
Unknown-crash in function dwarf::line_table::begin at dwarf/line.cc:153

Open · bladchan opened this issue 1 year ago · 1 comment

Hi,

I am running some experiments for AFLAPI and it has found an unknown-crash in function dwarf::line_table::begin at dwarf/line.cc:153. This bug may allow attackers to cause DoS, so I report it here.

Environment: Ubuntu 18.04 + Clang 6.0

Test target: examples/dump-lines

Testcase here: badelf_unknown_crash.zip

To reproduce:

- Compile the whole project and examples with ASAN
- Run the example on the test case, like this: `./dump-lines ./badelf_unknown_crash`

🤔 ASAN says:

```
=================================================================
==5860==ERROR: AddressSanitizer: unknown-crash on address 0x7f7a5bbdd7de at pc 0x0000005a4d22 bp 0x7fff60293fb0 sp 0x7fff60293fa8
READ of size 1 at 0x7f7a5bbdd7de thread T0
    #0 0x5a4d21 in dwarf::line_table::iterator::step(dwarf::cursor*) /home/ubuntu/libelfin/dwarf/./internal.hh:211:24
    #1 0x59adea in dwarf::line_table::iterator::operator++() /home/ubuntu/libelfin/dwarf/line.cc:280:26
    #2 0x59822e in dwarf::line_table::iterator::iterator(dwarf::line_table const*, unsigned long) /home/ubuntu/libelfin/dwarf/line.cc:267:17
    #3 0x59822e in dwarf::line_table::begin() const /home/ubuntu/libelfin/dwarf/line.cc:153
    #4 0x5188e1 in dump_line_table(dwarf::line_table const&) /home/ubuntu/libelfin/examples/dump-lines.cc:13:25
    #5 0x519ff0 in main /home/ubuntu/libelfin/examples/dump-lines.cc:41:17
    #6 0x7f7a5a768c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41bf29 in _start (/home/ubuntu/libelfin/examples/dump-lines+0x41bf29)

Address 0x7f7a5bbdd7de is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /home/ubuntu/libelfin/dwarf/./internal.hh:211:24 in dwarf::line_table::iterator::step(dwarf::cursor*)
Shadow bytes around the buggy address:
  0x0fefcb773aa0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773ab0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773ac0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773ad0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773ae0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fefcb773af0: fe fe fe fe fe fe fe fe fe fe fe[fe]fe fe fe fe
  0x0fefcb773b00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773b10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773b20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773b30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefcb773b40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5860==ABORTING
```

Impact: An attacker can exploit this vulnerability by submitting a malicious ELF file that triggers this bug, which will result in a DoS.

bladchan avatar Sep 01 '22 01:09 bladchan

There is also a SEGV in function dwarf::line_table::begin at dwarf/line.cc:153, here I just upload the file: badelf_segv_begin.zip

ASAN says:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50710==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffabbe6cade (pc 0x7ffabae7acb8 bp 0x7ffee0f141f0 sp 0x7ffee0f13f60 T0)
==50710==The signal is caused by a READ memory access.
    #0 0x7ffabae7acb7 in unsigned char dwarf::cursor::fixed() /home/ubuntu/libelfin/dwarf/./internal.hh:143:21
    #1 0x7ffabae7acb7 in dwarf::line_table::iterator::step(dwarf::cursor*) /home/ubuntu/libelfin/dwarf/line.cc:309
    #2 0x7ffabae72f7a in dwarf::line_table::iterator::operator++() /home/ubuntu/libelfin/dwarf/line.cc:280:26
    #3 0x7ffabae703be in dwarf::line_table::iterator::iterator(dwarf::line_table const*, unsigned long) /home/ubuntu/libelfin/dwarf/line.cc:267:17
    #4 0x7ffabae703be in dwarf::line_table::begin() const /home/ubuntu/libelfin/dwarf/line.cc:153
    #5 0x5191e2 in dump_line_table(dwarf::line_table const&) /home/ubuntu/libelfin/fuzz/harness.cpp:118:25
    #6 0x51ab12 in main /home/ubuntu/libelfin/fuzz/harness.cpp:157:11
    #7 0x7ffab9a1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41b339 in _start (/home/ubuntu/libelfin/fuzz/harness+0x41b339)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/libelfin/dwarf/./internal.hh:143:21 in unsigned char dwarf::cursor::fixed()
==50710==ABORTING
```

bladchan avatar Sep 01 '22 01:09 bladchan
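Both traces above end in a one-byte read through `dwarf::cursor` while the line-table iterator steps through a malformed `.debug_line` section, and the first report's "wild pointer" address shows the read had already left the mapped file. The defensive pattern for this class of bug is a cursor that validates every fixed-size read against the section bounds and a header parser that cross-checks the length fields against the bytes actually present. The code below is an added illustration written for this page, not libelfin's code: `bounded_cursor`, `line_header` and `parse_line_header` are hypothetical names, and the byte sequences in `main` are constructed inputs, not the reported test cases. It parses the first three fields of a DWARF32 `.debug_line` unit header (`unit_length`, `version`, `header_length`) and rejects truncated or over-declared input instead of reading past the buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <vector>

// Hypothetical bounds-checked cursor (not libelfin's dwarf::cursor): every
// read first checks that the requested bytes lie inside [data, data + size).
struct bounded_cursor {
    const uint8_t *data;
    size_t size;
    size_t pos = 0;

    size_t remaining() const { return size - pos; }  // invariant: pos <= size

    // Read a little-endian fixed-size integer, refusing to run off the buffer.
    template <typename T>
    T fixed() {
        if (remaining() < sizeof(T))
            throw std::out_of_range("read past end of section");
        T v = 0;
        for (size_t i = 0; i < sizeof(T); ++i)
            v |= static_cast<T>(data[pos + i]) << (8 * i);
        pos += sizeof(T);
        return v;
    }
};

// The first three fields of a DWARF32 .debug_line unit header.
struct line_header {
    bool ok = false;           // false: input rejected instead of over-read
    uint32_t unit_length = 0;  // bytes following this field in the unit
    uint16_t version = 0;
    uint32_t header_length = 0;  // bytes from after this field to the line program
};

// Parse the header prefix and validate both length fields against the bytes
// actually present, so a lying length can never drive a read outside the section.
line_header parse_line_header(const std::vector<uint8_t> &section) {
    line_header h;
    bounded_cursor cur{section.data(), section.size()};
    try {
        h.unit_length = cur.fixed<uint32_t>();
        if (h.unit_length > cur.remaining())
            return h;  // unit claims more bytes than the section holds
        h.version = cur.fixed<uint16_t>();
        h.header_length = cur.fixed<uint32_t>();
        if (h.header_length > cur.remaining())
            return h;  // header claims to extend past the unit
    } catch (const std::out_of_range &) {
        return h;  // a read would have gone out of bounds: reject, do not crash
    }
    h.ok = true;
    return h;
}

int main() {
    // Constructed inputs (not the reported test cases).
    std::vector<uint8_t> good = {6, 0, 0, 0, 4, 0, 0, 0, 0, 0};              // len 6, v4, hdr 0
    std::vector<uint8_t> truncated = {6, 0, 0, 0, 4};                        // cut mid-header
    std::vector<uint8_t> oversized = {0xff, 0xff, 0, 0, 4, 0, 0, 0, 0, 0};   // length lies
    for (auto *in : {&good, &truncated, &oversized}) {
        line_header h = parse_line_header(*in);
        std::printf("ok=%d version=%u unit_length=%u\n", h.ok, h.version, h.unit_length);
    }
    return 0;
}
```

The same `remaining()` check belongs in front of every read the line-number program performs after the header, since the opcode stream is also attacker-controlled; an error return or exception there turns the crashes above into a clean "malformed line table" rejection.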