List: oss-security
Subject: [oss-security] pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)
From: "Agostino Sarubbo" <ago () gentoo ! org>
Date: 2017-02-25 11:23:43
Message-ID: 719404.939885379-sendEmail () localhost
Description:
pax-utils is a set of tools that check files for security relevant properties.
A fuzz on scanelf exposed that the out-of-bounds read already reported at
https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c
was unfixed.
The complete ASan output:
# scanelf -s '*' -axetrnibSDIYZB $FILE
==1093==ERROR: AddressSanitizer: unknown-crash on address 0x7f4ddab2c3a0 at pc 0x000000524a77 bp 0x7fffcd2bc320 sp 0x7fffcd2bc318
READ of size 4 at 0x7f4ddab2c3a0 thread T0
    #0 0x524a76 in scanelf_file_get_symtabs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3
    #1 0x514af2 in scanelf_file_sym /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1282:2
    #2 0x514af2 in scanelf_elfobj /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1502
    #3 0x5137f8 in scanelf_elf /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567:8
    #4 0x5137f8 in scanelf_fileat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #5 0x512d9b in scanelf_dirat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668:10
    #6 0x511d9d in scanelf_dir /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1718:9
    #7 0x511d9d in parseargs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #8 0x511d9d in main /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #9 0x7f4dd9b4e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419b28 in getenv (/usr/bin/scanelf+0x419b28)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3 in scanelf_file_get_symtabs
Shadow bytes around the buggy address:
==1093==ABORTING
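The advisory names the crash site but not the root cause, so what follows is an added illustration (not pax-utils code) of the checks a symbol-table lookup over an untrusted ELF file needs before it follows any section offset. The function names, the 256-byte buffer and the sample image are constructed here and assume a glibc/musl elf.h.

```c
#include <elf.h>
#include <string.h>

/* Index of the SHT_SYMTAB section header, or -1 when the ELF header, the
 * section table or the symtab data does not fit in len bytes of file. */
static int find_symtab64(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, buf, sizeof eh);                  /* no misaligned reads */
    if (eh.e_shentsize != sizeof(Elf64_Shdr) || eh.e_shnum == 0)
        return -1;
    /* section table must lie entirely inside the file (overflow-safe) */
    if (eh.e_shoff > len ||
        (uint64_t)eh.e_shnum * sizeof(Elf64_Shdr) > len - eh.e_shoff)
        return -1;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_type != SHT_SYMTAB)
            continue;
        /* symbol data must be in bounds too, with a sane entry size */
        if (sh.sh_entsize != sizeof(Elf64_Sym) || sh.sh_offset > len ||
            sh.sh_size > len - sh.sh_offset)
            return -1;
        return (int)i;
    }
    return -1;
}

/* Constructed 216-byte sample in g_img: ELF header at 0, null + symtab
 * section headers at 64, one Elf64_Sym at 192. symtab_off is written into
 * sh_offset, so a caller can deliberately point it past end of file. */
static unsigned char g_img[256];
static size_t build_sample(uint64_t symtab_off)
{
    Elf64_Ehdr eh = {0};
    Elf64_Shdr sh[2] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_shoff = 64; eh.e_shentsize = sizeof(Elf64_Shdr); eh.e_shnum = 2;
    sh[1].sh_type = SHT_SYMTAB; sh[1].sh_entsize = sizeof(Elf64_Sym);
    sh[1].sh_offset = symtab_off; sh[1].sh_size = sizeof(Elf64_Sym);
    memcpy(g_img, &eh, sizeof eh);
    memcpy(g_img + 64, sh, sizeof sh);
    memset(g_img + 192, 0, sizeof(Elf64_Sym));
    return 192 + sizeof(Elf64_Sym);
}
```

A well-formed image yields index 1, while a file truncated by one byte or an sh_offset beyond the end of the file is rejected before any read, which is the difference between a clean error and the wild access ASan reports above.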
Affected version:
1.2.2
Fixed version:
1.2.3 (not released atm)
Commit fix:
https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d
https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00169-pax-utils-scanelf-oobread1
Timeline:
2017-02-09: bug discovered and reported to upstream
2017-02-11: upstream released a patch
2017-02-25: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2
--
Agostino Sarubbo
Gentoo Linux Developer