[Bug 1001132] New: VUL-1: CVE-2016-7510: libdwarf: Out-of-bounds read in read_line_table_program
http://bugzilla.suse.com/show_bug.cgi?id=1001132

Bug ID: 1001132
Summary: VUL-1: CVE-2016-7510: libdwarf: Out-of-bounds read in read_line_table_program
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: dmueller@suse.com
Reporter: abergmann@suse.com
QA Contact: qa-bugs@suse.de
Found By: Security Response Team
Blocker: ---

https://www.prevanders.net/libdwarf-20160923.tar.gz

bugxml/data.txt

id: DW201609-003
cve: CVE-2016-7410
datereported: 20160913
reportedby: https://marc.info/?l=oss-security&m=147391785920048&w=2
vulnerability: libdwarf 20160613 heap-buffer-overflow
product: libdwarf
description: With AddressSanitizer, we found a Heap-Buffer-overflow in the latest release version of dwarfdump. The crash output is as follows:
<pre>
See also: https://marc.info/?l=oss-security&m=147378394815872&w=2
The testcase poc is from this web page.
</pre>
<pre>
==17411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3808904 at pc 0x80a6f76 bp 0xffb95e78 sp 0xffb95a5c
READ of size 4 at 0xf3808904 thread T0
==17411==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x80a6f75 in __interceptor_memcpy ??:?
    #1 0x8426c3b in _dwarf_read_loc_section /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:919
    #2 0x84250e2 in _dwarf_get_loclist_count /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:970
    #3 0x8438826 in dwarf_get_loclist_c /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc2.c:551
    #4 0x81a1be8 in get_location_list /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:3523
    #5 0x816e1a2 in print_attribute
</pre>
_dwarf_get_loclist_header_start() is not cautious about values in the header being absurdly large. Unclear as yet if this is the problem but it is a potential problem (fixed for next release).
<pre>
Address Sanitizer in gcc reproduces the report.
In _dwarf_read_loc_section() the simple calculation of loc_section_end was wrong, so end-of-section was incorrect for the local reads. With that fixed we get DW_DLE_READ_LITTLEENDIAN_ERROR when libdwarf attempts to read off end of section.
</pre>
datefixed:
references: regressiontests/DW201609-003/poc
gitfixid: 3767305debcba8bd7e1c483ae48c509d25399252
tarrelease:
endrec:

References:
https://www.prevanders.net/dwarf.html#releases
https://bugzilla.redhat.com/show_bug.cgi?id=1378718
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7510

--
You are receiving this mail because: You are on the CC list for the bug.
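The root cause recorded above is a loc_section_end that did not match the real end of the section, so a memcpy driven by a length taken from the data could read past the heap buffer. As an added illustration that is not libdwarf's code, here is a bounds-checked reader for a constructed loclist-style entry (a 2-byte little-endian expression length followed by that many bytes), with the section end derived from the actual section size and every read refused before it can leave the section; the entry layout, the DW_DLV_* status values, the sample bytes and all function names are assumptions made for this example.

```c
/* Added example, not libdwarf code: a bounds-checked reader for a
 * constructed loclist-style entry (2-byte little-endian length, then
 * that many bytes).  Status codes are hypothetical, modelled on
 * libdwarf's DW_DLV_* names. */
#include <stddef.h>
#include <stdint.h>

#define DW_DLV_OK    0
#define DW_DLV_ERROR 1

/* True if [ptr, ptr+len) lies inside [sec, sec_end).  Compares the bytes
 * remaining instead of forming ptr + len, so an absurdly large len read
 * from the data cannot wrap the pointer back inside the section. */
static int in_section(const uint8_t *ptr, size_t len,
                      const uint8_t *sec, const uint8_t *sec_end)
{
    if (ptr < sec || ptr > sec_end) return 0;
    return len <= (size_t)(sec_end - ptr);
}

/* Reads the entry at `offset`.  loc_section_end comes from the real
 * section size (the calculation the report says was wrong); both the
 * length field and the expression block are checked before any access,
 * where the unchecked version would memcpy past the heap buffer. */
int read_loc_entry(const uint8_t *section, size_t section_size,
                   size_t offset, uint16_t *expr_len, size_t *next_offset)
{
    const uint8_t *loc_section_end = section + section_size;
    const uint8_t *cursor;
    uint16_t len;
    if (offset > section_size) return DW_DLV_ERROR;
    cursor = section + offset;
    if (!in_section(cursor, 2, section, loc_section_end)) return DW_DLV_ERROR;
    len = (uint16_t)(cursor[0] | (cursor[1] << 8));
    cursor += 2;
    if (!in_section(cursor, len, section, loc_section_end)) return DW_DLV_ERROR;
    *expr_len = len;
    *next_offset = (size_t)(cursor - section) + len;
    return DW_DLV_OK;
}

/* Constructed sample: entry 0 holds 2 bytes, entry 4 holds 0 bytes, and
 * entry 6 claims 0xFFFF bytes that the 8-byte section cannot contain. */
static const uint8_t SAMPLE_SECTION[] = { 0x02, 0x00, 0xAA, 0xBB,
                                          0x00, 0x00, 0xFF, 0xFF };

/* Offset of the entry following the one at `offset`, or -1 if refused. */
long sample_entry_next(size_t offset)
{
    uint16_t len; size_t next;
    if (read_loc_entry(SAMPLE_SECTION, sizeof SAMPLE_SECTION, offset, &len, &next) != DW_DLV_OK)
        return -1;
    return (long)next;
}
```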