The compressed debug section support in libdw does not handle malformed compressed debug sections properly. The uncompressed size is read as a 64-bit value from the compressed section's header and added to sizeof (Elf_Data) to size the allocation; integer wraparound in that addition is not taken into account, so a size close to UINT64_MAX yields a heap allocation far smaller than the advertised size, which is subsequently filled with arbitrary decompressed data from the malformed section (a heap buffer overflow):
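The following C program is an added illustration of the size arithmetic described above; it is not code from elfutils or from the advisory. The Elf_Data struct is a stand-in whose only relevant property is its size, and the header layout assumed is the GNU .zdebug convention (a 4-byte "ZLIB" magic followed by an 8-byte big-endian uncompressed size, which is why the hunk reads the size at offset 4 and passes it through be64toh). The sample headers are constructed in the code. vulnerable_alloc_size() computes the allocation size the pre-patch way, and hardened_alloc_size() applies the patch's UINT64_MAX check plus an extra SIZE_MAX bound (an addition beyond the patch, for hosts where size_t is narrower than 64 bits).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libelf's Elf_Data (hypothetical layout; only its size matters here).
   libdw stores the decompressed bytes right after this header, which is why the
   allocation in the hunk is sizeof (Elf_Data) + size. */
typedef struct {
    void *d_buf;
    size_t d_size;
    int d_type;
} Elf_Data;

#define ZDEBUG_HDR_LEN 12   /* "ZLIB" magic + 8-byte big-endian uncompressed size */

/* Constructed sample input: build a .zdebug-style header advertising `size`. */
static void make_zdebug_header(unsigned char out[ZDEBUG_HDR_LEN], uint64_t size)
{
    memcpy(out, "ZLIB", 4);
    for (int i = 0; i < 8; i++)
        out[4 + i] = (unsigned char)(size >> (56 - 8 * i));
}

/* Portable equivalent of the be64toh() call in the hunk. */
static uint64_t read_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Pre-patch arithmetic: the 64-bit size from the header is added to
   sizeof (Elf_Data) with no wraparound check. Returns the byte count
   that would be handed to malloc. */
uint64_t vulnerable_alloc_size(const unsigned char hdr[ZDEBUG_HDR_LEN])
{
    uint64_t size = read_be64(hdr + 4);
    return sizeof (Elf_Data) + size;   /* wraps when size is near UINT64_MAX */
}

/* Hardened arithmetic: the patch's UINT64_MAX check, plus a SIZE_MAX bound
   (an addition beyond the patch) so the value also survives conversion to
   size_t on 32-bit hosts. Returns 0 when the header must be rejected. */
size_t hardened_alloc_size(const unsigned char hdr[ZDEBUG_HDR_LEN])
{
    if (memcmp(hdr, "ZLIB", 4) != 0)
        return 0;                                   /* not a compressed section */
    uint64_t size = read_be64(hdr + 4);
    if (UINT64_MAX - size < sizeof (Elf_Data))      /* the patch's check */
        return 0;
    if (size > SIZE_MAX - sizeof (Elf_Data))        /* would truncate in size_t */
        return 0;
    return (size_t) (sizeof (Elf_Data) + size);
}

/* Wrappers that build a header for a given advertised size and evaluate it. */
uint64_t vulnerable_for(uint64_t size)
{
    unsigned char hdr[ZDEBUG_HDR_LEN];
    make_zdebug_header(hdr, size);
    return vulnerable_alloc_size(hdr);
}

size_t hardened_for(uint64_t size)
{
    unsigned char hdr[ZDEBUG_HDR_LEN];
    make_zdebug_header(hdr, size);
    return hardened_alloc_size(hdr);
}

int main(void)
{
    uint64_t evil = UINT64_MAX - 1;   /* malformed header: size 0xFFFFFFFFFFFFFFFE */
    printf("advertised size %llu: pre-patch malloc gets %llu bytes, hardened returns %zu\n",
           (unsigned long long) evil, (unsigned long long) vulnerable_for(evil),
           hardened_for(evil));
    printf("advertised size 4096: pre-patch %llu bytes, hardened %zu bytes\n",
           (unsigned long long) vulnerable_for(4096), hardened_for(4096));
    return 0;
}
```

With the malformed header the pre-patch computation asks malloc for sizeof (Elf_Data) - 2 bytes while the decompressor is later told to produce almost 2^64 bytes; the hardened path rejects the header before any allocation.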
<https://bugzilla.redhat.com/show_bug.cgi?id=1085663>
We have assigned CVE-2014-0172 to this issue.
This issue affects elfutils versions 0.153 and later.
A possible patch from Mark Wielaard:
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..cf37013 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -282,6 +282,9 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
memcpy (&size, data->d_buf + 4, sizeof size);
size = be64toh (size);
+ if (unlikely (UINT64_MAX - size < sizeof (Elf_Data)))
+ break;
+
Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
if (unlikely (zdata == NULL))
break;
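Review bot: the added check guards the 64-bit addition but not the conversion to size_t on the malloc line. `size` is a 64-bit value (it goes through be64toh), so on a host where size_t is 32 bits `sizeof (Elf_Data) + size` is computed in 64 bits and then truncated when passed to malloc; a size such as 0x100000010 passes the UINT64_MAX check and still yields a tiny allocation. Suggest also rejecting `size > SIZE_MAX - sizeof (Elf_Data)` (or comparing against SIZE_MAX instead of UINT64_MAX). Separately, the check is purely arithmetic and accepts any size that does not wrap, so the code that fills `zdata` must not trust the header: it should verify that decompression produces exactly `size` bytes and bail out otherwise.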