Bug 922906 - <=app-misc/pax-utils-1.3.7: heap-buffer-overflow in dumpelf dumpelf.c:137:3
Summary: <=app-misc/pax-utils-1.3.7: heap-buffer-overflow in dumpelf dumpelf.c:137:3
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-25 14:28 UTC by Agostino Sarubbo
Modified: 2024-09-22 04:40 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
stacktrace (file_922906.txt, 4.14 KB, text/plain)
2024-01-25 14:28 UTC, Agostino Sarubbo
testcase (crash-e49e3e635e2e31115a1312ad149fc319c27494db.zip, 325 bytes, application/zip)
2024-01-25 14:30 UTC, Agostino Sarubbo

Description Agostino Sarubbo gentoo-dev 2024-01-25 14:28:10 UTC
While trying to reproduce the dumpelf crash reported in bug 890028, I discovered that there is libfuzzer support for it, and during src_test I hit a heap overflow.

I'm attaching the crash-* file and the stacktrace.

Tested on a1d0123581ede02b54cf2c071507612dde25236c

As a side note, -print_final_stats expects an argument like 1 while we do not pass arguments.
(https://github.com/gentoo/pax-utils/blob/a1d0123581ede02b54cf2c071507612dde25236c/meson.build#L170)
Comment 1 Agostino Sarubbo gentoo-dev 2024-01-25 14:28:57 UTC
Created attachment 883112 [details]
stacktrace
Comment 2 Agostino Sarubbo gentoo-dev 2024-01-25 14:30:31 UTC
Created attachment 883113 [details]
testcase
Comment 3 SpanKY gentoo-dev 2024-01-26 03:54:39 UTC
i think i tracked down the issue with repro.  with a clean run, the heap is in a fairly pristine state, so the allocation is pretty well aligned.  however, when libfuzzer runs for a long time, it fragments the heap, and the incoming buffer can have smaller alignment.  that seems to be enough to cause ASAN to detect slightly out-of-bound reads that otherwise it misses.

so by hacking up _readelf_fd to force unaligned buffers, i can repro via `dumpelf`.  not sure if there's a good way to integrate this into the tool though so i don't have to keep hotpatching it.  i'll have to noodle some more.

--- a/paxelf.c
+++ b/paxelf.c
@@ -688,13 +688,12 @@
        return NULL;
    }
 
-   ret = readelf_buffer(filename, buffer, len);
-   if (ret == NULL)
+   int off = 7;
+   char *x = xmalloc(len + 8);
+   memcpy(x + off, buffer, len);
+   ret = readelf_buffer(filename, x + off, len);
        munmap(buffer, len);
-   else {
        ret->fd = fd;
-       ret->is_mmap = 1;
-   }
 
    return ret;
 }
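Review bot: removing the `if (ret == NULL)` guard means `ret->fd = fd;` now runs unconditionally, so any input that `readelf_buffer` rejects (the case the deleted `else` branch existed for) dereferences NULL right before `return ret;`, which will turn the fuzzer's malformed inputs into a crash in the repro harness itself rather than in the code under test. Keep the NULL check, and free `x` on that path. Separately, `ret->is_mmap = 1` is dropped along with the mmap'd buffer, but nothing in the hunk records that the heap copy `x` is now the allocation to release when `ret` is freed, so `x` leaks on every successful call; either free it after the ELF is processed or keep an ownership flag for it. A one-line comment that `off = 7` is deliberately chosen to defeat malloc's alignment (the condition that hides the overread from ASAN) would also help whoever finds this hack later.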
Comment 4 Larry the Git Cow gentoo-dev 2024-08-09 10:06:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=599d8c41b144596764b33d87d09f80948652ed92

commit 599d8c41b144596764b33d87d09f80948652ed92
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-26 03:57:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-09 10:06:16 +0000

    dumpelf: improve note memory check
    
    Make sure the entire structure fits within the bounds of memory,
    not just the start of it.
    
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    (cherry picked from commit a5298c41c27a35a5c2dcca0723c808029d241953)
    Signed-off-by: Sam James <sam@gentoo.org>

 dumpelf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
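The commit above says the fix is to check that the whole note structure fits in memory, not just its start, and Comment 3 explains why the weaker check only surfaced under fragmented, unaligned heap buffers. The following is an added illustration of that distinction, written for this page and not taken from pax-utils: it uses a simplified three-field note header (the same layout as Elf64_Nhdr), a start-only check beside a whole-structure check, and a constructed note section whose second header is cut off after six bytes. Names such as `note_fits` and `count_valid_notes` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified ELF note header: three little-endian 32-bit fields, as in Elf64_Nhdr. */
typedef struct {
    uint32_t n_namesz;
    uint32_t n_descsz;
    uint32_t n_type;
} note_hdr;

/* Notes pad name and descriptor to 4 bytes; SIZE_MAX signals arithmetic overflow. */
static size_t align4(size_t v) {
    if (v > SIZE_MAX - 3)
        return SIZE_MAX;
    return (v + 3) & ~(size_t)3;
}

/* The weak check: only asks whether the first byte of the header is inside the buffer.
 * A header that starts 6 bytes before the end passes, and reading its 12 bytes overruns. */
static bool note_start_in_bounds(const uint8_t *buf, size_t len, size_t off) {
    (void)buf;
    return off < len;
}

/* The strict check: header, padded name and padded descriptor must all lie within
 * [buf, buf + len). On success *next_off receives the offset of the following note. */
static bool note_fits(const uint8_t *buf, size_t len, size_t off, size_t *next_off) {
    if (off > len || len - off < sizeof(note_hdr))
        return false;               /* header itself would run past the end */

    note_hdr h;
    /* memcpy rather than a cast: the buffer may be unaligned (Comment 3 reproduces the
     * bug precisely by shifting the mapping 7 bytes), and a misaligned load is UB. */
    memcpy(&h, buf + off, sizeof h);

    size_t namesz = align4(h.n_namesz);
    size_t descsz = align4(h.n_descsz);
    if (namesz == SIZE_MAX || descsz == SIZE_MAX)
        return false;
    size_t body = namesz + descsz;
    if (body < namesz)
        return false;               /* namesz + descsz wrapped around */

    size_t remaining = len - off - sizeof(note_hdr);
    if (body > remaining)
        return false;               /* header claims more payload than exists */

    if (next_off)
        *next_off = off + sizeof(note_hdr) + body;
    return true;
}

/* Walk a note section and count the notes that are wholly in bounds; the walk stops
 * at the first note that is not, which is what a parser should do instead of reading on. */
static int count_valid_notes(const uint8_t *buf, size_t len) {
    int n = 0;
    size_t off = 0;
    while (off < len && note_fits(buf, len, off, &off))
        n++;
    return n;
}

/* Offset just past the first note, or 0 if the first note does not fit. */
static size_t first_note_end(const uint8_t *buf, size_t len) {
    size_t next = 0;
    return note_fits(buf, len, 0, &next) ? next : 0;
}

/* Constructed sample: one complete GNU note, then a header truncated after 6 bytes. */
static const uint8_t sample[] = {
    0x04, 0, 0, 0,  0x04, 0, 0, 0,  0x01, 0, 0, 0,   /* namesz=4 descsz=4 type=1 */
    'G', 'N', 'U', 0,                                 /* name, already 4-aligned  */
    0xAA, 0xBB, 0xCC, 0xDD,                           /* descriptor               */
    0x04, 0, 0, 0,  0x08, 0,                          /* second header, cut short */
};

/* Constructed sample: complete header whose descsz (0xFFFFFFF0) exceeds the buffer. */
static const uint8_t oversized[] = {
    0x04, 0, 0, 0,  0xF0, 0xFF, 0xFF, 0xFF,  0x01, 0, 0, 0,
    'G', 'N', 'U', 0,
};

int main(void) {
    printf("notes wholly in bounds: %d\n", count_valid_notes(sample, sizeof sample));
    printf("truncated header at offset 20: start-only check=%d, whole-struct check=%d\n",
           note_start_in_bounds(sample, sizeof sample, 20),
           note_fits(sample, sizeof sample, 20, NULL));
    printf("header with oversized descsz fits: %d\n",
           note_fits(oversized, sizeof oversized, 0, NULL));
    return 0;
}
```

The start-only check accepts the truncated header at offset 20 because that offset is inside the buffer, which is exactly the overread ASAN reports once the allocation is no longer padded by alignment slack; the whole-structure check rejects it, and also rejects a header whose declared sizes exceed what is left in the buffer.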
Comment 5 Larry the Git Cow gentoo-dev 2024-09-22 04:40:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8
    
    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test
    
    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links
    
    David Riley (1):
          lddtree: Add --wrapper-preload
    
    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.
    
    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL
    
    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0
    
    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv
    
    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp
    
    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL
    
    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper
    
    Zach van Rijn (1):
          paxelf: use correct format string
    
    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)