libdw/elfutils Heap-based buffer overflow

2014.04.10

Credit: Florian

Risk: High

Local: Yes

Remote: No

CVE: CVE-2014-0172

CWE: CWE-119

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

The compressed debug information support in libdw does not handle malformed compressed debug sections properly. When computing the size of a memory region, integer wraparound is not taken into account, resulting in a heap allocation that is smaller than expected and which is subsequently filled with arbitrary decompressed data:
<https://bugzilla.redhat.com/show_bug.cgi?id=1085663>
We have assigned CVE-2014-0172 to this issue.
This issue affects versions 0.153 and later.
A possible patch from Mark Wielaard:
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..cf37013 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -282,6 +282,9 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
memcpy (&size, data->d_buf + 4, sizeof size);
size = be64toh (size);
+ if (unlikely (UINT64_MAX - size < sizeof (Elf_Data)))
+ break;
+
Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
if (unlikely (zdata == NULL))
break;

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1085663

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}