalid>' has unsupported type 327684 section [10]: invalid name cannot get section header section [10] '<invalid>' contains unknown flag(s) 0x400000 section [10] '<invalid>': nonzero sh_flags for NULL section section [10] '<invalid>': nonzero sh_offset for NULL section section [10] '<invalid>': nonzero sh_size for NULL section section [10] '<invalid>': nonzero sh_info for NULL section section [11]: invalid name cannot get section header section [11] '<invalid>' contains invalid processor-specific flag(s) 0x50000000 section [11] '<invalid>' contains unknown flag(s) 0x2e57000 section [11] '<invalid>': invalid section reference in link value section [11] '<invalid>' has unexpected type 0 for an executable section section [11] '<invalid>': nonzero sh_name for NULL section section [11] '<invalid>': nonzero sh_flags for NULL section section [11] '<invalid>': nonzero sh_addr for NULL section section [11] '<invalid>': nonzero sh_offset for NULL section section [11] '<invalid>': nonzero sh_link for NULL section section [11] '<invalid>': nonzero sh_addralign for NULL section section [12]: invalid name cannot get section header section [12] '<invalid>' contains invalid processor-specific flag(s) 0xf0000000 section [12] '<invalid>' contains unknown flag(s) 0x10000 section [12] '<invalid>': invalid section reference in link value section [12] '<invalid>': nonzero sh_name for NULL section section [12] '<invalid>': nonzero sh_flags for NULL section section [12] '<invalid>': nonzero sh_offset for NULL section section [12] '<invalid>': nonzero sh_link for NULL section section [12] '<invalid>': nonzero sh_info for NULL section section [13]: invalid name cannot get section header section [13] '<invalid>': nonzero sh_addralign for NULL section section [14]: invalid name section [14] '<invalid>': size not multiple of entry size cannot get section header section [14] '<invalid>' has unsupported type 909389676 section [14] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [14] '<invalid>' contains unknown flag(s) 0x42d6808 section [14] '<invalid>': invalid section reference in link value section [14] '<invalid>': invalid section reference in info value section [15]: invalid name cannot get section header section [15] '<invalid>' contains unknown flag(s) 0x2000000 section [15] '<invalid>': invalid section reference in link value section [15] '<invalid>': nonzero sh_name for NULL section section [15] '<invalid>': nonzero sh_flags for NULL section section [15] '<invalid>': nonzero sh_addr for NULL section section [15] '<invalid>': nonzero sh_offset for NULL section section [15] '<invalid>': nonzero sh_link for NULL section section [15] '<invalid>': nonzero sh_info for NULL section section [15] '<invalid>': nonzero sh_addralign for NULL section section [15] '<invalid>': nonzero sh_entsize for NULL section section [16]: invalid name cannot get section header section [16] '<invalid>' has unsupported type 1026 section [16] '<invalid>' contains invalid processor-specific flag(s) 0x10000000 section [16] '<invalid>' contains unknown flag(s) 0x3000000 section [17]: invalid name cannot get section header section [17] '<invalid>' contains invalid processor-specific flag(s) 0x90000000 section [17] '<invalid>' contains unknown flag(s) 0x9000000 section [17] '<invalid>': nonzero sh_flags for NULL section section [17] '<invalid>': nonzero sh_addr for NULL section section [17] '<invalid>': nonzero sh_addralign for NULL section section [17] '<invalid>': nonzero sh_entsize for NULL section section [18]: invalid name cannot get section header section [18] '<invalid>': nonzero sh_offset for NULL section section [18] '<invalid>': nonzero sh_size for NULL section section [19]: invalid name cannot get section header section [19] '<invalid>' has unsupported type 301989888 section [19] '<invalid>': invalid section reference in link value section [20]: invalid name cannot get section header section [20] '<invalid>' contains invalid processor-specific flag(s) 0x80000000 section [20] '<invalid>': nonzero sh_flags for NULL section section [20] '<invalid>': nonzero sh_addr for NULL section section [20] '<invalid>': nonzero sh_addralign for NULL section section [20] '<invalid>': nonzero sh_entsize for NULL section section [21]: invalid name cannot get section header section [21] '<invalid>': nonzero sh_offset for NULL section section [21] '<invalid>': nonzero sh_size for NULL section section [22]: invalid name cannot get section header section [22] '<invalid>' has unsupported type 301989888 section [22] '<invalid>': invalid section reference in link value section [23]: invalid name cannot get section header section [23] '<invalid>' contains invalid processor-specific flag(s) 0x90000000 section [23] '<invalid>' contains unknown flag(s) 0xe000000 section [23] '<invalid>': nonzero sh_flags for NULL section section [23] '<invalid>': nonzero sh_addr for NULL section section [23] '<invalid>': nonzero sh_addralign for NULL section section [23] '<invalid>': nonzero sh_entsize for NULL section section [24]: invalid name cannot get section header section [24] '<invalid>': invalid section reference in link value section [24] '<invalid>': nonzero sh_offset for NULL section section [24] '<invalid>': nonzero sh_size for NULL section section [24] '<invalid>': nonzero sh_link for NULL section section [25]: invalid name cannot get section header section [25] '<invalid>' has unsupported type 301989888 section [25] '<invalid>': invalid section reference in link value section [26]: invalid name cannot get section header section [26] '<invalid>' contains invalid processor-specific flag(s) 0x70000000 section [26] '<invalid>' contains unknown flag(s) 0xa000000 section [26] '<invalid>': nonzero sh_flags for NULL section section [26] '<invalid>': nonzero sh_addr for NULL section section [26] '<invalid>': nonzero sh_addralign for NULL section section [26] '<invalid>': nonzero sh_entsize for NULL section section [27]: invalid name cannot get section header section [27] '<invalid>': nonzero sh_offset for NULL section section [27] '<invalid>': nonzero sh_size for NULL section section [28]: invalid name cannot get section header section [28] '<invalid>' has unsupported type 285218816 section [28] '<invalid>' contains invalid processor-specific flag(s) 0xc0000000 section [28] '<invalid>' contains unknown flag(s) 0x206000 section [28] '<invalid>': invalid section reference in link value section [29]: invalid name section [29] '<invalid>': size not multiple of entry size cannot get section header section [29] '<invalid>' contains unknown flag(s) 0x6c6800 section [29] '<invalid>': invalid section reference in link value section [29] '<invalid>': invalid section reference in info value section [29] '<invalid>': alloc flag set but section not in any loaded segment section [29] '<invalid>': nonzero sh_name for NULL section section [29] '<invalid>': nonzero sh_flags for NULL section section [29] '<invalid>': nonzero sh_addr for NULL section section [29] '<invalid>': nonzero sh_offset for NULL section section [29] '<invalid>': nonzero sh_size for NULL section section [29] '<invalid>': nonzero sh_link for NULL section section [29] '<invalid>': nonzero sh_info for NULL section section [29] '<invalid>': nonzero sh_addralign for NULL section section [29] '<invalid>': nonzero sh_entsize for NULL section section [30]: invalid name section [30] '<invalid>': size not multiple of entry size cannot get section header section [30] '<invalid>' has unsupported type 1685417984 section [30] '<invalid>' contains invalid processor-specific flag(s) 0x70000000 section [30] '<invalid>' contains unknown flag(s) 0x657000 section [30] '<invalid>': invalid section reference in link value section [30] '<invalid>': invalid section reference in info value section [30] '<invalid>': section with SHF_GROUP flag set not part of a section group section [30] '<invalid>': alloc flag set but section not in any loaded segment section [31]: invalid name section [31] '<invalid>': size not multiple of entry size cannot get section header section [31] '<invalid>' has unsupported type 1835363683 section [31] '<invalid>' contains invalid processor-specific flag(s) 0x70000000 section [31] '<invalid>' contains unknown flag(s) 0x790008 section [31] '<invalid>': invalid section reference in link value section [31] '<invalid>': invalid section reference in info value section [31] '<invalid>' has unexpected type 1835363683 for an executable section section [31] '<invalid>' is both executable and writable section [32]: invalid name section [32] '<invalid>': size not multiple of entry size cannot get section header section [32] '<invalid>' has unsupported type 1668050803 section [32] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [32] '<invalid>' contains unknown flag(s) 0x5006800 section [32] '<invalid>': invalid section reference in link value section [32] '<invalid>': invalid section reference in info value section [32] '<invalid>': section with SHF_GROUP flag set not part of a section group section [33]: invalid name section [33] '<invalid>': size not multiple of entry size cannot get section header section [33] '<invalid>' has unsupported type 1694523231 section [33] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [33] '<invalid>' contains unknown flag(s) 0x76d6808 section [33] '<invalid>': invalid section reference in link value section [33] '<invalid>': invalid section reference in info value section [33] '<invalid>': section with SHF_GROUP flag set not part of a section group section [33] '<invalid>' has unexpected type 1694523231 for an executable section section [33] '<invalid>': alloc flag set but section not in any loaded segment section [34]: invalid name section [34] '<invalid>': size not multiple of entry size cannot get section header section [34] '<invalid>' has unsupported type 512 section [34] '<invalid>' contains unknown flag(s) 0x2000000 section [34] '<invalid>': section with SHF_GROUP flag set not part of a section group section [35]: invalid name cannot get section header section [35] '<invalid>' contains unknown flag(s) 0x20000 section [36]: invalid name section [36] '<invalid>': size not multiple of entry size cannot get section header section [36] '<invalid>' has unsupported type 131256 section [36] '<invalid>' contains unknown flag(s) 0x8 section [36] '<invalid>': alloc flag set but section not in any loaded segment section [37]: invalid name cannot get section header section [37] '<invalid>' contains unknown flag(s) 0x7800 section [37] '<invalid>': invalid section reference in link value section [37] '<invalid>': section with SHF_GROUP flag set not part of a section group section [37] '<invalid>': cannot get section data section [38]: invalid name cannot get section header section [38] '<invalid>' has unsupported type 6176 section [38] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [39]: invalid name section [39] '<invalid>': size not multiple of entry size cannot get section header section [39] '<invalid>': invalid section reference in link value section [39] '<invalid>': nonzero sh_name for NULL section section [39] '<invalid>': nonzero sh_addr for NULL section section [39] '<invalid>': nonzero sh_offset for NULL section section [39] '<invalid>': nonzero sh_size for NULL section section [39] '<invalid>': nonzero sh_link for NULL section section [39] '<invalid>': nonzero sh_entsize for NULL section section [40]: invalid name cannot get section header section [40] '<invalid>' has unsupported type 1792 section [40] '<invalid>': invalid section reference in link value section [41]: invalid name cannot get section header section [41] '<invalid>' has unsupported type 16416 section [41] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [42]: invalid name section [42] '<invalid>': size not multiple of entry size cannot get section header section [42] '<invalid>': invalid section reference in link value section [42] '<invalid>': nonzero sh_name for NULL section section [42] '<invalid>': nonzero sh_addr for NULL section section [42] '<invalid>': nonzero sh_offset for NULL section section [42] '<invalid>': nonzero sh_size for NULL section section [42] '<invalid>': nonzero sh_link for NULL section section [42] '<invalid>': nonzero sh_entsize for NULL section section [43]: invalid name cannot get section header section [43] '<invalid>' has unsupported type 1792 section [43] '<invalid>' contains unknown flag(s) 0xde0800 section [43] '<invalid>': invalid section reference in link value section [44]: invalid name cannot get section header section [44] '<invalid>' has unsupported type 26656 section [44] '<invalid>' contains invalid processor-specific flag(s) 0x60000000 section [45]: invalid name cannot get section header section [45] '<invalid>': cannot get section data section [46]: invalid name cannot get section header section [46] '<invalid>' has unsupported type 218103808 section [46] '<invalid>' contains unknown flag(s) 0x8 section [46] '<invalid>': invalid section reference in link value section [46] '<invalid>' has unexpected type 218103808 for an executable section section [46] '<invalid>': alloc flag set but section not in any loaded segment section [47]: invalid name cannot get section header section [47] '<invalid>' contains unknown flag(s) 0x7000000 section [47] '<invalid>': invalid section reference in link value section [47] '<invalid>': nonzero sh_name for NULL section section [47] '<invalid>': nonzero sh_flags for NULL section section [47] '<invalid>': nonzero sh_addr for NULL section section [47] '<invalid>': nonzero sh_link for NULL section section [47] '<invalid>': nonzero sh_addralign for NULL section section [47] '<invalid>': nonzero sh_entsize for NULL section ==================================================== -- You are receiving this mail because: You are on the CC list for the bug.