[Bug 1033090] New: VUL-1: CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file
http://bugzilla.opensuse.org/show_bug.cgi?id=1033090

            Bug ID: 1033090
           Summary: VUL-1: CVE-2017-7613: elfutils: denial of service (memory
                    consumption) via a crafted ELF file
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 720368
  --> http://bugzilla.opensuse.org/attachment.cgi?id=720368&action=edit
CVE-2017-7613_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7613
===================================================
Description

elflint.c in elfutils 0.168 does not validate the number of sections and the
number of segments, which allows remote attackers to cause a denial of service
(memory consumption) via a crafted ELF file.

Source: MITRE
Last Modified: 04/09/2017
===================================================
Hyperlink:
[1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-i...

[1]:
===================================================
elfutils: memory allocation failure in xcalloc (xmalloc.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop in
replacement for libelf).

A fuzz on eu-elflint showed a memory allocation failure.

The interesting ASan output:

# eu-elflint -d $FILE
==5053==AddressSanitizer CHECK failed: /tmp/portage/sys-devel/gcc-6.3.0/work/gcc-6.3.0/libsanitizer/sanitizer_common/sanitizer_common.cc:180 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7faa2335941d (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcb41d)
    #1 0x7faa2335f063 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd1063)
    #2 0x7faa2335f24d (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd124d)
    #3 0x7faa23368c52 (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xdac52)
    #4 0x7faa232ba0b9 (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x2c0b9)
    #5 0x7faa232b249b (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x2449b)
    #6 0x7faa2335040a in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc240a)
    #7 0x431b8d in xcalloc /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/lib/xmalloc.c:64
    #8 0x41f0bb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3680
    #9 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #10 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #11 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #12 0x7faa21c6378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #13 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00133.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00236-elfutils-memallocfailure

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
elfutils: memory allocation failure in xcalloc (xmalloc.c)
===================================================
(open-)SUSE: https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-elflint -d 00236-elfutils-memallocfailure
e_ident[14] is not zero
e_ident[15] is not zero
unknown object file type 0
invalid program header offset
invalid machine flags: 0x40001a
invalid ELF header size: 56
invalid program header size: -1
invalid section header size: 27
zeroth section has nonzero name
zeroth section has nonzero type
zeroth section has nonzero flags
zeroth section has nonzero offset
zeroth section has nonzero align value
zeroth section has nonzero entry size value
zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx
eu-elflint: memory exhausted
===================================================

-- 
You are receiving this mail because:
You are on the CC list for the bug.
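The description above says the problem is that elflint sized its per-section and per-segment tables from e_shnum / e_phnum without checking that those counts could possibly be backed by the file, so a 64-byte header claiming tens of thousands of entries drove xcalloc into "memory exhausted". The following is an added example, written for this note and not code from the bug report, the Gentoo post or elfutils itself: it parses an ELF64 header with Python's struct module and refuses to allocate when offset + count * entsize does not fit inside the file. The function names, the constructed headers and the sample counts are assumptions made for illustration; the extended-numbering convention (e_shnum == 0 with the real count in section 0, e_phnum == 0xffff) is deliberately left out.

```python
"""Sanity-check ELF64 section/program header counts before allocating
per-entry tables (added defensive example, not elfutils code)."""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_SIZE = 64          # sizeof(Elf64_Ehdr)
PHDR_SIZE = 56          # sizeof(Elf64_Phdr)
SHDR_SIZE = 64          # sizeof(Elf64_Shdr)

# Field names of Elf64_Ehdr after the 16-byte e_ident, in file order.
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
EHDR_FMT = "HHIQQQIHHHHHH"   # 48 bytes with native alignment disabled


def parse_ehdr(data: bytes) -> dict:
    """Decode the ELF64 header fields that drive table allocations."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("truncated or non-ELF input")
    if data[4] != 2:                      # EI_CLASS: only ELFCLASS64 handled here
        raise ValueError("only ELFCLASS64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: ELFDATA2LSB or MSB
    values = struct.unpack(endian + EHDR_FMT, data[16:EHDR_SIZE])
    return dict(zip(EHDR_FIELDS, values))


def check_table(file_size: int, name: str, off: int, num: int,
                entsize: int, min_entsize: int):
    """Return None when 'num' entries of 'entsize' bytes at 'off' lie inside
    the file, otherwise a reason string. This is the check to run *before*
    calling calloc(num, sizeof(entry))."""
    if num == 0:
        return None                       # nothing to allocate
    if entsize < min_entsize:
        return f"{name}: entry size {entsize} is smaller than {min_entsize}"
    # Python integers do not overflow; a C port must first reject
    # num > (SIZE_MAX - off) / entsize to keep this multiplication honest.
    end = off + num * entsize
    if off >= file_size or end > file_size:
        return (f"{name}: {num} entries x {entsize} bytes at offset {off} "
                f"exceed file size {file_size}")
    return None


def validate_counts(data: bytes) -> list:
    """Run the table-fits-in-file check for both header tables; an empty
    list means the counts are plausible and allocation may proceed."""
    h = parse_ehdr(data)
    tables = (
        ("program headers", h["e_phoff"], h["e_phnum"], h["e_phentsize"], PHDR_SIZE),
        ("section headers", h["e_shoff"], h["e_shnum"], h["e_shentsize"], SHDR_SIZE),
    )
    problems = []
    for name, off, num, ent, min_ent in tables:
        reason = check_table(len(data), name, off, num, ent, min_ent)
        if reason:
            problems.append(reason)
    return problems


def make_header(e_phnum: int, e_shnum: int, e_phoff: int = EHDR_SIZE,
                e_shoff: int = EHDR_SIZE) -> bytes:
    """Constructed little-endian ELF64 header (ET_REL, EM_X86_64) carrying
    the given counts; a synthetic test vector, not a real binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # class, data, version, OS ABI, pad
    return e_ident + struct.pack("<" + EHDR_FMT, 1, 62, 1, 0, e_phoff, e_shoff, 0,
                                 EHDR_SIZE, PHDR_SIZE, e_phnum, SHDR_SIZE, e_shnum, 0)


# Constructed samples: one header whose 3 section entries are actually present
# in the file, and one bare header that claims 60000 entries of each kind.
SANE_FILE = make_header(e_phnum=0, e_shnum=3) + bytes(3 * SHDR_SIZE)
OVERCLAIMING_FILE = make_header(e_phnum=60000, e_shnum=60000)

if __name__ == "__main__":
    for label, blob in (("sane", SANE_FILE), ("overclaiming", OVERCLAIMING_FILE)):
        print(label, validate_counts(blob) or "ok")
```

Run as a script it reports "ok" for the first sample and two size violations for the second; the point is that the rejection happens from header arithmetic alone, before any count-sized buffer is requested, which is exactly the stage at which the 0.158 and 0.168 elflint in this report ran out of memory.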
http://bugzilla.opensuse.org/show_bug.cgi?id=1033090

Mikhail Kasimov <mikhail.kasimov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2017-7613