Bug ID 1033085
Summary VUL-1: CVE-2017-7608: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7608
===================================================
Description

The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils
0.168 allows remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted ELF file.

Source:  MITRE      Last Modified:  04/09/2017
===================================================

Hyperlink:

[1]
https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-ebl_object_note_type_name-eblobjnotetypename-c

[1]:
===================================================
elfutils: heap-based buffer overflow in ebl_object_note_type_name
(eblobjnotetypename.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in
replacement for libelf).

Fuzzing eu-readelf showed a heap overflow. Feedback from upstream follows:

    Nice find. The issue is with notes that have a zero sized name (and also no descriptor data at the end of a note section).

    "The system reserves note information with no name (namesz==0) and with a zero-length name (name[0]=='\0') but currently defines no types. All other names must have at least one non-null character."

    So we must explicitly check for namesz == 0 before using the name data in the note.

The complete ASan output:

# eu-readelf -a $FILE
==29866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef9c at pc 0x7f910ac17150 bp 0x7fff92f7ed90 sp 0x7fff92f7e540
READ of size 1 at 0x60200000ef9c thread T0
    #0 0x7f910ac1714f (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x4514f)
    #1 0x4f63a7 in ebl_object_note_type_name /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libebl/eblobjnotetypename.c:48
    #2 0x461251 in handle_notes_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9372
    #3 0x47209d in handle_notes /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9455
    #4 0x47209d in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:916
    #5 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #6 0x7f910a730094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #7 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #8 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #9 0x7f9108d4e78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)

0x60200000ef9c is located 0 bytes to the right of 12-byte region [0x60200000ef90,0x60200000ef9c)
allocated by thread T0 here:
    #0 0x7f910ac94288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f910a10af48 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f910a10af48 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f910a10c9ba in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f910a10ccae in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x471fe7 in handle_notes /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9455
    #6 0x471fe7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:916
    #7 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #8 0x7f910a730094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #9 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #10 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #11 0x7f9108d4e78f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x4514f)
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa 00[04]fa fa 00 02 fa fa 00 02 fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29866==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00111.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00226-elfutils-heapoverflow-ebl_object_note_type_name

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

===================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-readelf -a 00226-elfutils-heapoverflow-ebl_object_note_type_name
ELF Header:
  Magic:   7f 45 4c 46 02 02 01 00 00 00 ff f3 00 02 00 3e
  Class:                             ELF64
  Data:                              2's complement, big endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           <unknown>
  Version:                           8339456 (???)
  Entry point address:               0x400000
  Start of program headers:          4096 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             
  Size of this header:               170 (bytes)
  Size of program header entries:    65535 (bytes)
  Number of program headers entries: 65535 (0 in [0].sh_info)
  Size of section header entries:    26 (bytes)
  Number of section headers entries: 89
  Section header string table index: 20549

Section Headers:
[Nr] Name                 Type         Addr             Off      Size     ES
Flags Lk Inf Al
[ 0] <corrupt>            <unknown>: 33685760 00010000007f4000 00400000
00001000 -281363301707707 AXMSE  0   0 11206655
[ 1] <corrupt>            SHT_LOOS+e74005f 00000000760c0004 00000051
e574640600000000 10 OE     0 227 -1099511627776
[ 2] <corrupt>            NULL         0000000a00000252 e574640400000000
1e00000000000000 4854678368786145107 M      0 24948 8390820064477214019
[ 3] <corrupt>            <unknown>: 1129252352 0000210000004000
4000000000004000 4000000000000008 64424509443 E      0   0 169
[ 4] <corrupt>            NOTE         1e00000000000008 00000200 0000000c
4294967299 E      0   0 1835189
[ 5] <corrupt>            PREINIT_ARRAY 1e00000000000008 00000000 00000010
25769803779 ME     0   0 186
[ 6] <corrupt>            <unknown>: 248 000000e00100007f e001000000 6400f8ffff
601333172976 E     -16777212   4 601328975872
[ 7] <corrupt>            <unknown>: 37748736 0000002000000000 00000020
7f0000000019  0 WAME   0 -2147483644 -133143986176
[ 8] <corrupt>            NULL         000015220000ff80 2e32000000008010
100000011 4294115328 T     1572896 559939584  0
[ 9] <corrupt>            RELA         0000000000000000 00000000 00001b00
9007199254804481 E      4  32 6917529027641082368
[10] <corrupt>            <unknown>: 5120 0000000700000000 00000000 1d1000000
51774488576       301989888   0 17592186044416
[11] <corrupt>            <unknown>: 262148 ff80000000000000 00cc0000
12000000000000 5066549580791808 E      0   0 281324653445376
[12] <corrupt>            <unknown>: 524320 0012000000000000 00000000 00170100
1126183374946308 NE    1179648   0 17180131328
[13] <corrupt>            <unknown>: -606348325 0000000000000000 00000000
00002d56 29038424883204 OE    393178732 2032165228 7805150906565017600
[14] <corrupt>            <unknown>: -606348325 0000000000000000 7f000000
00002d56 29038424883204 OE    544173676 2032165228 7813595155866337280
[15] <corrupt>            <unknown>: 1835008 0010000000000000 72289809000003
65010000100000 246429654188032 E     1536 3584 1792
[16] <corrupt>            <unknown>: 419436800 f0fff02060000000 17050000001aff
e100000000000000 5066549580791808        0   0 15532020
[17] <corrupt>            NULL         7fff000000000000 00000000 00bb0000
3735552 ASIL  1179648   0  0
[18] <corrupt>            NULL         0000000000df0000 12000000000000 00000000
 0        0 8781824 34359738368
[19] <corrupt>            REL          fbffffff00000000 001d0000 00000000
103079215104 E     18   1 34359738368
[20] <corrupt>            <unknown>: 44 448b642406400000 00000000 a5000000
9007199254740992 WAXMSILNGTE 32767   0 5046272
[21] <corrupt>            NULL         000000860c400000 960c2a0000 00000000
3735552       32   0 246423748608000
[22] <corrupt>            NULL         0000000000df0000 12000000ffff00 00000000
 0        0 8781824 34359738368
[23] <corrupt>            REL          fbffffff00120000 ffffff7f 00000f00
267280109797376 E      5 59904 1095216660224
[24] <corrupt>            STRTAB       0000008806400000 00000000 a5000000
9007199254741003 E     301989888   0 5046272
[25] <corrupt>            NULL         000000640c400000 960c2a0000 00000000  0 
     1048608   0 43012
[26] <corrupt>            <unknown>: 2048 0000000000008500 10000000200 0000c800
1152921504607240192        0 1915262985 3300229447680
[27] <corrupt>            NULL         0000000040050019 19000000000000
f0fff02060 5348024557502464 SI     0 386203648 7599824371187712
[28] <corrupt>            NULL         0000000000000000 00000000 00000000
360287970189639680 E     16384   0  0
[29] <corrupt>            <unknown>: 255 0000800000000000 00000000 00000000
1030792151040 E      0   0 1407374883553280
[30] <corrupt>            <unknown>: 127 0000000000000000 00000000 00000000  0 
      0   0  0
[31] <corrupt>            NULL         000000009b000000 00000000 00000000
4398046511130        0 536870912  0
[32] <corrupt>            <unknown>: -419430400 0000000000000000 00000000
00000000  0        0   0 14090240
[33] <corrupt>            NOBITS       0000000000000000 00000000 00000000
-72057594037927936        0   0 144115188092370943
[34] <corrupt>            NULL         0500000001000000 800000000000000
1800000000000000 -8645152065946910720       855638016 50331648
144115188075986944
[35] <corrupt>            NULL         0000000000000000 e4d0000002000 00000000 
0 E      0   0  0
[36] <corrupt>            NULL         0000000000000000 00000000 00000000
18017697044365312        0   0 18017971922272256
[37] <corrupt>            <unknown>: -16777216 0008000000000000 00000000
00000000  0 E      0   0  0
[38] <corrupt>            NULL         0000000000000000 ff000000 00000000
8444249301319680        0 254 -72340172854788096
[39] <corrupt>            NULL         1340000000000010 1340000000000000
00000001  0 MS    6144   0 16888498602639360
[40] <corrupt>            NULL         0093000000010000 e4ff0000000000
5c00000000 8904020852736        0   0 1677721600
[41] <corrupt>            NULL         0000000000000000 80000000000
ffbf0a000000 -19697750811558400 E     -399705345 -1460226 -206109505478607
[42] <corrupt>            SHT_LOOS+1faffff 4489e24889c731c0 e85cfaffff486354
3388488b0d600f20 1000089583615 WMILNE 4753903 -1107230720 65306575447834634
[43] <corrupt>            <unknown>: 759976561 7468742c488b0d3e f2000ba00000100
be010000005a89c7 4910085682967150592 WSIOE 629752868 417908729
-43909498088974199
[44] <corrupt>            <unknown>: 568881146 95faffffbf601740 e85bfa24ffba01
174000e95d 209023563464937 SILE  -16777281 303513600 -1710528931033381632
[45] <corrupt>            <unknown>: -1074915776 000000bef1164000
e92bfeffffba0500 bea7164000e9 -215892208241362427 WXGOE -687996929 -1174077440
53621074331494855
[46] <corrupt>            NULL         0000000000000000 00000000 00310000  0   
    0   0  0
[47] <corrupt>            <unknown>: 4194537 00e829faffffba05 bef1164000
e92bfeffffba0500 53621074331494855 IGTE  48807 373293289 -2954924306682544128
[48] <corrupt>            <unknown>: 838842885 0000000000000000 00000000
00000000  0        0 3211264 436207616
[49] <corrupt>            NULL         0000000000000000 00000040 00000000  0   
    0   0  0
[50] <corrupt>            NULL         0000000000000000 05000000 00000000  0   
   255 -256 32768
[51] <corrupt>            NULL         0000000000050000 000000f0 00000000  0   
   127   0  0
[52] <corrupt>            NULL         0000000000000000 00000000 00000000
-7277816997830721536        0   0  0
[53] <corrupt>            NULL         2000000000000000 00000400 1a00000000  0 
     -419430400   0  0
[54] <corrupt>            NULL         0000000000000000 d7000000000000 00000000
 0        8   0  0
[55] <corrupt>            NULL         0000000000000000 00000000 00000000  0   
    0   0  0
[56] <corrupt>            SHT_LOOS+66f6973 0020000000000000 40000000000
00000000  0 AXSIOE  0   0  0
[57] <corrupt>            NULL         007f000000000000 c00000000000000
00000000  0        0   0  0
[58] <corrupt>            NULL         0000000000000000 00090000 00000000  0   
    0   0  0
[59] <corrupt>            NULL         0000000000000000 01000000 00000000
1387671635198083088        0   0 8194096
[60] <corrupt>            NULL         0000000000000001 00000001 1d00009b
4736662007598565513 W      0 10224640 20405859369820160
[61] <corrupt>            GNU_HASH     0000000000000000 00000000 0000001a  0
WME    0   0  0
[62] <corrupt>            SHT_LOOS+4000000 0000000000000000 00000000 00000000 
0 E      0   0  0
[63] <corrupt>            NULL         0000000000000000 00000000 00000000
216172782113783880        0  64 234187180623265856
[64] <corrupt>            HASH         0000000000000000 00000000 1000000000  0
E      0   0  0
[65] <corrupt>            NULL         0000000000000000 fffc00000000 00000000 
0       65536   0 281474976710656
[66] <corrupt>            NULL         0000000000000000 01000000 00000000
1387671635198083088        0   0 8194096
[67] <corrupt>            NULL         0000000000000001 00000001 1d00009b
4736662007598565513 W      0 10224640 20405859369820160
[68] <corrupt>            GNU_HASH     0000000000000000 00000000 0000001a  0
WME    0   0  0
[69] <corrupt>            SHT_LOOS+4000000 0000000000000000 00000000 00000000 
0 E      0   0  0
[70] <corrupt>            NULL         0000000000000000 00000000 00000000
216172782113783880        0  64 234187180623265856
[71] <corrupt>            HASH         0000000000000000 00000000 1000000000  0
E      0   0  0
[72] <corrupt>            NULL         000c00000000faff ffff000000000000
00000000  0 E     404643840   0  0
[73] <corrupt>            NULL         760b400000080000 860b000000000020
b4000000000000d  0 E      0 7188 1459166279268040906
[74] <corrupt>            <unknown>: 26 000000000000001a 000000a6
a6a6a6a6a6a6a6a6 -6438275382588823898 E     -1499027802 -1499027802
-6438275382588823898
[75] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[76] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[77] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[78] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823918 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[79] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[80] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[81] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[82] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[83] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[84] <corrupt>            <unknown>: -1499027802 a6a6a6a6a6a6a6a6
a6a6a6a6a6a6a6a6 a6a6a6a6a6a6a6a6 -6438275382588823898 AXSLGTE -1499027802
-1499027802 -6438275382588823898
[85] <corrupt>            <unknown>: -1499027802 0000000000000000 00000000
00000000  0 GTE    0   0 9007199254740992
[86] <corrupt>            NULL         0000000000000000 8000000000000000
00000000  0       -67108864   0 39687971716202496
[87] <corrupt>            NULL         000000080000860b 00200b40 000d0000 7776 
      0 471077952 13238272
[88] <corrupt>            <unknown>: 1769472 5757575757575757 5757575757575757
5757575757575757  0 WAXMINGTE 1465341783 1460142080 1703936

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz
  Flg Align

 Section to Segment mapping:
  Segment Sections...

Relocation section [19] '(null)' for section [ 1] '(null)' at offset 0x1d0000
contains 0 entries:
  Offset              Type                 Value               Name
eu-readelf: memory exhausted
===================================================
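As an added example, not code from elfutils, from the blog post or from this bug report, the following C program shows the check upstream describes: a bounds-checked walker over an ELF note section that treats namesz == 0 as a note with no owner and never reads the name bytes in that case, and that also refuses notes whose padded name or descriptor sizes run past the end of the section. The note header layout and the NT_GNU_* values match <elf.h>; the function names (walk_notes, note_type_name, sample_walk, truncated_walk), the two constructed note sections, and the little-endian byte order are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GNU note types; values as in <elf.h>. */
#define NT_GNU_ABI_TAG      1
#define NT_GNU_HWCAP        2
#define NT_GNU_BUILD_ID     3
#define NT_GNU_GOLD_VERSION 4

/* Elf32_Nhdr and Elf64_Nhdr are both three uint32 fields: namesz, descsz, type. */
#define NHDR_SIZE 12u

/* Read a little-endian 32-bit field (assumption: the sample sections are LE). */
static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Name and descriptor are padded to 4 bytes; 64-bit math so a huge size cannot wrap. */
static uint64_t align4(uint64_t x) { return (x + 3) & ~(uint64_t)3; }

/* Map owner name + type to a symbolic name without touching name bytes when namesz == 0. */
const char *note_type_name(const char *name, uint32_t namesz, uint32_t type) {
    if (namesz == 0)
        return "unnamed note";          /* gABI: reserved, no types defined, name is not readable */
    if (memchr(name, '\0', namesz) == NULL)
        return "malformed owner name";  /* owner must be NUL-terminated within namesz */
    if (strcmp(name, "GNU") == 0) {
        switch (type) {
        case NT_GNU_ABI_TAG:      return "NT_GNU_ABI_TAG";
        case NT_GNU_HWCAP:        return "NT_GNU_HWCAP";
        case NT_GNU_BUILD_ID:     return "NT_GNU_BUILD_ID";
        case NT_GNU_GOLD_VERSION: return "NT_GNU_GOLD_VERSION";
        default: break;
        }
    }
    return "unknown";
}

typedef struct {
    size_t notes;            /* notes parsed completely */
    size_t unnamed;          /* notes with namesz == 0 */
    int truncated;           /* 1 if a header or payload would run past the section */
    const char *first_type;  /* type name of the first note, "" if none */
    const char *last_type;   /* type name of the last note, "" if none */
} note_walk;

/* Walk a note section of `len` bytes; every read is checked against the remaining bytes. */
note_walk walk_notes(const unsigned char *buf, size_t len) {
    note_walk r = {0, 0, 0, "", ""};
    size_t off = 0;
    while (off < len) {
        if (len - off < NHDR_SIZE) { r.truncated = 1; break; }
        uint32_t namesz = rd32le(buf + off);
        uint32_t descsz = rd32le(buf + off + 4);
        uint32_t type   = rd32le(buf + off + 8);
        off += NHDR_SIZE;

        uint64_t name_pad = align4(namesz);
        if (name_pad > len - off) { r.truncated = 1; break; }
        const char *name = (const char *)(buf + off);  /* equals buf + len for a trailing unnamed note */
        off += (size_t)name_pad;

        uint64_t desc_pad = align4(descsz);
        if (desc_pad > len - off) { r.truncated = 1; break; }
        off += (size_t)desc_pad;

        const char *tn = note_type_name(name, namesz, type);
        if (namesz == 0) r.unnamed++;
        if (r.notes == 0) r.first_type = tn;
        r.last_type = tn;
        r.notes++;
    }
    return r;
}

/* Constructed sample: a GNU build-id note, then a note with namesz == 0 and descsz == 0
   at the very end of the section, the shape upstream describes. */
static const unsigned char SAMPLE[] = {
    4,0,0,0,  8,0,0,0,  3,0,0,0,  'G','N','U',0,
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
    0,0,0,0,  0,0,0,0,  1,0,0,0
};
/* Constructed sample whose descsz (64) claims more bytes than remain in the section. */
static const unsigned char TRUNCATED[] = {
    4,0,0,0,  64,0,0,0,  3,0,0,0,  'G','N','U',0,  0xaa,0xbb,0xcc,0xdd
};

note_walk sample_walk(void)    { return walk_notes(SAMPLE, sizeof SAMPLE); }
note_walk truncated_walk(void) { return walk_notes(TRUNCATED, sizeof TRUNCATED); }

int main(void) {
    note_walk a = sample_walk(), b = truncated_walk();
    printf("sample: %zu notes, %zu unnamed, truncated=%d, first=%s, last=%s\n",
           a.notes, a.unnamed, a.truncated, a.first_type, a.last_type);
    printf("truncated: %zu notes, truncated=%d\n", b.notes, b.truncated);
    return 0;
}
```

walk_notes() reports how many notes it parsed, how many had no owner, and whether the section ended early. For the first sample the trailing unnamed note is classified without any access to the name pointer, which sits exactly one past the end of the buffer, the position the ASan report above flags; for the second sample the oversized descsz stops the walk with truncated set instead of reading beyond the section.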