https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41240
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40896
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40895
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40802
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40801
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40799
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40627
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40729
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40731
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40674#c6
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40673
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40671
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40669
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40663
This should be visible after redhat makes it public. Filed on bugzilla.redhat 23 November 2021. bugzilla.redhat.com/show_bug.cgi?id=2026000
Unable to enter in bugzilla.redhat.com so CVE can be completed by Fedora (as CNA) as dwarfdump is not part of Fedora
This should be visible after redhat makes it public. Filed on bugzilla.redhat 22 November 2021. bugzilla.redhat.com/show_bug.cgi?id=2025694
seehttps://bugzilla.redhat.com/show_bug.cgi?id=1465756 for contact information of those finding the bug. Fabian Wolff sent email and provided the link to the web page.
Fix date is irrelevant, libdwarf no longer uses libelf.A portion of sanitizer output with Ubuntu 14.04: ==180133==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cff1 at pc 0x0000004476f4 bp 0x7fff87dd7dd0 sp 0x7fff87dd7590 READ of size 8 at 0x60d00000cff1 thread T0 #0 0x4476f3 in __interceptor_strncmp (/home/ubuntu/subjects/ build-asan/libdwarf/dwarfdump/dwarfdump+0x4476f3) #1 0x7992ae in this_section_dwarf_relevant /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/dwarf_init_finish.c:608:13 #2 0x781064 in _dwarf_setup /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/dwarf_init_finish.c:722:14 #3 0x77d59c in dwarf_object_init /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/dwarf_init_finish.c:922:20 With Ubuntu 16.04 libelf dwarfdump gets: ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30) a call to elf_strptr() failed trying to get a section name
A portion of sanitizer output with Ubuntu 14.04: ==180130==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000589c at pc 0x0000006cab95 bp 0x7fff749aab10 sp 0x7fff749aab08 READ of size 1 at 0x61100000589c thread T0 #0 0x6cab94 in dwarf_formsdata /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/dwarf_form.c:937:9 #1 0x567daf in get_small_encoding_integer_and_name /home/ubuntu/subjects/ build-asan/libdwarf/dwarfdump/print_die.c:1533:16 #2 0x562f28 in get_attr_value /home/ubuntu/subjects/ build-asan/libdwarf/dwarfdump/print_die.c:5030:24 #3 0x555f86 in print_attribute /home/ubuntu/subjects/ build-asan/libdwarf/dwarfdump/print_die.c:3357:13 After fixes applied dwarfdump says: ERROR: dwarf_attrlist: DW_DLE_DW_DLE_ATTR_OUTSIDE_SECTION(281)
A portion of sanitizer output with Ubuntu 14.04: ==180112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000bf72 at pc 0x00000084dd52 bp 0x7ffc12136fd0 sp 0x7ffc12136fc8 READ of size 1 at 0x60800000bf72 thread T0 #0 0x84dd51 in _dwarf_read_loc_expr_op /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/./dwarf_loc.c:250:9 #1 0x841f16 in _dwarf_get_locdesc_c /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/./dwarf_loc2.c:109:15 #2 0x837d08 in dwarf_get_loclist_c /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/./dwarf_loc2.c:685:18 #3 0x57dff2 in get_location_list /home/ubuntu/subjects/ build-asan/libdwarf/dwarfdump/print_die.c:3812:16 After fixes applied dwarfdump says: ERROR: dwarf_get_loclist_c: DW_DLE_LOCEXPR_OFF_SECTION_END (343) Corrupt dwarf
A portion of sanitizer output with Ubuntu 14.04: ==180109==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b000 at pc 0x00000048fd12 bp 0x7fff4ad31ef0 sp 0x7fff4ad316b0 READ of size 16 at 0x60b00000b000 thread T0 #0 0x48fd11 in __interceptor_strlen (/home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/dwarfdump+0x48fd11) #1 0x7a84a4 in set_up_section /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:285:27 #2 0x79aaa5 in enter_section_in_de_debug_sections_array /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:355:5 #3 0x78170b in _dwarf_setup /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:746:19 With Ubuntu 16.04 libelf one gets: ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30) a call to elf_strptr() failed trying to get a section name
With Ubuntu 16.04 libelf one gets: ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30) a call to elf_strptr() failed trying to get a section name Fix date is irrelevant, libdwarf no longer uses libelf.==180106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f00000ef09 at pc 0x000000447300 bp 0x7ffc667dce10 sp 0x7ffc667dc5d0 READ of size 4 at 0x60f00000ef09 thread T0 #0 0x4472ff in __interceptor_strcmp (/home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/dwarfdump+0x4472ff) #1 0x79938f in this_section_dwarf_relevant /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:612:12 #2 0x781064 in _dwarf_setup /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:722:14 #3 0x77d59c in dwarf_object_init /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:922:20 #4 0x899d4f in dwarf_elf_init_file_ownership /
A portion of sanitizer output: .debug_line: line number info for a single cu ==180103==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007ffc at pc 0x0000007b0f5b bp 0x7ffe06bbf510 sp 0x7ffe06bbf508 READ of size 1 at 0x610000007ffc thread T0 #0 0x7b0f5a in _dwarf_decode_s_leb128_chk /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/dwarf_leb.c:304:9 #1 0x7e753e in read_line_table_program /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/./ dwarf_line_table_reader_common.c:1167:17 #2 0x7d7fe3 in _dwarf_internal_srclines /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/./dwarf_line.c:690:15 #3 0x7f9dbb in dwarf_srclines_b /home/ubuntu/ subjects/build-asan/libdwarf/libdwarf/./dwarf_line.c:944:12 #4 0x5caaa5 in print_line_numbers_this_cu /home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/print_lines.c:762:16 After fix applied one gets: ERROR: dwarf_srclines: DW_DLE_LEB_IMPROPER (329) Runs off end of section or CU
A portion of sanitizer output: LOCAL_SYMBOLS: < 1><0x0000002f> DW_TAG_subprogram ==180088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000bf72 at pc 0x0000006cab95 bp 0x7fff31425830 sp 0x7fff31425828 READ of size 1 at 0x60800000bf72 thread T0 #0 0x6cab94 in dwarf_formsdata /home/ubuntu/subjects/ build-asan/libdwarf/libdwarf/dwarf_form.c:937:9 #1 0x567daf in get_small_encoding_integer_and_name /home/ ubuntu/subjects/build-asan/libdwarf/dwarfdump/print_die.c:1533:16 #2 0x576f38 in check_for_type_unsigned /home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/print_die.c:4301:11 #3 0x56ad8c in formxdata_print_value /home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/print_die.c:4374:39 #4 0x5643be in get_attr_value /home/ubuntu/ subjects/build-asan/libdwarf/dwarfdump/print_die.c:5140:24 #5 0x555f86 in print_attribute /home/ubuntu/subjects/build ... After fixes applied dwarfdump gets: ERROR: dwarf_attrlist: DW_DLE_DW_DLE_ATTR_OUTSIDE_SECTION(281)
Fixed in gentoo libelf by Agostino Sarubbo.blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/ www.openwall.com/lists/oss-security/2017/03/22/2
Fixed in gentoo libelf by Agostino Sarubbo.bugzilla.redhat.com/show_bug.cgi?id=1387584 www.openwall.com/lists/oss-security/2017/03/22/1 blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/
For the orignal bug report seeheap-buffer-overflow in dwarf_util.c:208 for val_ptr # Version bb9a3492ac5713bed9cf3ae58ddb7afa6e9e98f8 (in regression tests here named heap_buf_overflow.o) # ASAN Output <0> tag: 17 DW_TAG_compile_unit name: "strstrnocase.c" FORM 0xe "DW_FORM_strp" <1> tag: 46 DW_TAG_subprogram name: "is_strstrnocase" FORM 0xe "DW_FORM_strp" ================= ==1666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5846db9 at p c 0x080b3a1b bp 0xbfa75d18 sp 0xbfa75d08 READ of size 1 at 0xb5846db9 thread T0 #0 0x80b3a1a in _dwarf_get_size_of_val /home/puzzor/libdwarf-code/ libdwarf/dwarf_util.c:208 #1 0x8056602 in _dwarf_next_die_info_ptr /home/puzzor/libdwarf-code/ libdwarf/dwarf_die_deliv.c:1353 #2 0x8057f4b in dwarf_child /home/puzzor/libdwarf-code/libdwarf/ dwarf_die_de liv.c:1688 #3 0x804b5fa in get_die_and_siblings simplereader.c:637 #4 0x804b65c in get_die_and_siblings simplereader.c:643 #5 0x804b3f3 in read_cu_list simplereader.c:611 #6 0x804aeae in main simplereader.c:533 #7 0xb6ffe275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275) #8 0x80491c0 (/home/puzzor/libdwarf-code/dwarfexample/simplereader+ 0x80491c 0) 0xb5846db9 is located 0 bytes to the right of 249-byte region [0xb5846cc0,0xb5846db9) allocated by thread T0 here: #0 0xb727fae4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so. 3+ 0xc3ae4) #1 0xb71a9b98 (/usr/lib/i386-linux-gnu/libelf.so.1+0x9b98)
https://sourceforge.net/p/libdwarf/bugs/5/
0x61300000de1c is located 0 bytes to the right of 348-byte region [0x61300000dcc0,0x61300000de1c) allocated by thread T0 here: #0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1- r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52 #1 0x7f883cfc6206 in __libelf_set_rawdata_wrlock /tmp/portage/dev- libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318
==27994==WARNING: AddressSanitizer failed to allocate 0x62696c2f7273752f bytes ==27994==AddressSanitizer's allocator is terminating the process instead of returning 0 ... #6 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1- #8 0x5b582e in _dwarf_load_section #9 0x5bb479 in dwarf_srcfiles #10 0x5145cd in print_one_die_section
www.securityfocus.com/bid/93601 blogs.gentoo.org/ago/2016/10/06/libdwarf-heap-based- buffer-overflow-in-_dwarf_get_size_of_val-dwarf_util-c/
bugzilla.redhat.com/show_bug.cgi?id=1385690 www.securityfocus.com/bid/93592 Duplicate of CVE-2016-8681
bugzilla.redhat.com/show_bug.cgi?id=1385690 www.securityfocus.com/bid/93592 Duplicate of CVE-2016-8680
https://bugzilla.redhat.com/show_bug.cgi?id=1377015 https://sourceforge.net/p/libdwarf/bugs/4/
# Address Sanitizer Output ==27763==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4603f84 at pc 0x8408ede bp 0xffff6518 sp 0xffff6510 READ of size 1 at 0xf4603f84 thread T0 #0 0x8408edd in read_line_table_program /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433 #1 0x83f716c in _dwarf_internal_srclines /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:690 #2 0x841436c in dwarf_srclines_b /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:944 #3 0x81fbc28 in print_line_numbers_this_cu /home/puzzor/test-fuzzing/code/dwarfdump/print_lines.c:763 #4 0x815c191 in print_one_die_section /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:850 #5 0x81565c1 in print_infos /home/puzzor/test-fuzzing/code/dwarfdump
See also: https://marc.info/?l=oss-security&m=147378394815872&w=2 The testcase poc is from this web page.
_dwarf_get_loclist_header_start() is not cautious about values in the header being absurdly large. Unclear as yet if this is the problem but it is a potential problem (fixed for next release).==17411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3808904 at pc 0x80a6f76 bp 0xffb95e78 sp 0xffb95a5c READ of size 4 at 0xf3808904 thread T0 ==17411==WARNING: Trying to symbolize code, but external symbolizer is not initialized! #0 0x80a6f75 in __interceptor_memcpy ??:? #1 0x8426c3b in _dwarf_read_loc_section /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:919 #2 0x84250e2 in _dwarf_get_loclist_count /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:970 #3 0x8438826 in dwarf_get_loclist_c /home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc2.c:551 #4 0x81a1be8 in get_location_list /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:3523 #5 0x816e1a2 in print_attribute
Address Sanitizer in gcc reproduces the report. In _dwarf_read_loc_section() the simple calculation of loc_section_end was wrong, so end-of section was incorrect for the local reads. With that fixed we get DW_DLE_READ_LITTLEENDIAN_ERROR when libdwarf attempts to read off end of section.
See https://sourceforge.net/p/libdwarf/bugs/3/
_dwarf_make_CU_Context() is insufficiently cautious about the length of a CU being absurd. Unclear as yet if this is the problem but it is a problem and is fixed for next release.==6825== ERROR: AddressSanitizer: SEGV on unknown address 0x0583903c (pc 0xb61f1a98 sp 0xbfa388b4 bp 0xbfa38d08 T0) AddressSanitizer can not provide additional info. #1 0xb61e3c0b (/usr/lib/i386-linux-gnu/libasan.so.0+0xdc0b) #2 0x80a21b1 in _dwarf_get_size_of_val /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_util.c:210 #3 0x8054214 in _dwarf_next_die_info_ptr /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1340 #4 0x80557a5 in dwarf_child /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1640 #5 0x804b23f in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:573
see https://sourceforge.net/p/libdwarf/bugs/2/
==8054==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4c027ab at pc 0x819e4a4 bp 0xff88eb38 sp 0xff88eb30 READ of size 1 at 0xf4c027ab thread T0 #0 0x819e4a3 in dwarf_siblingof_b /home/starlab/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1533 #1 0x8116201 in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1157 Bug report on sourceforge.net bug list for libdwarf. The bad pointer dereference is due to libdwarf not noticing that the DWARF in that file is corrupt. In addition The code was not noticing that it could dereference a pointer that pointed out of bounds in the end-sibling-list loop.
The example from the bug report (DW201609-001-poc) has the same problem. dwarfdump now reports DW_DLE_SIBLING_LIST_IMPROPER on both test2.o and DW201609-001-poc.
bugzilla.redhat.com/show_bug.cgi?id=1330237 www.openwall.com/lists/oss-security/2016/05/24/1 www.openwall.com/lists/oss-security/2016/05/25/1
202 } 203 if (dirno > 0 && fe->fi_dir_index > 0) { 204 inc_dir_name = (char *) line_context->lc_include_directories[ 205 fe->fi_dir_index - 1]; 206 incdirnamelen = strlen(inc_dir_name); <- $pc 207 } 208 full_name = (char *) _dwarf_get_alloc(dbg, #0 create_fullest_file_path (dbg=<optimized out>, fe=0x68d510, line_context=0x68c4f0, name_ptr_out=<optimized out>, error=0x7fffffffe2b8) at ./dwarf_line.c:206 #1 0x00007ffff7b6d3f9 in dwarf_filename (context=<optimized out>, fileno_in=<optimized out>, ret_filename=0x7fffffffe280, error=0x7fffffffe2b8) at ./dwarf_line.c:1418 #2 dwarf_linesrc (line=<optimized out>, ret_linesrc=<optimized out>, error=<optimized out>) at ./dwarf_line.c:1436
1742 Dwarf_Off off2 = 0; 1743 Dwarf_Small *dataptr = 0; 1744 1745 dbg = context->cc_dbg; 1746 dataptr = context->cc_is_info? dbg->de_debug_info.dss_data: <- $pc 1747 dbg->de_debug_types.dss_data; 1748 off2 = context->cc_debug_offset; 1749 info_start = dataptr + off2; 1750 info_end = info_start + context->cc_length + #0 _dwarf_calculate_info_section_end_ptr (context=context@entry=0x0) at dwarf_query.c:1746 #1 0x00002aaaaace307d in _dwarf_extract_string_offset_via_str_offsets (dbg=dbg@entry=0x655a70, info_data_ptr=0x6629f0 "", attrnum=attrnum@entry=121, attrform=attrform@entry=26, cu_context=0x0, str_sect_offset_out=str_sect_offset_out@entry=0x7fffffffd718, error=error@entry=0x7fffffffd878) at dwarf_form.c:1099 #2 0x00002aaaaacf4ed7 in dwarf_get_macro_defundef (macro_context=macro_context@entry=0x65b790, op_number=op_number@entry=1, line_number=line_number@entry=0x7fffffffd858, index=index@entry=0x7fffffffd860, offset=offset@entry=0x7fffffffd868, forms_count=forms_count@entry=0x7fffffffd7ce, macro_string=macro_string@entry=0x7fffffffd870, error=error@entry=0x7fffffffd878) at dwarf_macro5.c:557 ------ _dwarf_calculate_info_section_end_ptr (context=context@entry=0x0) at dwarf_query.c:1746 1746 dataptr = context->cc_is_info? dbg->de_debug_info.dss_data: gef> p/x $rdi $4 = 0x0
1297 } 1298 len = len_in; 1299 endpoint = instp + len; 1300 for (; len > 0;) { 1301 unsigned char ibyte = *instp; <- $pc 1302 int top = ibyte & 0xc0; 1303 int bottom = ibyte & 0x3f; 1304 int delta = 0; 1305 int reg = 0; #0 print_frame_inst_bytes (dbg=dbg@entry=0x655ca0, cie_init_inst=<optimized out>, len_in=<optimized out>, data_alignment_factor=-4, code_alignment_factor=4, addr_size=addr_size@entry=4, offset_size=4, version=3, config_data=config_data@entry=0x63cda0 <g_config_file_data>) at print_frames.c:1301 #1 0x000000000041b70c in print_one_cie (dbg=dbg@entry=0x655ca0, cie=<optimized out>, cie_index=cie_index@entry=2, address_size=<optimized out>, config_data=config_data@entry=0x63cda0 <g_config_file_data>) at print_frames.c:1161 #2 0x000000000041cf52 in print_frames (dbg=0x655ca0, print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0, config_data=config_data@entry=0x63cda0 <g_config_file_data>) at print_frames.c:2229 gef> p/x $r13 $1 = 0x4bcad8 gef> p/x *$r13 Cannot access memory at address 0x4bcad8
1294 for (; len > 0;) { 1295 unsigned char ibyte = *instp; <- $pc 1296 int top = ibyte & 0xc0; #0 print_frame_inst_bytes (dbg=dbg@entry=0x654c80, cie_init_inst=<optimized out>, len=503715, data_alignment_factor=-4, code_alignment_factor=1, addr_size=addr_size@entry=4, offset_size=4, version=3, config_data=config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:1295 #1 0x000000000041b64c in print_one_cie (dbg=dbg@entry=0x654c80, cie=<optimized out>, cie_index=cie_index@entry=1, address_size=<optimized out>, config_data= config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:1161 #2 0x000000000041ce92 in print_frames (dbg=0x654c80, print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0, config_data=config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:2209 gef> x/10x $r13 0x5e7981: Cannot access memory at address 0x5e7981 gef> p/x $r13 $14 = 0x5e7981
#0 dwarf_get_xu_hash_entry (xuhdr=xuhdr@entry=0x657360, index=index@entry=2897626028, hash_value= hash_value@entry=0x7fffffffd5b0, index_to_sections=index_to_sections@entry=0x7fffffffd5a8, err=err@entry=0x7fffffffdb08) at dwarf_xu_index.c:211 #1 0x00002aaaaacfd05e in _dwarf_search_fission_for_key ( dbg=0x654a50, error=0x7fffffffdb08, percu_index_out=<synthetic pointer>, key_in=0x7fffffffd670, xuhdr=0x657360) at dwarf_xu_index.c:363 #2 dwarf_get_debugfission_for_key (dbg=dbg@entry=0x654a50, key=key@entry=0x7fffffffd670, key_type=key_type@entry=0x2aaaaad15e2a "tu", percu_out=percu_out@entry=0x65a830, error=error@entry=0x7fffffffdb08) at dwarf_xu_index.c:577
#0 print_exprloc_content (dbg=dbg@entry=0x654ea0, die=die@entry=0x65b110, attrib=attrib@entry=0x65b590, esbp=esbp@entry=0x7fffffffcef0, showhextoo=1) at print_die.c:4182 #1 0x0000000000412fb1 in get_attr_value (dbg=dbg@entry=0x654ea0, tag=<optimized out>, die=die@entry=0x65b110, dieprint_cu_goffset=dieprint_cu_goffset@entry=11, attrib=attrib@entry=0x65b590, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0, esbp=esbp@entry=0x7fffffffcef0, show_form=0, local_verbose=0) at print_die.c:4972
https://bugzilla.redhat.com/show_bug.cgi?id=1332149
https://bugzilla.redhat.com/show_bug.cgi?id=1332148
https://bugzilla.redhat.com/show_bug.cgi?id=1332145
backtrace: #0 dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0, alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477 #1 0x00002aaaaacf3296 in dealloc_srcfiles (dbg=0x655f30, srcfiles=0x66b8f0, srcfiles_count=17) at dwarf_macro5.c:1025 #2 0x00002aaaaacf50e6 in dealloc_srcfiles (srcfiles_count=<optimized out>, srcfiles=<optimized out>, dbg=<optimized out>) at dwarf_macro5.c:1021 ----- gef> p &r->rd_dbg $14 = (void **) 0x90
https://bugzilla.redhat.com/show_bug.cgi?id=1332144
A crafted ELF file may lead to a large offset value, which bigger than the size of target_section heap chunk, then this WRITE_UNALIGNED() function will write the value of &outval out of the heap chunk. offset is a 64bit unsigned int value, so this is more than a heap overflow bug, but also a Out-of-Bound write bug. So WRITE_UNALIGNED() need more strictly checking to prevent this.WRITE_UNALIGNED(dbg,target_section + offset, &outval,sizeof(outval),reloc_size);
https://bugzilla.redhat.com/show_bug.cgi?id=1332141
valgrind ./dwarfdump -ka aw.elf ==5358== Memcheck, a memory error detector ==5358== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==5358== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==5358== Command: ../../llvm-codes/dwarf-20151114/dwarfdump/dwarfdump -ka aw.elf ==5358== ==5358== Invalid write of size 8 ==5358== at 0x40DA25: get_abbrev_array_info (in /home/xqx/test/libdwarf-test/llvm-codes/dwarf-20151114/dwarfdump/dwarfdump) ==5358== by 0x40FD92: print_one_die_section (in /home/xqx/test/libdwarf-test/llvm-codes/dwarf-20151114/dwarfdump/dwarfdump) www.openwall.com/lists/oss-security/2016/01/19/9 www.openwall.com/lists/oss-security/2016/01/25/3
*** DWARF CHECK: DW_DLE_DEBUG_FRAME_LENGTH_NOT_MULTIPLE len=0x00000010, len size=0x00000004, extn size=0x00000000, totl length=0x00000014, addr size=0x00000008, mod=0x00000004 must be zero in cie, offset 0x00000000. *** 7 ==53495== Invalid read of size 2 1 ==53495== at 0x4C2F7E0: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 2 ==53495== by 0x43287F: dwarf_read_cie_fde_prefix (dwarf_frame2.c:934) 3 ==53495== by 0x431305: _dwarf_get_fde_list_internal (dwarf_frame2.c:268) 4 ==53495== by 0x42EB5F: dwarf_get_fde_list_eh (dwarf_frame.c:1101) 5 ==53495== by 0x41BABE: print_frames (print_frames.c:1835) 6 ==53495== by 0x40485B: process_one_file (dwarfdump.c:1323) 7 ==53495== by 0x403529: main (dwarfdump.c:630) www.openwall.com/lists/oss-security/2016/01/19/3 www.openwall.com/lists/oss-security/2016/05/28/8
bugzilla.redhat.com/show_bug.cgi?id=1291299 www.openwall.com/lists/oss-security/2015/12/10/3
bugzilla.redhat.com/show_bug.cgi?id=1294264 www.openwall.com/lists/oss-security/2016/01/07/11
bugzilla.redhat.com/show_bug.cgi?id=1177758 www.openwall.com/lists/oss-security/2014/12/31/3 www.openwall.com/lists/oss-security/2015/01/03/14