[Bug 1023611] New: VUL-0: pax-utils: dumpelf: two invalid memory read in dumpelf.c
http://bugzilla.opensuse.org/show_bug.cgi?id=1023611

Bug ID: 1023611
Summary: VUL-0: pax-utils: dumpelf: two invalid memory read in dumpelf.c
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/310

=============================================

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on scanelf exposed two invalid memory reads. They were reported to vapier, who fixed the issue immediately. Unfortunately I can't get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb.

# dumpelf $FILE
SEGV on unknown address 0x7f8d94dc9e28 (pc 0x00000051efc6 bp 0x7ffe15ddbfa0 sp 0x7ffe15ddbf60 T0)
==31647==The signal is caused by a READ memory access.

(gdb)
#0 0x00000000004067f7 in dump_dyn (dyn_void=dyn_void@entry=0x7ff5f7ff6e28, dyn_cnt=dyn_cnt@entry=0, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:486
#1 0x0000000000401e24 in dumpelf (file_cnt=0, filename=) at dumpelf.c:146
#2 parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#3 main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00140-pax-utils-dumpelf-invalidr...

# dumpelf $FILE
SEGV on unknown address 0x6360e1292000 (pc 0x00000051fba9 bp 0x7ffeef817f20 sp 0x7ffeef817ec0 T0)
==8213==The signal is caused by a READ memory access.

(gdb)
#0 dump_notes (B=B@entry=64, memory=memory@entry=0x63fff7ff5000, memory_end=0x6414f7ff5000, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:228
#1 0x0000000000405636 in dump_phdr (elf=elf@entry=0x60d8e0, phdr_void=phdr_void@entry=0x7ffff7ff50f0, phdr_cnt=phdr_cnt@entry=1) at dumpelf.c:324
#2 0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91
#3 parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#4 main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00141-pax-utils-dumpelf-invalidr...

Affected version: 1.2.2
Fixed version: N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/18ded0e30ee5a84260cceb80d818b9c21...

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: N/A

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-two-invalid-memory...

--
Agostino Sarubbo
Gentoo Linux Developer

=============================================
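Added illustration, not code from pax-utils or from the fix commit linked above: a bounds-checked walk over an ELF64 note segment of the kind dump_notes performs, which validates the note header and the namesz/descsz payload against the segment end before reading any of those bytes. The constructed sample notes assume a little-endian host; count_notes and the sample arrays are names chosen here.

```c
/* Added example (not pax-utils code): bounds-checked iteration over an
 * ELF64 note segment [mem, mem_end). Every read is preceded by a check
 * that the bytes lie inside the segment, so a crafted namesz/descsz
 * cannot push the parser past the mapping. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint32_t n_namesz, n_descsz, n_type; } Elf64_Nhdr_min;

/* Count well-formed notes; return -1 at the first note whose header or
 * payload would extend past mem_end. */
int count_notes(const unsigned char *mem, const unsigned char *mem_end)
{
    int n = 0;
    const unsigned char *p = mem;
    while (p < mem_end) {
        Elf64_Nhdr_min nh;
        if ((size_t)(mem_end - p) < sizeof nh)
            return -1;                 /* header itself is truncated */
        memcpy(&nh, p, sizeof nh);
        /* widen before rounding so 0xffffffff cannot wrap to a small value */
        size_t namesz = ((size_t)nh.n_namesz + 3) & ~(size_t)3;
        size_t descsz = ((size_t)nh.n_descsz + 3) & ~(size_t)3;
        size_t remain = (size_t)(mem_end - p) - sizeof nh;
        /* check each part against what is left, never a summed length */
        if (namesz > remain || descsz > remain - namesz)
            return -1;                 /* payload would run past the segment */
        p += sizeof nh + namesz + descsz;
        n++;
    }
    return n;
}

/* Constructed sample: one valid NT_GNU_ABI_TAG note (namesz=4, descsz=16). */
static const unsigned char good_note[] = {
    4,0,0,0,  16,0,0,0,  1,0,0,0,
    'G','N','U',0,
    0,0,0,0,  2,0,0,0,  6,0,0,0,  0,0,0,0
};
/* Constructed sample: same bytes, but descsz claims 0x1000 in a 32-byte segment. */
static const unsigned char bad_note[] = {
    4,0,0,0,  0,0x10,0,0,  1,0,0,0,
    'G','N','U',0,
    0,0,0,0,  2,0,0,0,  6,0,0,0,  0,0,0,0
};

int main(void)
{
    printf("good: %d\n", count_notes(good_note, good_note + sizeof good_note));
    printf("bad:  %d\n", count_notes(bad_note, bad_note + sizeof bad_note));
    return 0;
}
```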