
List:       oss-security
Subject:    [oss-security] CVE Request, Use after free vulnerability in Dwarfdump
From:       xiaoqixue_1 <xiaoqixue_1 () 163 ! com>
Date:       2014-12-31 6:09:23
Message-ID: 3549034.71e7.14a9ef6857e.Coremail.xiaoqixue_1 () 163 ! com



Hi, 

We report a vulnerability in DwarfDump, which is shipped
with every release of the SGI MIPS/IRIX C compiler.
We have reported the issue to the vendor and to the Linux (Red Hat) Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1177758



The details are as follows:

Advisory: Use after free vulnerability in Dwarfdump. 
Advisory ID: -
Author : Qixue Xiao , Tao He
Affected Software:  dwarf-20130126 -- dwarf-20140805 (tested)
Vendor URL: http://www.prevanders.net/dwarf.html
Vendor Status:  reported
CVE-ID : -

================================
Vulnerability Description:
================================

There is a UAF (use after free) in dwarf-20130126 and dwarf-20140805. We have tested these two versions, so we guess the versions between them will be affected too. When a malformed ELF file is passed to dwarfdump, it uses an object which has been freed before.

=========================================
Details: 
==========================================


If an ELF file is passed to dwarfdump, 'dwarf_elf_init' is called, and if the ELF file is not in the correct format, the 'Dwarf_Debug' object is freed in 'dwarf_elf_object_access_finish':

--------------------------------
    res = dwarf_object_init(binary_interface, errhand, errarg,
        ret_dbg, error);
    if (res != DW_DLV_OK) {
        dwarf_elf_object_access_finish(binary_interface);
    }
--------------------------------

And the object is referenced again in 'print_error':

--------------------------
    if (obj->object) {
        dwarf_elf_object_access_internals_t *internals =
            (dwarf_elf_object_access_internals_t *)obj->object;
--------------------------


When debugging it with gdb, the error information is as follows:

--------------------------------
/home/xqx/test/dwarf_test/dwarf-20140805/dwarfdump/dwarfdump ERROR:  dwarf_elf_init:  DW_DLE_ELF_STRPTR_ERROR 30 a  call to elf_strptr() failed trying to get a section name (30)

CU Name = 
CU Producer = 
DIE OFF = 0x00000000 GOFF = 0x00000000, Low PC = 0x00000000, High PC = 0x00000000

Program received signal SIGSEGV, Segmentation fault.
0x0000000000436305 in dwarf_finish (dbg=0x1, error=0x7fffffffe030) at dwarf_original_elf_init.c:193
193         dwarf_elf_object_access_finish(dbg->de_obj_file);
-----------------------------------------------
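The free-then-reuse ordering described above, reduced to a stand-alone C sketch (an added example, not libdwarf's code; the struct and function names are hypothetical stand-ins for dwarf_elf_object_access_finish and print_error): the failure is reported while the internals are still alive, and the finish routine clears the pointer, so any later report takes the NULL branch instead of dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the object-access structs (constructed, not libdwarf's). */
typedef struct { char section_name[32]; } elf_internals_t;
typedef struct { elf_internals_t *object; } object_access_t;

/* Stand-in for dwarf_elf_object_access_finish: release the internals. */
static void object_access_finish(object_access_t *obj) {
    free(obj->object);
    obj->object = NULL;   /* mitigation: never leave a dangling pointer behind */
}

/* Stand-in for print_error: returns 1 if it used the internals, 0 if they were gone. */
static int report_error(object_access_t *obj, char *out, size_t outlen) {
    if (obj->object) {
        snprintf(out, outlen, "error in section %s", obj->object->section_name);
        return 1;
    }
    snprintf(out, outlen, "error (object already released)");
    return 0;
}

/* Stand-in for the dwarf_elf_init error path. Returns 0 on success, 1 on a bad file. */
static int load_object(const char *input, char *msg, size_t msglen) {
    object_access_t obj;
    obj.object = calloc(1, sizeof *obj.object);
    if (!obj.object) return -1;
    /* Constructed: treat the input text as the section name being looked up. */
    strncpy(obj.object->section_name, input, sizeof obj.object->section_name - 1);
    if (strncmp(input, "\x7f" "ELF", 4) != 0) {
        report_error(&obj, msg, msglen);   /* report first, while memory is valid */
        object_access_finish(&obj);        /* then free and clear */
        return 1;
    }
    object_access_finish(&obj);
    snprintf(msg, msglen, "ok");
    return 0;
}

/* Shows that a report issued after finish() is harmless: returns 0, no UAF. */
static int report_after_finish(void) {
    object_access_t obj = { calloc(1, sizeof(elf_internals_t)) };
    char buf[64];
    object_access_finish(&obj);
    return report_error(&obj, buf, sizeof buf);
}
```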

====================
Status:
=====================

We have sent an email to libdwarf-list@earthlink.net to report it.


==================
References:
==================

http://www.prevanders.net/dwarf.html

