[Bug 1033087] New: VUL-1: CVE-2017-7610: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
http://bugzilla.opensuse.org/show_bug.cgi?id=1033087

            Bug ID: 1033087
           Summary: VUL-1: CVE-2017-7610: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 720365
  --> http://bugzilla.opensuse.org/attachment.cgi?id=720365&action=edit
CVE-2017-7610_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7610
===================================================
Description
The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
Source: MITRE
Last Modified: 04/09/2017
===================================================
Hyperlink:
[1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-...

[1]:
===================================================
elfutils: heap-based buffer overflow in check_group (elflint.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.
The complete ASan output:

# eu-elflint -d $FILE
==12804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000041a39f bp 0x7ffee6a331d0 sp 0x7ffee6a331c8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x41a39e in check_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664
    #1 0x420787 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4132
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7ff003f13288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7ff003b6fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7ff003b6fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7ff003b70662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7ff003b70776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x420935 in check_scn_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:544
    #6 0x420935 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3940
    #7 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #8 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #9 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #10 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664 in check_group
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 04 fa fa fa[01]fa fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12804==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00137.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00247-elfutils-heapoverflow-chec...
Timeline:
2017-03-28: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
elfutils: heap-based buffer overflow in check_group (elflint.c)
===================================================

(open-)SUSE: https://software.opensuse.org/package/elfutils
0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-readelf -a 00247-elfutils-heapoverflow-check_group
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 45 4c 46
  Class:                             ELF32
  Data:                              2's complement, big endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           <unknown>
  Version:                           184549632 (???)
  Entry point address:               0x6004
  Start of program headers:          536870912 (bytes into file)
  Start of section headers:          64 (bytes into file)
  Flags:                             0x38000a
  Size of this header:               64 (bytes)
  Size of program header entries:    37 (bytes)
  Number of program headers entries: 34
  Size of section header entries:    6 (bytes)
  Number of section headers entries: 0 (48 in [0].sh_size)
  Section header string table index: 5

Section Headers:
[Nr] Name      Type                 Addr     Off      Size     ES Flags      Lk          Inf         Al
[ 0] <corrupt> <unknown>: 64        00000030 2000000  000030   3             33554432    62471       0
[ 1] <corrupt> <unknown>: 112       00000070 2400000  000066   28            37748736    28          0
[ 2] <corrupt> PROGBITS             00ffff01 000005   000000   0             0           0           4194304
[ 3] <corrupt> <unknown>: 68        00000044 7000000  000000   16            2097152     1           6
[ 4] <corrupt> PREINIT_ARRAY        00000010 e600000  000030   0             33554432    56          33614336
[ 5] <corrupt> SYMTAB               00000028 e000000  000028   208 AX        241172480   40          241172480
[ 6] <corrupt> <unknown>: 208       00000008 000000   000004   140           570425348   140         33554432
[ 7] <corrupt> <unknown>: 140       00000020 000000   000020   80            0           4           0
[ 8] <corrupt> <unknown>: 24        00000018 6400000  000018   52            104857600   52          0
[ 9] <corrupt> RELA                 00000051 e5746406 000000   0             0           0           4294967286
[10] <corrupt> NULL                 00000000 000000   000010   16            0           82          3849610244
[11] <corrupt> PREINIT_ARRAY        00000010 e600000  0000f0   1             16777216    240         16777216
[12] <corrupt> <unknown>: 128       43000000 000000   00faff   10 NT         2816        0           0
[13] <corrupt> NULL                 e1000008 000000   00002f   1970810232 WAXMSILNGT 1818845750 875523172 762079598
[14] <corrupt> <unknown>: 875459439 00000010 f1ffff00 000000   0 X           0           0           0
[15] <corrupt> NULL                 06000000 20000000 000000   0             16908288    393237      0
[16] <corrupt> SYMTAB_SHNDX         00000000 000000   000004   305787531     34799616    1310720     11772663
[17] <corrupt> NULL                 00000000 000000   000000   0             10027008    1179648     0
[18] <corrupt> NULL                 00120000 000000   000000   1179648       0           0           720896
[19] <corrupt> NULL                 00000000 2f0000   120000   4294770688    0           0           0
[20] <corrupt> <unknown>: 1179648   00000000 000000   000000   0             8388608     1179648     0
[21] <corrupt> NULL                 00120000 000000   000000   1179648       -2147483648 0           2031616
[22] <corrupt> NULL                 0000007f 000012   000000   158           0           0           0
[23] <corrupt> NULL                 00000000 000000   000034   0             18          0           0
[24] <corrupt> <unknown>: 76        00000000 000000   000000   0 AM          0           23          18
[25] <corrupt> NULL                 00000053 000012   000000   122           0           0           0
[26] <corrupt> NULL                 00000000 000000   000028   0             18          0           0
[27] <corrupt> SYMTAB_SHNDX         00000000 000000   000000   0 AM          0           -50331558   0
[28] <corrupt> <unknown>: -805158912 00000000 000000  000000   0             50332928    805519360   0
[29] <corrupt> NULL                 70034000 000000   000000   2013478912 GT 0           0           50333440
[30] <corrupt> NULL                 00000000 3000800  98034000 1701667696    111         1667331177  1869480045
[31] <corrupt> SHT_LOOS+c6c6f63     61726700 73746465 72720067 1819243363 XMSI 1702129520 1952410735 1852244067
[32] <corrupt> SHT_LOOS+e006670     66005f5f 6c696284 5f737461 6250343 XMSIGTO 1920229229 1634299392 1718773093
[33] <corrupt> NULL                 00000300 400d002  40000000 768           0           0           0
[34] <corrupt> <unknown>: 1073741824 00000000 000000  000300   0             100691971   1073741824  0
[35] <corrupt> <unknown>: 768       40000000 000000   000000   1073741824 WA 0           768         134256643
[36] <corrupt> NULL                 01000000 6000000  100e0000 269380608     0           269377536   0
[37] <corrupt> <unknown>: 805502720 380200ea ffff00   002040   672006144     14811135    -65536      100663296
[38] <corrupt> <unknown>: 672030720 280e6000 000000   d0000000 100663296    0           -132161536  0
[39] <corrupt> NULL                 c0206000 000000   5000000  3760218112    318767104   0           0
[40] <corrupt> <unknown>: 83886080  00000000 000000   3000964  0             212992      0           0
[41] <corrupt> <unknown>: 50334208  00000000 000000   000000   0 OE          0           50334464    536870912
[42] <corrupt> NULL                 000000ee 000000   000000   0             238         0           196634
[43] <corrupt> <unknown>: 452984832 00000000 000000   000000   0             768         469762048   0
[44] <corrupt> NULL                 1d000000 000000   000000   503316480 NG  0           0           768
[45] <corrupt> NULL                 00000000 000300   1f000000 0             0           0           0
[46] <corrupt> <unknown>: 536870912 00000000 000000   0400f1   0             -16777216   0           0
[47] <corrupt> GROUP                00000000 000041   000001   0 SIGT        1441792     25600       0

Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???

Invalid symbol table at offset 0xe5746406
===================================================

-- 
You are receiving this mail because:
You are on the CC list for the bug.
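The ASan trace above pins the bug down: elf_getdata() returned a 1-byte heap region for a SHT_GROUP section (section [47] in the eu-readelf dump has Size 000001), and check_group then performed a 4-byte READ from it. A section group's payload is a sequence of Elf32_Word values, the first being the GRP flags word, so any reader must check d_size before touching that word. The following is an added illustration of that guard in C; it is not elfutils code and does not claim to reproduce the fix in the referenced commit. The group layout (flags word followed by member section indices) is from the ELF specification; the sample buffers, the section count of 48 (taken from "48 in [0].sh_size" above) and the function and enum names are constructed for this example.

```c
/*
 * Added example (not elfutils code): reading a SHT_GROUP section's payload
 * with the size checks a linter needs so that a 1-byte section cannot cause
 * a 4-byte over-read of the flags word.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef GRP_COMDAT
#define GRP_COMDAT 0x1u           /* ELF spec: the group is a COMDAT group */
#endif

enum group_status {
    GROUP_OK = 0,
    GROUP_ERR_TOO_SHORT,          /* d_size < sizeof(Elf32_Word): flags word would over-read */
    GROUP_ERR_BAD_MULTIPLE,       /* d_size is not a whole number of Elf32_Word */
    GROUP_ERR_BAD_MEMBER          /* member index is SHN_UNDEF (0) or >= section count */
};

struct group_info {
    uint32_t flags;
    size_t nmembers;
    const unsigned char *member_bytes;   /* into the caller's buffer, just past the flags word */
};

/* libelf's elf_getdata() hands back data already converted to host byte order
 * (convert_data in the trace), so words are read in host order. memcpy avoids
 * assuming the heap buffer is 4-byte aligned. */
static uint32_t word_at(const unsigned char *p, size_t i)
{
    uint32_t w;
    memcpy(&w, p + i * sizeof w, sizeof w);
    return w;
}

uint32_t group_member(const struct group_info *g, size_t i)
{
    return word_at(g->member_bytes, i);
}

/* Hardened reader: every byte it touches lies inside [d_buf, d_buf + d_size). */
enum group_status parse_group_section(const unsigned char *d_buf, size_t d_size,
                                      size_t shnum, struct group_info *out)
{
    /* With d_size == 1 an unguarded read of the first Elf32_Word is exactly
     * the "READ of size 4" from a "1-byte region" that ASan reported. */
    if (d_size < sizeof(uint32_t))
        return GROUP_ERR_TOO_SHORT;
    if (d_size % sizeof(uint32_t) != 0)
        return GROUP_ERR_BAD_MULTIPLE;

    out->flags = word_at(d_buf, 0);
    out->nmembers = d_size / sizeof(uint32_t) - 1;
    out->member_bytes = d_buf + sizeof(uint32_t);

    for (size_t i = 0; i < out->nmembers; i++) {
        uint32_t idx = group_member(out, i);
        if (idx == 0 || idx >= shnum)
            return GROUP_ERR_BAD_MEMBER;
    }
    return GROUP_OK;
}

/* Constructed inputs for the demonstration (assumptions, not bytes from the crafted file). */
#define SHNUM 48                                   /* "48 in [0].sh_size" in the dump above */
static const unsigned char crafted_1byte[1] = { 0x00 };   /* sh_size == 1, like section [47] */
static const unsigned char odd_5bytes[5] = { 0, 0, 0, 0, 0 };
static unsigned char valid_group[3 * sizeof(uint32_t)];
static unsigned char bad_member_group[2 * sizeof(uint32_t)];
static struct group_info valid_info;

static void build_inputs(void)
{
    uint32_t good[3] = { GRP_COMDAT, 3, 5 };      /* flags, then member section indices */
    uint32_t bad[2]  = { 0, 200 };                 /* member 200 >= SHNUM */
    memcpy(valid_group, good, sizeof good);
    memcpy(bad_member_group, bad, sizeof bad);
}

enum group_status crafted_status(void)
{
    struct group_info g;
    return parse_group_section(crafted_1byte, sizeof crafted_1byte, SHNUM, &g);
}

enum group_status odd_size_status(void)
{
    struct group_info g;
    return parse_group_section(odd_5bytes, sizeof odd_5bytes, SHNUM, &g);
}

enum group_status bad_member_status(void)
{
    struct group_info g;
    build_inputs();
    return parse_group_section(bad_member_group, sizeof bad_member_group, SHNUM, &g);
}

enum group_status valid_status(void)
{
    build_inputs();
    return parse_group_section(valid_group, sizeof valid_group, SHNUM, &valid_info);
}

uint32_t valid_flags(void)        { return valid_info.flags; }
size_t   valid_member_count(void) { return valid_info.nmembers; }
uint32_t valid_first_member(void) { return group_member(&valid_info, 0); }

int main(void)
{
    printf("1-byte GROUP section: status %d (GROUP_ERR_TOO_SHORT is %d)\n",
           crafted_status(), GROUP_ERR_TOO_SHORT);
    if (valid_status() == GROUP_OK)
        printf("valid group: flags 0x%x, %zu members, first member section %u\n",
               valid_flags(), valid_member_count(), valid_first_member());
    return 0;
}
```

The order of the checks matters: the length test comes before any dereference, so the crafted 1-byte section is rejected as a format error rather than read, and the member-range test runs only on words that are known to be inside the buffer. eu-elflint's job is to report such malformed input, which is why a size check at this point turns a crash into a diagnostic.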
http://bugzilla.opensuse.org/show_bug.cgi?id=1033087

Mikhail Kasimov <mikhail.kasimov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2017-7610