
List:       oss-security
Subject:    [oss-security] pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)
From:       "Agostino Sarubbo" <ago () gentoo ! org>
Date:       2017-02-25 11:23:43
Message-ID: 719404.939885379-sendEmail () localhost


Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on scanelf exposed that the out-of-bounds read already reported at
https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c
was unfixed.

The complete ASan output:

# scanelf -s '*' -axetrnibSDIYZB $FILE
==1093==ERROR: AddressSanitizer: unknown-crash on address 0x7f4ddab2c3a0 at pc 0x000000524a77 bp 0x7fffcd2bc320 sp 0x7fffcd2bc318
READ of size 4 at 0x7f4ddab2c3a0 thread T0
    #0 0x524a76 in scanelf_file_get_symtabs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3
    #1 0x514af2 in scanelf_file_sym /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1282:2
    #2 0x514af2 in scanelf_elfobj /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1502
    #3 0x5137f8 in scanelf_elf /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567:8
    #4 0x5137f8 in scanelf_fileat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #5 0x512d9b in scanelf_dirat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668:10
    #6 0x511d9d in scanelf_dir /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1718:9
    #7 0x511d9d in parseargs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #8 0x511d9d in main /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #9 0x7f4dd9b4e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419b28 in getenv (/usr/bin/scanelf+0x419b28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3 in scanelf_file_get_symtabs
Shadow bytes around the buggy address:
  0x0fea3b55d820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fea3b55d870: fe fe fe fe[fe]fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8c0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1093==ABORTING
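The crash site in the trace above is the symbol-table reader, and the generic defence for this bug class is to validate every section offset and size against the file size, and every symbol's name offset against the string-table size, before dereferencing anything. The C below is an added illustration of that check written for this note; it is not pax-utils code and not the upstream fix. The struct mirrors, the function names (range_in_file, count_symbols_checked, demo) and the in-memory sample image are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local mirrors of the ELF64 section-header and symbol layouts (same field
 * order and sizes as Elf64_Shdr / Elf64_Sym in <elf.h>); defined here so the
 * example builds without elf.h. Constructed for this example. */
typedef struct {
    uint32_t sh_name; uint32_t sh_type; uint64_t sh_flags; uint64_t sh_addr;
    uint64_t sh_offset; uint64_t sh_size; uint32_t sh_link; uint32_t sh_info;
    uint64_t sh_addralign; uint64_t sh_entsize;
} shdr64;

typedef struct {
    uint32_t st_name; unsigned char st_info; unsigned char st_other;
    uint16_t st_shndx; uint64_t st_value; uint64_t st_size;
} sym64;

/* Does [off, off+len) lie entirely inside a buffer of file_size bytes?
 * Written as a subtraction so that off+len cannot wrap around. */
static int range_in_file(uint64_t file_size, uint64_t off, uint64_t len)
{
    return off <= file_size && len <= file_size - off;
}

/* Count the symbols in a symtab section whose names can be safely read.
 * Returns -1 if a section header points outside the file (or has the wrong
 * entry size), -2 if a symbol's name lies outside the string table or is not
 * NUL-terminated inside it. */
int count_symbols_checked(const unsigned char *file, uint64_t file_size,
                          const shdr64 *symtab, const shdr64 *strtab)
{
    if (symtab->sh_entsize != sizeof(sym64) ||
        !range_in_file(file_size, symtab->sh_offset, symtab->sh_size) ||
        !range_in_file(file_size, strtab->sh_offset, strtab->sh_size))
        return -1;

    uint64_t n = symtab->sh_size / sizeof(sym64);
    const unsigned char *strs = file + strtab->sh_offset;
    for (uint64_t i = 0; i < n; i++) {
        sym64 s;
        memcpy(&s, file + symtab->sh_offset + i * sizeof(sym64), sizeof s);
        if (s.st_name >= strtab->sh_size)
            return -2;
        /* The name must terminate before the string table ends. */
        if (memchr(strs + s.st_name, '\0', strtab->sh_size - s.st_name) == NULL)
            return -2;
    }
    return (int)n;
}

/* Constructed sample image (not a real ELF file): a string table at offset 0
 * and a two-entry symbol table at offset 32. Returns the bytes in use. */
static uint64_t build_sample(unsigned char *buf, size_t cap)
{
    memset(buf, 0, cap);
    memcpy(buf, "\0main\0foo", 10);            /* strtab: "", "main", "foo" */
    sym64 syms[2] = { {1, 0, 0, 0, 0, 0}, {6, 0, 0, 0, 0, 0} };
    memcpy(buf + 32, syms, sizeof syms);
    return 32 + sizeof syms;                    /* 32 + 48 = 80 bytes */
}

/* Run the check against the sample under one of four header scenarios. */
int demo(int scenario)
{
    unsigned char buf[128];
    uint64_t used = build_sample(buf, sizeof buf);
    shdr64 symtab = {0}, strtab = {0};
    symtab.sh_offset = 32;
    symtab.sh_size = 2 * sizeof(sym64);
    symtab.sh_entsize = sizeof(sym64);
    strtab.sh_offset = 0;
    strtab.sh_size = 10;
    switch (scenario) {
    case 0: break;                                      /* well-formed */
    case 1: symtab.sh_size = 4 * sizeof(sym64); break;  /* symtab past EOF */
    case 2: symtab.sh_offset = UINT64_MAX - 8; break;   /* offset+size wraps */
    case 3: strtab.sh_size = 5; break;                  /* names past strtab */
    default: break;
    }
    return count_symbols_checked(buf, used, &symtab, &strtab);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("scenario %d -> %d\n", i, demo(i));
    return 0;
}
```

The subtraction form in range_in_file is the part worth copying: a naive `off + len <= file_size` passes for a section header whose offset and size sum past 2^64, which is exactly the kind of header a fuzzer produces.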

Affected version:
1.2.2

Fixed version:
1.2.3 (not released atm)

Commit fix:
https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d
https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00169-pax-utils-scanelf-oobread1

Timeline:
2017-02-09: bug discovered and reported to upstream
2017-02-11: upstream released a patch
2017-02-25: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2


--
Agostino Sarubbo
Gentoo Linux Developer

