[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE Request, Use after free vulnerability in Dwarfdump
From: xiaoqixue_1 <xiaoqixue_1 () 163 ! com>
Date: 2014-12-31 6:09:23
Message-ID: 3549034.71e7.14a9ef6857e.Coremail.xiaoqixue_1 () 163 ! com
[Download RAW message or body]
Hi,
we report a vulnerability in DwarfDump which is shipped
with every release of the SGI MIPS/IRIX C compiler.
we have reported the issue to vendor and linux Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1177758
the details as follows:
Advisory: Use after free vulnerability in Dwarfdump.
Advisory ID: -
Author : Qixue Xiao , Tao He
Affected Sofware: dwarf-20130126 -- dwarf-20140805 (tested)
Vendor URL: http://www.prevanders.net/dwarf.html
Vendor Status: reported
CVE-ID : -
================================
Vulnerability Description:
================================
There is a UAF(used after free) in dwarf-20130126 and dwarf-20140805, and we have tested the \
two version, so we guess the versions which are between them will be affected too. when an odd \
elf file passed to dwarfdump, it would use an object which have be freed before.
=========================================
Details:
==========================================
if an elf file is passed to dwarfdump, 'dwarf_elf_init' will be called and the 'Dwarf_Debug' \
object will be free in 'dwarf_elf_object_access_finish', if the elf file is not in correct \
format.
--------------------------------
res = dwarf_object_init(binary_interface, errhand, errarg,
ret_dbg, error);
if (res != DW_DLV_OK){
dwarf_elf_object_access_finish(binary_interface);
}
--------------------------------
And the object will be refered again in 'print_error' :
--------------------------
if (obj->object) {
dwarf_elf_object_access_internals_t *internals =
(dwarf_elf_object_access_internals_t *)obj->object;
--------------------------
when debugging it with gdb, the error information as follows:
--------------------------------
/home/xqx/test/dwarf_test/dwarf-20140805/dwarfdump/dwarfdump ERROR: dwarf_elf_init: \
DW_DLE_ELF_STRPTR_ERROR 30 a call to elf_strptr() failed trying to get a section name (30)
CU Name =
CU Producer =
DIE OFF = 0x00000000 GOFF = 0x00000000, Low PC = 0x00000000, High PC = 0x00000000
Program received signal SIGSEGV, Segmentation fault.
0x0000000000436305 in dwarf_finish (dbg=0x1, error=0x7fffffffe030) at \
dwarf_original_elf_init.c:193 193 dwarf_elf_object_access_finish(dbg->de_obj_file);
-----------------------------------------------
====================
Status:
=====================
We have sent email to libdwarf-list@earthlink.net to report it.
==================
references:
==================
http://www.prevanders.net/dwarf.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic