Tree - source-git/libdwarf - CentOS Git server

source-git / libdwarf

Blame bugxml/data.txt

Blob History Raw

Packit	cdaae3
Packit	cdaae3	`id: DW201801-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2018-01-28`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Incorrect frame section can crash dwarfdump`
Packit	cdaae3	`product: dwarfdump`
Packit	cdaae3	`description: A carefully crafted object with an`
Packit	cdaae3	`invalid frame section set of initial-instructions`
Packit	cdaae3	`can crash the frame-instructions decode in`
Packit	cdaae3	`dwarfdump. In addition, a couple places in libdwarf`
Packit	cdaae3	`are not as careful in checking frame data as`
Packit	cdaae3	`they should be.`
Packit	cdaae3	`A segmentation-fault/core-dump is possible.`
Packit	cdaae3	`datefixed: 2018-01-29`
Packit	cdaae3	`references: sarubbo-11/testcase{1,2,3,4,5}.bin`
Packit	cdaae3	`gitfixid: 3cdaabbeea38b8459f411e95536d7cf33b5a1763`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201801-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201712-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-12-01`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Incorrect frame section could let caller crash`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: A carefully crafted object with an`
Packit	cdaae3	`invalid frame section`
Packit	cdaae3	`can result in passing back data to a caller of`
Packit	cdaae3	`dwarf_get_fde_augmentation_data()`
Packit	cdaae3	`is erroneous and will result in the`
Packit	cdaae3	`caller reference off the end of the frame`
Packit	cdaae3	`section.`
Packit	cdaae3	`A segmentation-fault/core-dump is possible.`
Packit	cdaae3	`datefixed: 2017-12-01`
Packit	cdaae3	`references: sarubbo-10/1.crashes.bin`
Packit	cdaae3	`gitfixid: 329ea8e56bc9550260cae6e2e9756bfbe7e2ff6d`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201712-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201711-002`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-11-08`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Incorrect line table section could crash caller`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: An carefully crafted object with a`
Packit	cdaae3	`invalid line table section crafted to`
Packit	cdaae3	`end early at a particular point resulted in`
Packit	cdaae3	`dereferencing outside the line table from`
Packit	cdaae3	`libdwarf/dwarf_line_table_reader_common.c .`
Packit	cdaae3	`A segmentation-fault/core-dump is possible.`
Packit	cdaae3	`datefixed: 2017-11-08`
Packit	cdaae3	`references: regressiontests/sarubbo-9/3.crashes.bin`
Packit	cdaae3	`gitfixid: a1644f4dde7dd5990537ff7ad22a9e94b8723186`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201711-002`
Packit	cdaae3
Packit	cdaae3	`id: DW201711-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-11-01`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Incorrect frame section could crash caller`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: A carefully crafted object with a`
Packit	cdaae3	`resulting invalid frame section`
Packit	cdaae3	`with DW_CFA_advance_loc1 implying`
Packit	cdaae3	`data off-the-end-of-section`
Packit	cdaae3	`will dereference an invalid pointer.`
Packit	cdaae3	`A segmentation fault and core dump is possible.`
Packit	cdaae3	`Corrected code checks now.`
Packit	cdaae3	`datefixed: 2017-11-02`
Packit	cdaae3	`references: regressiontests/sarubbo-8/1.crashes.bin`
Packit	cdaae3	`gitfixid: 44349d7991e44dd3751794f76537cabcf65ee28d`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201711-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201709-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-09-19`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Incorrect abbrev section could crash caller.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: A fuzzed object with a`
Packit	cdaae3	`resulting invalid abbrev section where`
Packit	cdaae3	`the end of section follows an abbrev tag`
Packit	cdaae3	`would dereference a non-existent has-child byte.`
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-09-26`
Packit	cdaae3	`references: regressiontests/sarubbo-3/1.crashes.bin`
Packit	cdaae3	`gitfixid: bcc2e33908e669bacd397e3c941ffd1db3005d17`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201709-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201706-001`
Packit	cdaae3	`cve: CVE-2017-9998`
Packit	cdaae3	`datereported: 2017-06-28`
Packit	cdaae3	`reportedby: team OWL337`
Packit	cdaae3	`vulnerability: Addition overflow in libdwarf leads to segmentation violation`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: A fuzzed object with a`
Packit	cdaae3	`resulting invalid value can overflow`
Packit	cdaae3	`when added to a valid pointer`
Packit	cdaae3	`(depending on how the runtime memory is laid out)`
Packit	cdaae3	`and thereafter a dereference results in a`
Packit	cdaae3	`segmentation violation).`
Packit	cdaae3
Packit	cdaae3	`see`
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1465756`
Packit	cdaae3	`for contact information of those finding the bug.`
Packit	cdaae3	`Fabian Wolff sent email and provided`
Packit	cdaae3	`the link to the web page.`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-07-06`
Packit	cdaae3	`references: regressiontests/wolff/POC1`
Packit	cdaae3	`gitfixid: e91681e8841291f57386f26a90897fd1dcf92a6e`
Packit	cdaae3	`tarrelease:`
Packit	cdaae3	`endrec: DW201706-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-007`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in strncmp (libelf bug)`
Packit	cdaae3	`product: libdwarf (libelf)`
Packit	cdaae3	`description: 7/7. A heap overflow in`
Packit	cdaae3	`strncmp() is due to libelf failing to check arguments`
Packit	cdaae3	`to elf_ strptr.`
Packit	cdaae3	`This is not a bug in libdwarf, it is a libelf bug.`
Packit	cdaae3	`A pointer for being in bounds (in a few places in this`
Packit	cdaae3	`function) and a failure in a check in dwarf_attr_list().`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output with Ubuntu 14.04:`
Packit	cdaae3	`==180133==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x60d00000cff1 at pc 0x0000004476f4`
Packit	cdaae3	`bp 0x7fff87dd7dd0 sp 0x7fff87dd7590`
Packit	cdaae3	`READ of size 8 at 0x60d00000cff1 thread T0`
Packit	cdaae3	`#0 0x4476f3 in __interceptor_strncmp (/home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/dwarfdump/dwarfdump+0x4476f3)`
Packit	cdaae3	`#1 0x7992ae in this_section_dwarf_relevant /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/dwarf_init_finish.c:608:13`
Packit	cdaae3	`#2 0x781064 in _dwarf_setup /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/dwarf_init_finish.c:722:14`
Packit	cdaae3	`#3 0x77d59c in dwarf_object_init /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/dwarf_init_finish.c:922:20`
Packit	cdaae3
Packit	cdaae3	`With Ubuntu 16.04 libelf dwarfdump gets:`
Packit	cdaae3	`ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30)`
Packit	cdaae3	`a call to elf_strptr() failed trying to get a section name`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`datefixed:`
Packit	cdaae3	`references: regressiontests/marcel/crash7`
Packit	cdaae3	`gitfixid:`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-007`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-006`
Packit	cdaae3	`cve: CVE-2017-9052`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in dwarf_formsdata`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: 6/7. A heap overflow in`
Packit	cdaae3	`dwarf_formsdata() is due to a failure to check`
Packit	cdaae3	`a pointer for being in bounds (in a few places in this`
Packit	cdaae3	`function) and a failure in a check in dwarf_attr_list().`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output with Ubuntu 14.04:`
Packit	cdaae3	`==180130==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x61100000589c at pc 0x0000006cab95`
Packit	cdaae3	`bp 0x7fff749aab10 sp 0x7fff749aab08`
Packit	cdaae3	`READ of size 1 at 0x61100000589c thread T0`
Packit	cdaae3	`#0 0x6cab94 in dwarf_formsdata /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/dwarf_form.c:937:9`
Packit	cdaae3	`#1 0x567daf in get_small_encoding_integer_and_name /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/dwarfdump/print_die.c:1533:16`
Packit	cdaae3	`#2 0x562f28 in get_attr_value /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/dwarfdump/print_die.c:5030:24`
Packit	cdaae3	`#3 0x555f86 in print_attribute /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/dwarfdump/print_die.c:3357:13`
Packit	cdaae3
Packit	cdaae3	`After fixes applied dwarfdump says:`
Packit	cdaae3	`ERROR: dwarf_attrlist: DW_DLE_DW_DLE_ATTR_OUTSIDE_SECTION(281)`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-03-21`
Packit	cdaae3	`references: regressiontests/marcel/crash6`
Packit	cdaae3	`gitfixid: cc37d6917011733d776ae228af4e5d6abe9613c1`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-006`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-005`
Packit	cdaae3	`cve: CVE-2017-9053`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in _dwarf_read_loc_expr_op()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: 5/7. A heap overflow in`
Packit	cdaae3	`_dwarf_read_loc_expr_op() is due to a failure to check`
Packit	cdaae3	`a pointer for being in bounds (in a few places in this`
Packit	cdaae3	`function).`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output with Ubuntu 14.04:`
Packit	cdaae3	`==180112==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x60800000bf72 at pc 0x00000084dd52`
Packit	cdaae3	`bp 0x7ffc12136fd0 sp 0x7ffc12136fc8`
Packit	cdaae3	`READ of size 1 at 0x60800000bf72 thread T0`
Packit	cdaae3	`#0 0x84dd51 in _dwarf_read_loc_expr_op /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/./dwarf_loc.c:250:9`
Packit	cdaae3	`#1 0x841f16 in _dwarf_get_locdesc_c /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/./dwarf_loc2.c:109:15`
Packit	cdaae3	`#2 0x837d08 in dwarf_get_loclist_c /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/./dwarf_loc2.c:685:18`
Packit	cdaae3	`#3 0x57dff2 in get_location_list /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/dwarfdump/print_die.c:3812:16`
Packit	cdaae3
Packit	cdaae3	`After fixes applied dwarfdump says:`
Packit	cdaae3	`ERROR: dwarf_get_loclist_c: DW_DLE_LOCEXPR_OFF_SECTION_END`
Packit	cdaae3	`(343) Corrupt dwarf`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-03-21`
Packit	cdaae3	`references: regressiontests/marcel/crash5`
Packit	cdaae3	`gitfixid: cc37d6917011733d776ae228af4e5d6abe9613c1`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-005`
Packit	cdaae3
Packit	cdaae3	`id: DW201703-004`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in set_up_section strlen`
Packit	cdaae3	`product: libdwarf (libelf)`
Packit	cdaae3	`description: 4/7. An apparent heap overflow that`
Packit	cdaae3	`gives the appearance of being in libdwarf is due to`
Packit	cdaae3	`libelf call elf_strptr() failing to fully check`
Packit	cdaae3	`that its arguments make sense.`
Packit	cdaae3	`This is not a bug in libdwarf, it is a libelf bug.`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3	`The submission was with Ubuntu 14.04. With Ubuntu`
Packit	cdaae3	`16.04 there is no sanitizer error report.`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output with Ubuntu 14.04:`
Packit	cdaae3	`==180109==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x60b00000b000 at pc 0x00000048fd12`
Packit	cdaae3	`bp 0x7fff4ad31ef0 sp 0x7fff4ad316b0`
Packit	cdaae3	`READ of size 16 at 0x60b00000b000 thread T0`
Packit	cdaae3	`#0 0x48fd11 in __interceptor_strlen (/home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/dwarfdump+0x48fd11)`
Packit	cdaae3	`#1 0x7a84a4 in set_up_section /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:285:27`
Packit	cdaae3	`#2 0x79aaa5 in enter_section_in_de_debug_sections_array /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:355:5`
Packit	cdaae3	`#3 0x78170b in _dwarf_setup /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:746:19`
Packit	cdaae3
Packit	cdaae3	`With Ubuntu 16.04 libelf one gets:`
Packit	cdaae3	`ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30)`
Packit	cdaae3	`a call to elf_strptr() failed trying to get a section name`
Packit	cdaae3
Packit	cdaae3	`datefixed:`
Packit	cdaae3	`references: regressiontests/marcel/crash4`
Packit	cdaae3	`gitfixid:`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-004`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-003`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in strcmp`
Packit	cdaae3	`product: libdwarf (libelf)`
Packit	cdaae3	`description: 3/7. An apparent heap overflow that`
Packit	cdaae3	`gives the appearance of being in libdwarf is due to`
Packit	cdaae3	`libelf call elf_strptr() failing to fully check`
Packit	cdaae3	`that its arguments make sense.`
Packit	cdaae3	`This is not a bug in libdwarf, it is a libelf bug.`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3	`The submission was with Ubuntu 14.04. With Ubuntu`
Packit	cdaae3	`16.04 there is no sanitizer error report.`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output with Ubuntu 14.04:`
Packit	cdaae3	`==180106==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x60f00000ef09 at pc 0x000000447300`
Packit	cdaae3	`bp 0x7ffc667dce10 sp 0x7ffc667dc5d0`
Packit	cdaae3	`READ of size 4 at 0x60f00000ef09 thread T0`
Packit	cdaae3	`#0 0x4472ff in __interceptor_strcmp (/home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/dwarfdump+0x4472ff)`
Packit	cdaae3	`#1 0x79938f in this_section_dwarf_relevant /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:612:12`
Packit	cdaae3	`#2 0x781064 in _dwarf_setup /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:722:14`
Packit	cdaae3	`#3 0x77d59c in dwarf_object_init /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_init_finish.c:922:20`
Packit	cdaae3	`#4 0x899d4f in dwarf_elf_init_file_ownership /`
Packit	cdaae3
Packit	cdaae3	`With Ubuntu 16.04 libelf one gets:`
Packit	cdaae3	`ERROR: dwarf_elf_init: DW_DLE_ELF_STRPTR_ERROR (30)`
Packit	cdaae3	`a call to elf_strptr() failed trying to get a section name`
Packit	cdaae3
Packit	cdaae3	`datefixed:`
Packit	cdaae3	`references: regressiontests/marcel/crash3`
Packit	cdaae3	`gitfixid:`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-003`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-002`
Packit	cdaae3	`cve: CVE-2017-9054`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in _dwarf_decode_s_leb128_chk()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: 2/7. In _dwarf_decode_s_leb128_chk()`
Packit	cdaae3	`a byte pointer was dereferenced just before was checked`
Packit	cdaae3	`as being in bounds.`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output:`
Packit	cdaae3	`.debug_line: line number info for a single cu`
Packit	cdaae3	`==180103==ERROR: AddressSanitizer: heap-buffer-overflow`
Packit	cdaae3	`on address 0x610000007ffc at pc 0x0000007b0f5b`
Packit	cdaae3	`bp 0x7ffe06bbf510 sp 0x7ffe06bbf508`
Packit	cdaae3	`READ of size 1 at 0x610000007ffc thread T0`
Packit	cdaae3	`#0 0x7b0f5a in _dwarf_decode_s_leb128_chk /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/dwarf_leb.c:304:9`
Packit	cdaae3	`#1 0x7e753e in read_line_table_program /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/./`
Packit	cdaae3	`dwarf_line_table_reader_common.c:1167:17`
Packit	cdaae3	`#2 0x7d7fe3 in _dwarf_internal_srclines /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/./dwarf_line.c:690:15`
Packit	cdaae3	`#3 0x7f9dbb in dwarf_srclines_b /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/libdwarf/./dwarf_line.c:944:12`
Packit	cdaae3	`#4 0x5caaa5 in print_line_numbers_this_cu /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/print_lines.c:762:16`
Packit	cdaae3
Packit	cdaae3	`After fix applied one gets:`
Packit	cdaae3	`ERROR: dwarf_srclines: DW_DLE_LEB_IMPROPER (329)`
Packit	cdaae3	`Runs off end of section or CU`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-03-21`
Packit	cdaae3	`references: regressiontests/marcel/crash2`
Packit	cdaae3	`gitfixid: cc37d6917011733d776ae228af4e5d6abe9613c1`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-002`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201703-001`
Packit	cdaae3	`cve: CVE-2017-9055`
Packit	cdaae3	`datereported: 2017-03-21`
Packit	cdaae3	`reportedby: Marcel Bohme and Van-Thuan Pham`
Packit	cdaae3	`vulnerability: Heap overflow in dwarf_formsdata`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: 1/7. In dwarf_formsdata() a few`
Packit	cdaae3	`data types were not checked as being in bounds.`
Packit	cdaae3	`The test object is intentionally corrupted (fuzzed).`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`A portion of sanitizer output:`
Packit	cdaae3	`LOCAL_SYMBOLS:`
Packit	cdaae3	`< 1><0x0000002f> DW_TAG_subprogram`
Packit	cdaae3
Packit	cdaae3	`==180088==ERROR: AddressSanitizer: heap-buffer-overflow on`
Packit	cdaae3	`address 0x60800000bf72 at pc 0x0000006cab95 bp`
Packit	cdaae3	`0x7fff31425830 sp 0x7fff31425828`
Packit	cdaae3	`READ of size 1 at 0x60800000bf72 thread T0`
Packit	cdaae3	`#0 0x6cab94 in dwarf_formsdata /home/ubuntu/subjects/`
Packit	cdaae3	`build-asan/libdwarf/libdwarf/dwarf_form.c:937:9`
Packit	cdaae3	`#1 0x567daf in get_small_encoding_integer_and_name /home/`
Packit	cdaae3	`ubuntu/subjects/build-asan/libdwarf/dwarfdump/print_die.c:1533:16`
Packit	cdaae3	`#2 0x576f38 in check_for_type_unsigned /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/print_die.c:4301:11`
Packit	cdaae3	`#3 0x56ad8c in formxdata_print_value /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/print_die.c:4374:39`
Packit	cdaae3	`#4 0x5643be in get_attr_value /home/ubuntu/`
Packit	cdaae3	`subjects/build-asan/libdwarf/dwarfdump/print_die.c:5140:24`
Packit	cdaae3	`#5 0x555f86 in print_attribute /home/ubuntu/subjects/build`
Packit	cdaae3	`...`
Packit	cdaae3
Packit	cdaae3	`After fixes applied dwarfdump gets:`
Packit	cdaae3	`ERROR: dwarf_attrlist: DW_DLE_DW_DLE_ATTR_OUTSIDE_SECTION(281)`
Packit	cdaae3
Packit	cdaae3	`datefixed: 2017-03-21`
Packit	cdaae3	`references: regressiontests/marcel/crash1`
Packit	cdaae3	`gitfixid: cc37d6917011733d776ae228af4e5d6abe9613c1`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec: DW201703-001`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201611-006`
Packit	cdaae3	`cve: CVE-2016-9480`
Packit	cdaae3	`datereported: 2016-11-14`
Packit	cdaae3	`reportedby: Puzzor (Shi Ji)`
Packit	cdaae3	`vulnerability: Heap buffer overflow`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: An object with corrupt contents causes a memory reference`
Packit	cdaae3	`out of bounds, a heap buffer overflow reference.`
Packit	cdaae3
Packit	cdaae3	`heap-buffer-overflow in dwarf_util.c:208 for val_ptr`
Packit	cdaae3
Packit	cdaae3	`# Version`
Packit	cdaae3	`bb9a3492ac5713bed9cf3ae58ddb7afa6e9e98f8`
Packit	cdaae3	`(in regression tests here named heap_buf_overflow.o)`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`# ASAN Output`
Packit	cdaae3	`<0> tag: 17 DW_TAG_compile_unit name: "strstrnocase.c" FORM 0xe "DW_FORM_strp"`
Packit	cdaae3	`<1> tag: 46 DW_TAG_subprogram name: "is_strstrnocase" FORM 0xe "DW_FORM_strp"`
Packit	cdaae3	`=================`
Packit	cdaae3	`==1666==ERROR: AddressSanitizer: heap-buffer-overflow on address`
Packit	cdaae3	`0xb5846db9 at p`
Packit	cdaae3	`c 0x080b3a1b bp 0xbfa75d18 sp 0xbfa75d08`
Packit	cdaae3	`READ of size 1 at 0xb5846db9 thread T0`
Packit	cdaae3	`#0 0x80b3a1a in _dwarf_get_size_of_val /home/puzzor/libdwarf-code/`
Packit	cdaae3	`libdwarf/dwarf_util.c:208`
Packit	cdaae3	`#1 0x8056602 in _dwarf_next_die_info_ptr /home/puzzor/libdwarf-code/`
Packit	cdaae3	`libdwarf/dwarf_die_deliv.c:1353`
Packit	cdaae3	`#2 0x8057f4b in dwarf_child /home/puzzor/libdwarf-code/libdwarf/`
Packit	cdaae3	`dwarf_die_de liv.c:1688`
Packit	cdaae3	`#3 0x804b5fa in get_die_and_siblings simplereader.c:637`
Packit	cdaae3	`#4 0x804b65c in get_die_and_siblings simplereader.c:643`
Packit	cdaae3	`#5 0x804b3f3 in read_cu_list simplereader.c:611`
Packit	cdaae3	`#6 0x804aeae in main simplereader.c:533`
Packit	cdaae3	`#7 0xb6ffe275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)`
Packit	cdaae3	`#8 0x80491c0 (/home/puzzor/libdwarf-code/dwarfexample/simplereader+`
Packit	cdaae3	`0x80491c 0)`
Packit	cdaae3
Packit	cdaae3	`0xb5846db9 is located 0 bytes to the right of 249-byte region`
Packit	cdaae3	`[0xb5846cc0,0xb5846db9)`
Packit	cdaae3	`allocated by thread T0 here:`
Packit	cdaae3	`#0 0xb727fae4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.`
Packit	cdaae3	`3+ 0xc3ae4)`
Packit	cdaae3	`#1 0xb71a9b98 (/usr/lib/i386-linux-gnu/libelf.so.1+0x9b98)`
Packit	cdaae3
Packit	cdaae3	`For the orignal bug report see`
Packit	cdaae3
Packit	cdaae3	`https://sourceforge.net/p/libdwarf/bugs/5/`
Packit	cdaae3
Packit	cdaae3	`datefixed: 2016-11-16`
Packit	cdaae3	`references: regressiontests/puzzor/heap_buf_overflow.o`
Packit	cdaae3	`gitfixid: 5dd64de047cd5ec479fb11fe7ff2692fd819e5e5`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201611-005`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2016-11-11`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: negation of -9223372036854775808 cannot be represented in type`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: With the right bit pattern in a signed leb number`
Packit	cdaae3	`the signed leb decode would execute an unary minus with undefined`
Packit	cdaae3	`effect. This is not known to generate an incorrect value,`
Packit	cdaae3	`but it could, one supposes.`
Packit	cdaae3	`datefixed: 2016-11-11`
Packit	cdaae3	`references: regressiontests/sarubbo-2/00050-libdwarf-negate-itself`
Packit	cdaae3	`gitfixid: 4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201611-004`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2016-11-02`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Heap overflow in dwarf_skim_forms()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: If a non-terminated string`
Packit	cdaae3	`in a DWARF5 macro section`
Packit	cdaae3	`ends a section it can result in accessing memory not`
Packit	cdaae3	`in the application. dwarf_macro5.c(in _dwarf_skim_forms()).`
Packit	cdaae3	`datefixed: 2016-11-04`
Packit	cdaae3	`references: regressiontests/sarubbo-2/00027-libdwarf-heapoverflow-_dwarf_skim_forms`
Packit	cdaae3	`gitfixid: 583f8834083b5ef834c497f5b47797e16101a9a6`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201611-003`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2016-11-02`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Bad aranges length leads to overflow and bad pointer`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: in dwarf_arange.c(dwarf_get_aranges_list) an aranges`
Packit	cdaae3	`header with corrupt data could, with an overflowing calculation,`
Packit	cdaae3	`result in pointers to invalid or inappropriate memory being`
Packit	cdaae3	`dereferenced.`
Packit	cdaae3	`datefixed: 2016-11-04`
Packit	cdaae3	`references: regressiontests/sarubbo-2/00026-libdwarf-heapoverflow-dwarf_get_aranges_list`
Packit	cdaae3	`gitfixid: 583f8834083b5ef834c497f5b47797e16101a9a6`
Packit	cdaae3	`tarrelease: libdwarf-20170416.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201611-002`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2016-11-02`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: heap overflow in get_attr_value`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Libdwarf failed to check for a bogus`
Packit	cdaae3	`length in dwarf_form.c (dwarf_formblock()) resulting`
Packit	cdaae3	`in a pointer pointing outside of the intended memory`
Packit	cdaae3	`region. Anything could happen in the subsequent`
Packit	cdaae3	`use of the bogus pointer.`
Packit	cdaae3
Packit	cdaae3	`0x61300000de1c is located 0 bytes to the right of 348-byte region`
Packit	cdaae3	`[0x61300000dcc0,0x61300000de1c)`
Packit	cdaae3	`allocated by thread T0 here:`
Packit	cdaae3	`#0 0x4c0ad8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-`
Packit	cdaae3	`r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52`
Packit	cdaae3	`#1 0x7f883cfc6206 in __libelf_set_rawdata_wrlock /tmp/portage/dev-`
Packit	cdaae3	`libs/elfutils-0.166/work/elfutils-0.166/libelf/elf_getdata.c:318`
Packit	cdaae3
Packit	cdaae3	`datefixed: 2016-11-04`
Packit	cdaae3	`references: regressiontests/sarubbo-2/00025-libdwarf-heapoverflow-get_attr_value`
Packit	cdaae3	`gitfixid: 583f8834083b5ef834c497f5b47797e16101a9a6`
Packit	cdaae3	`tarrelease: libdwarf-20170416.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201611-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 2016-11-02`
Packit	cdaae3	`reportedby: Agostino Sarubbo`
Packit	cdaae3	`vulnerability: Memory allocation failure in do_decompress_zlib`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: In decompressing a zlib compressed section if`
Packit	cdaae3	`the decompressed section size is nonsense (too large)`
Packit	cdaae3	`an attempted malloc will fail and could let an exception`
Packit	cdaae3	`propagate to callers.`
Packit	cdaae3
Packit	cdaae3	`==27994==WARNING: AddressSanitizer failed to allocate 0x62696c2f7273752f`
Packit	cdaae3	`bytes ==27994==AddressSanitizer's allocator is terminating the process`
Packit	cdaae3	`instead of returning 0`
Packit	cdaae3	`...`
Packit	cdaae3	`#6 0x4c0ab1 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-`
Packit	cdaae3	`r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53`
Packit	cdaae3	`#7 0x5b582e in do_decompress_zlib`
Packit	cdaae3	`/tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1085:12`
Packit	cdaae3	`#8 0x5b582e in _dwarf_load_section`
Packit	cdaae3	`/tmp/dwarf-20161021/libdwarf/dwarf_init_finish.c:1159`
Packit	cdaae3	`#9 0x5bb479 in dwarf_srcfiles`
Packit	cdaae3	`/tmp/dwarf-20161021/libdwarf/./dwarf_line.c:336:11`
Packit	cdaae3	`#10 0x5145cd in print_one_die_section`
Packit	cdaae3
Packit	cdaae3	`datefixed: 2016-11-04`
Packit	cdaae3	`references: regressiontests/sarubbo-2/00024-libdwarf-memalloc-do_decompress_zlib`
Packit	cdaae3	`gitfixid: 583f8834083b5ef834c497f5b47797e16101a9a6`
Packit	cdaae3	`tarrelease: libdwarf-20170416.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201609-004`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 20160917`
Packit	cdaae3	`reportedby: Puzzor`
Packit	cdaae3	`vulnerability: libdwarf 20160613 Out-of-Bounds read`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: read line table program Out-of-Bounds read`
Packit	cdaae3	`line_ptr in dwarf_line_table_reader_common.c:1433 Out-of-Bounds read`
Packit	cdaae3	`See:`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1377015`
Packit	cdaae3	`https://sourceforge.net/p/libdwarf/bugs/4/`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`# Address Sanitizer Output`
Packit	cdaae3	`==27763==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4603f84 at pc 0x8408ede bp 0xffff6518 sp 0xffff6510`
Packit	cdaae3	`READ of size 1 at 0xf4603f84 thread T0`
Packit	cdaae3	`#0 0x8408edd in read_line_table_program /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line_table_reader_common.c:1433`
Packit	cdaae3	`#1 0x83f716c in _dwarf_internal_srclines /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:690`
Packit	cdaae3	`#2 0x841436c in dwarf_srclines_b /home/puzzor/test-fuzzing/code/libdwarf/./dwarf_line.c:944`
Packit	cdaae3	`#3 0x81fbc28 in print_line_numbers_this_cu /home/puzzor/test-fuzzing/code/dwarfdump/print_lines.c:763`
Packit	cdaae3	`#4 0x815c191 in print_one_die_section /home/puzzor/test-fuzzing/code/dwarfdump/print_die.c:850`
Packit	cdaae3	`#5 0x81565c1 in print_infos /home/puzzor/test-fuzzing/code/dwarfdump`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160923`
Packit	cdaae3	`references: regressiontests/DW201609-004/poc`
Packit	cdaae3	`gitfixid: 3767305debcba8bd7e1c483ae48c509d25399252`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201609-003`
Packit	cdaae3	`cve: CVE-2016-7410`
Packit	cdaae3	`datereported: 20160913`
Packit	cdaae3	`reportedby: https://marc.info/?l=oss-security&m=147391785920048&w=2`
Packit	cdaae3	`vulnerability: libdwarf 20160613 heap-buffer-overflow`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: With AddressSanitizer,`
Packit	cdaae3	`we found a Heap-Buffer-overflow in the latest`
Packit	cdaae3	`release version of dwarfdump. The crash output is as follows:`
Packit	cdaae3
Packit	cdaae3	`See also:`
Packit	cdaae3	`https://marc.info/?l=oss-security&m=147378394815872&w=2`
Packit	cdaae3	`The testcase poc is from this web page.`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`==17411==ERROR: AddressSanitizer: heap-buffer-overflow on address`
Packit	cdaae3	`0xf3808904 at pc 0x80a6f76 bp 0xffb95e78 sp 0xffb95a5c`
Packit	cdaae3	`READ of size 4 at 0xf3808904 thread T0`
Packit	cdaae3	`==17411==WARNING: Trying to symbolize code, but external symbolizer is`
Packit	cdaae3	`not initialized!`
Packit	cdaae3	`#0 0x80a6f75 in __interceptor_memcpy ??:?`
Packit	cdaae3	`#1 0x8426c3b in _dwarf_read_loc_section`
Packit	cdaae3	`/home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:919`
Packit	cdaae3	`#2 0x84250e2 in _dwarf_get_loclist_count`
Packit	cdaae3	`/home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc.c:970`
Packit	cdaae3	`#3 0x8438826 in dwarf_get_loclist_c`
Packit	cdaae3	`/home/starlab/fuzzing/dwarf-20160613/libdwarf/./dwarf_loc2.c:551`
Packit	cdaae3	`#4 0x81a1be8 in get_location_list`
Packit	cdaae3	`/home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:3523`
Packit	cdaae3	`#5 0x816e1a2 in print_attribute`
Packit	cdaae3
Packit	cdaae3	`_dwarf_get_loclist_header_start() is not cautious about values`
Packit	cdaae3	`in the header being absurdly large.`
Packit	cdaae3	`Unclear as yet if this is the problem`
Packit	cdaae3	`but it is a potential problem (fixed for next release).`
Packit	cdaae3
Packit	cdaae3	`Address Sanitizer in gcc reproduces the report.`
Packit	cdaae3	`In _dwarf_read_loc_section() the simple calculation of`
Packit	cdaae3	`loc_section_end was wrong, so end-of section was`
Packit	cdaae3	`incorrect for the local reads.`
Packit	cdaae3	`With that fixed we get DW_DLE_READ_LITTLEENDIAN_ERROR when`
Packit	cdaae3	`libdwarf attempts to read off end of section.`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160923`
Packit	cdaae3	`references: regressiontests/DW201609-003/poc`
Packit	cdaae3	`gitfixid: 3767305debcba8bd7e1c483ae48c509d25399252`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201609-002`
Packit	cdaae3	`cve: CVE-2016-7511`
Packit	cdaae3	`datereported: 20160918`
Packit	cdaae3	`reportedby: Shi Ji (@Puzzor)`
Packit	cdaae3	`vulnerability: libdwarf 20160613 Integer Overflow`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: In dwarf_get_size_of_val() with`
Packit	cdaae3	`fuzzed DWARF data we get a SEGV.`
Packit	cdaae3
Packit	cdaae3	`See`
Packit	cdaae3	`https://sourceforge.net/p/libdwarf/bugs/3/`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`==6825== ERROR: AddressSanitizer: SEGV on unknown address 0x0583903c (pc 0xb61f1a98 sp 0xbfa388b4 bp 0xbfa38d08 T0)`
Packit	cdaae3	`AddressSanitizer can not provide additional info.`
Packit	cdaae3	`#1 0xb61e3c0b (/usr/lib/i386-linux-gnu/libasan.so.0+0xdc0b)`
Packit	cdaae3	`#2 0x80a21b1 in _dwarf_get_size_of_val /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_util.c:210`
Packit	cdaae3	`#3 0x8054214 in _dwarf_next_die_info_ptr /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1340`
Packit	cdaae3	`#4 0x80557a5 in dwarf_child /home/fuzzing/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1640`
Packit	cdaae3	`#5 0x804b23f in get_die_and_siblings /home/fuzzing/fuzzing/dwarf-20160613/dwarfexample/./simplereader.c:573`
Packit	cdaae3
Packit	cdaae3	`_dwarf_make_CU_Context() is insufficiently cautious about`
Packit	cdaae3	`the length of a CU being absurd.`
Packit	cdaae3	`Unclear as yet if this is the problem`
Packit	cdaae3	`but it is a problem and is fixed for next release.`
Packit	cdaae3	`datefixed: 20160923`
Packit	cdaae3	`references: regressiontests/DW201609-002/DW201609-002-poc`
Packit	cdaae3	`gitfixid: 3767305debcba8bd7e1c483ae48c509d25399252`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201609-001`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 20160916`
Packit	cdaae3	`reportedby: STARLAB`
Packit	cdaae3	`https://sourceforge.net/p/libdwarf/bugs/2/`
Packit	cdaae3	`vulnerability: libdwarf 20160613 die_info_ptr in dwarf_die_deliv.c: 1533 Out-Of_bounds`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: At line 1533 of dwarf_die_deliv.c a`
Packit	cdaae3	`pointer dereference is done with a pointer pointing`
Packit	cdaae3	`past the end of the CU data.`
Packit	cdaae3
Packit	cdaae3	`see`
Packit	cdaae3	`https://sourceforge.net/p/libdwarf/bugs/2/`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`==8054==ERROR: AddressSanitizer: heap-buffer-overflow on`
Packit	cdaae3	`address 0xf4c027ab at pc 0x819e4a4 bp 0xff88eb38 sp 0xff88eb30`
Packit	cdaae3	`READ of size 1 at 0xf4c027ab thread T0`
Packit	cdaae3	`#0 0x819e4a3 in dwarf_siblingof_b /home/starlab/fuzzing/dwarf-20160613/libdwarf/dwarf_die_deliv.c:1533`
Packit	cdaae3	`#1 0x8116201 in print_die_and_children_internal /home/starlab/fuzzing/dwarf-20160613/dwarfdump/print_die.c:1157`
Packit	cdaae3	`Bug report on sourceforge.net bug list for libdwarf.`
Packit	cdaae3	`The bad pointer dereference is due to libdwarf`
Packit	cdaae3	`not noticing that the DWARF in that file is corrupt.`
Packit	cdaae3	`In addtion`
Packit	cdaae3	`The code was not noticing that it could dereference`
Packit	cdaae3	`a pointer that pointed out of bounds in the end-sibling-list`
Packit	cdaae3	`loop.`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`The example from the bug report (DW201609-001-poc) has`
Packit	cdaae3	`the same problem.`
Packit	cdaae3	`dwarfdump now reports DW_DLE_SIBLING_LIST_IMPROPER`
Packit	cdaae3	`on both test2.o and DW201609-001-poc.`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160917`
Packit	cdaae3	`references: regressiontests/DW201609-001/test2.o`
Packit	cdaae3	`regressiontests/DW201609-001/DW201609-001-poc`
Packit	cdaae3	`gitfixid: 3767305debcba8bd7e1c483ae48c509d25399252`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-019`
Packit	cdaae3	`cve: CVE-2016-5028`
Packit	cdaae3	`datereported: 20160523`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: Null dereference in print_frame_inst_bytes (dwarfdump)`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: The null dereference is due to a corrupted`
Packit	cdaae3	`object file. Libdwarf was not dealing with empty (bss-like)`
Packit	cdaae3	`sections since it really did not expect to see such in`
Packit	cdaae3	`sections it reads! Now libdwarf catches the object error`
Packit	cdaae3	`so dwarfdump sees the section as empty (as indeed it is!).`
Packit	cdaae3	`datefixed: 20160523`
Packit	cdaae3	`references: regressiontests/liu/NULLdeference0522c.elf`
Packit	cdaae3	`gitfixid: a55b958926cc67f89a512ed30bb5a22b0adb10f4`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-018`
Packit	cdaae3	`cve: CVE-2016-5029`
Packit	cdaae3	`datereported: 20160522`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: Null dereference in create_fullest_file_path().`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: The null dereference in create_fullest_file_path()`
Packit	cdaae3	`causes a crash. This is due to corrupted dwarf and the fix`
Packit	cdaae3	`detects this corruption and if that null string pointer`
Packit	cdaae3	`happens undetected a static string is substituted so`
Packit	cdaae3	`readers can notice the situation.`
Packit	cdaae3
Packit	cdaae3	`202 }`
Packit	cdaae3	`203 if (dirno > 0 && fe->fi_dir_index > 0) {`
Packit	cdaae3	`204 inc_dir_name = (char *)`
Packit	cdaae3	`line_context->lc_include_directories[`
Packit	cdaae3	`205 fe->fi_dir_index - 1];`
Packit	cdaae3	`206 incdirnamelen = strlen(inc_dir_name); <- $pc`
Packit	cdaae3	`207 }`
Packit	cdaae3	`208 full_name = (char *) _dwarf_get_alloc(dbg,`
Packit	cdaae3
Packit	cdaae3	`#0 create_fullest_file_path (dbg=<optimized out>,`
Packit	cdaae3	`fe=0x68d510, line_context=0x68c4f0, name_ptr_out=`
Packit	cdaae3	`out>, error=0x7fffffffe2b8) at ./dwarf_line.c:206`
Packit	cdaae3
Packit	cdaae3	`#1 0x00007ffff7b6d3f9 in dwarf_filename (context=`
Packit	cdaae3	`out>, fileno_in=<optimized out>, ret_filename=0x7fffffffe280,`
Packit	cdaae3	`error=0x7fffffffe2b8) at ./dwarf_line.c:1418`
Packit	cdaae3
Packit	cdaae3	`#2 dwarf_linesrc (line=<optimized out>,`
Packit	cdaae3	`ret_linesrc=<optimized out>, error=<optimized out>) at`
Packit	cdaae3	`./dwarf_line.c:1436`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160522`
Packit	cdaae3	`references: regressiontests/liu/NULLdereference0522.elf`
Packit	cdaae3	`gitfixid: acae971371daa23a19358bc62204007d258fbc5e`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-017`
Packit	cdaae3	`cve: CVE-2016-5030`
Packit	cdaae3	`datereported: 20160519`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: Null dereference bug in _dwarf_calculate_info_section_end_ptr().`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3	`NULL dereference bug in _dwarf_calculate_info_section_end_ptr().`
Packit	cdaae3
Packit	cdaae3	`1742 Dwarf_Off off2 = 0;`
Packit	cdaae3	`1743 Dwarf_Small *dataptr = 0;`
Packit	cdaae3	`1744`
Packit	cdaae3	`1745 dbg = context->cc_dbg;`
Packit	cdaae3	`1746 dataptr = context->cc_is_info? dbg->de_debug_info.dss_data: <- $pc`
Packit	cdaae3	`1747 dbg->de_debug_types.dss_data;`
Packit	cdaae3	`1748 off2 = context->cc_debug_offset;`
Packit	cdaae3	`1749 info_start = dataptr + off2;`
Packit	cdaae3	`1750 info_end = info_start + context->cc_length +`
Packit	cdaae3
Packit	cdaae3	`#0 _dwarf_calculate_info_section_end_ptr`
Packit	cdaae3	`(context=context@entry=0x0) at dwarf_query.c:1746`
Packit	cdaae3
Packit	cdaae3	`#1 0x00002aaaaace307d in`
Packit	cdaae3	`_dwarf_extract_string_offset_via_str_offsets`
Packit	cdaae3	`(dbg=dbg@entry=0x655a70, info_data_ptr=0x6629f0`
Packit	cdaae3	`"", attrnum=attrnum@entry=121,`
Packit	cdaae3	`attrform=attrform@entry=26, cu_context=0x0,`
Packit	cdaae3	`str_sect_offset_out=str_sect_offset_out@entry=0x7fffffffd718,`
Packit	cdaae3	`error=error@entry=0x7fffffffd878) at dwarf_form.c:1099`
Packit	cdaae3
Packit	cdaae3	`#2 0x00002aaaaacf4ed7 in dwarf_get_macro_defundef`
Packit	cdaae3	`(macro_context=macro_context@entry=0x65b790,`
Packit	cdaae3	`op_number=op_number@entry=1,`
Packit	cdaae3	`line_number=line_number@entry=0x7fffffffd858,`
Packit	cdaae3	`index=index@entry=0x7fffffffd860,`
Packit	cdaae3	`offset=offset@entry=0x7fffffffd868,`
Packit	cdaae3	`forms_count=forms_count@entry=0x7fffffffd7ce,`
Packit	cdaae3	`macro_string=macro_string@entry=0x7fffffffd870,`
Packit	cdaae3	`error=error@entry=0x7fffffffd878) at dwarf_macro5.c:557`
Packit	cdaae3
Packit	cdaae3	`------`
Packit	cdaae3
Packit	cdaae3	`_dwarf_calculate_info_section_end_ptr (context=context@entry=0x0) at`
Packit	cdaae3	`dwarf_query.c:1746`
Packit	cdaae3	`1746 dataptr = context->cc_is_info? dbg->de_debug_info.dss_data:`
Packit	cdaae3	`gef> p/x $rdi`
Packit	cdaae3	`$4 = 0x0`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160522`
Packit	cdaae3	`references: regressiontests/liu/NULLdereference0519.elf`
Packit	cdaae3	`gitfixid: 6fa3f710ee6f21bba7966b963033a91d77c952bd`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-016`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 20160519`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: Invalid dwarf leads to`
Packit	cdaae3	`dwarfdump crash in print_frame_inst_bytes.`
Packit	cdaae3	`product: dwarfdump`
Packit	cdaae3	`description: Corrupted dwarf crashes dwarfdump`
Packit	cdaae3
Packit	cdaae3	`1297 }`
Packit	cdaae3	`1298 len = len_in;`
Packit	cdaae3	`1299 endpoint = instp + len;`
Packit	cdaae3	`1300 for (; len > 0;) {`
Packit	cdaae3	`1301 unsigned char ibyte = *instp; <- $pc`
Packit	cdaae3	`1302 int top = ibyte & 0xc0;`
Packit	cdaae3	`1303 int bottom = ibyte & 0x3f;`
Packit	cdaae3	`1304 int delta = 0;`
Packit	cdaae3	`1305 int reg = 0;`
Packit	cdaae3
Packit	cdaae3	`#0 print_frame_inst_bytes (dbg=dbg@entry=0x655ca0,`
Packit	cdaae3	`cie_init_inst=<optimized out>, len_in=<optimized out>,`
Packit	cdaae3	`data_alignment_factor=-4, code_alignment_factor=4,`
Packit	cdaae3	`addr_size=addr_size@entry=4, offset_size=4, version=3,`
Packit	cdaae3	`config_data=config_data@entry=0x63cda0 <g_config_file_data>)`
Packit	cdaae3	`at print_frames.c:1301`
Packit	cdaae3
Packit	cdaae3	`#1 0x000000000041b70c in print_one_cie`
Packit	cdaae3	`(dbg=dbg@entry=0x655ca0, cie=<optimized out>,`
Packit	cdaae3	`cie_index=cie_index@entry=2, address_size=<optimized out>,`
Packit	cdaae3	`config_data=config_data@entry=0x63cda0 <g_config_file_data>)`
Packit	cdaae3	`at print_frames.c:1161`
Packit	cdaae3
Packit	cdaae3	`#2 0x000000000041cf52 in print_frames (dbg=0x655ca0,`
Packit	cdaae3	`print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0,`
Packit	cdaae3	`config_data=config_data@entry=0x63cda0 <g_config_file_data>)`
Packit	cdaae3	`at print_frames.c:2229`
Packit	cdaae3
Packit	cdaae3	`gef> p/x $r13`
Packit	cdaae3	`$1 = 0x4bcad8`
Packit	cdaae3	`gef> p/x *$r13`
Packit	cdaae3	`Cannot access memory at address 0x4bcad8`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160522`
Packit	cdaae3	`references: regressiontests/liu/OOB_READ0519.elf`
Packit	cdaae3	`gitfixid: 6fa3f710ee6f21bba7966b963033a91d77c952bd`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-015`
Packit	cdaae3	`cve: CVE-2016-5031`
Packit	cdaae3	`datereported: 20160517`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in print_frame_inst_bytes()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`an invalid read in print_frame_inst_bytes().`
Packit	cdaae3
Packit	cdaae3	`1294 for (; len > 0;) {`
Packit	cdaae3	`1295 unsigned char ibyte = *instp; <- $pc`
Packit	cdaae3	`1296 int top = ibyte & 0xc0;`
Packit	cdaae3
Packit	cdaae3	`#0 print_frame_inst_bytes (dbg=dbg@entry=0x654c80,`
Packit	cdaae3	`cie_init_inst=<optimized out>, len=503715, data_alignment_factor=-4,`
Packit	cdaae3	`code_alignment_factor=1, addr_size=addr_size@entry=4, offset_size=4,`
Packit	cdaae3	`version=3, config_data=config_data@entry=0x63bda0`
Packit	cdaae3	`<g_config_file_data>) at print_frames.c:1295`
Packit	cdaae3	`#1 0x000000000041b64c in print_one_cie (dbg=dbg@entry=0x654c80,`
Packit	cdaae3	`cie=<optimized out>, cie_index=cie_index@entry=1,`
Packit	cdaae3	`address_size=<optimized out>, config_data=`
Packit	cdaae3	`config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:1161`
Packit	cdaae3	`#2 0x000000000041ce92 in print_frames (dbg=0x654c80,`
Packit	cdaae3	`print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0,`
Packit	cdaae3	`config_data=config_data@entry=0x63bda0 <g_config_file_data>)`
Packit	cdaae3	`at print_frames.c:2209`
Packit	cdaae3
Packit	cdaae3	`gef> x/10x $r13`
Packit	cdaae3	`0x5e7981: Cannot access memory at address 0x5e7981`
Packit	cdaae3	`gef> p/x $r13`
Packit	cdaae3	`$14 = 0x5e7981`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20150518`
Packit	cdaae3	`references: regressiontests/liu/OOB0517_03.elf`
Packit	cdaae3	`gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-014`
Packit	cdaae3	`cve: CVE-2016-5032`
Packit	cdaae3	`datereported: 20160517`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in dwarf_get_xu_hash_entry()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`an invalid read in dwarf_get _xu_hash_entry, lin 211.`
Packit	cdaae3
Packit	cdaae3	`#0 dwarf_get_xu_hash_entry (xuhdr=xuhdr@entry=0x657360,`
Packit	cdaae3	`index=index@entry=2897626028, hash_value=`
Packit	cdaae3	`hash_value@entry=0x7fffffffd5b0,`
Packit	cdaae3	`index_to_sections=index_to_sections@entry=0x7fffffffd5a8,`
Packit	cdaae3	`err=err@entry=0x7fffffffdb08) at dwarf_xu_index.c:211`
Packit	cdaae3	`#1 0x00002aaaaacfd05e in _dwarf_search_fission_for_key (`
Packit	cdaae3	`dbg=0x654a50, error=0x7fffffffdb08, percu_index_out=<synthetic pointer>,`
Packit	cdaae3	`key_in=0x7fffffffd670, xuhdr=0x657360) at dwarf_xu_index.c:363`
Packit	cdaae3	`#2 dwarf_get_debugfission_for_key (dbg=dbg@entry=0x654a50,`
Packit	cdaae3	`key=key@entry=0x7fffffffd670, key_type=key_type@entry=0x2aaaaad15e2a`
Packit	cdaae3	`"tu", percu_out=percu_out@entry=0x65a830,`
Packit	cdaae3	`error=error@entry=0x7fffffffdb08) at dwarf_xu_index.c:577`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20150518`
Packit	cdaae3	`references: regressiontests/liu/OOB0517_02.elf`
Packit	cdaae3	`gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-013`
Packit	cdaae3	`cve: CVE-2016-5033`
Packit	cdaae3	`datereported: 20160517`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in print_exprloc_content`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`an invalid write in print_exprloc_content.`
Packit	cdaae3
Packit	cdaae3	`#0 print_exprloc_content (dbg=dbg@entry=0x654ea0,`
Packit	cdaae3	`die=die@entry=0x65b110, attrib=attrib@entry=0x65b590,`
Packit	cdaae3	`esbp=esbp@entry=0x7fffffffcef0, showhextoo=1) at print_die.c:4182`
Packit	cdaae3	`#1 0x0000000000412fb1 in get_attr_value (dbg=dbg@entry=0x654ea0,`
Packit	cdaae3	`tag=<optimized out>, die=die@entry=0x65b110,`
Packit	cdaae3	`dieprint_cu_goffset=dieprint_cu_goffset@entry=11,`
Packit	cdaae3	`attrib=attrib@entry=0x65b590, srcfiles=srcfiles@entry=0x0,`
Packit	cdaae3	`cnt=cnt@entry=0, esbp=esbp@entry=0x7fffffffcef0, show_form=0,`
Packit	cdaae3	`local_verbose=0) at print_die.c:4972`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20150518`
Packit	cdaae3	`references: regressiontests/liu/OOB0517_01.elf`
Packit	cdaae3	`gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-012`
Packit	cdaae3	`cve: CVE-2016-5034`
Packit	cdaae3	`datereported: 20160513`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB write. From relocation records`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`an invalid write in dwarf_elf_access.c`
Packit	cdaae3	`(when doing the relocations).`
Packit	cdaae3	`Adding the relocation value to anything overflowed`
Packit	cdaae3	`and disguised the bad relocation record.`
Packit	cdaae3	`With a 32bit kernel build the test could show`
Packit	cdaae3	`a double-free and coredump due to the unchecked invalid`
Packit	cdaae3	`writes from relocations.`
Packit	cdaae3	`datefixed: 20160517`
Packit	cdaae3	`references: regressiontests/liu/HeapOverflow0513.elf`
Packit	cdaae3	`gitfixid: 10ca310f64368dc083efacac87732c02ef560a92`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-011`
Packit	cdaae3	`cve: CVE-2016-5035`
Packit	cdaae3	`datereported: 20160506`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in _dwarf_read_line_table_header`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`null dereference at line 62`
Packit	cdaae3	`of dwarf_line_table_reader.c.`
Packit	cdaae3	`Frame code and linetable code was not noticing data corruption.`
Packit	cdaae3	`datefixed: 20160512`
Packit	cdaae3	`references: regressiontests/liu/OOB_read4.elf`
Packit	cdaae3	`gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-010`
Packit	cdaae3	`cve: CVE-2016-5036`
Packit	cdaae3	`datereported: 20160506`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in dump_block`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`null dereverence at line 186`
Packit	cdaae3	`of dump_block() in print_sections.c`
Packit	cdaae3	`Frame code was not noticing frame data corruption.`
Packit	cdaae3	`datefixed: 20160512`
Packit	cdaae3	`references: regressiontests/liu/OOB_read3.elf`
Packit	cdaae3	`regressiontests/liu/OOB_read3_02.elf`
Packit	cdaae3	`gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-009`
Packit	cdaae3	`cve: CVE-2016-5037`
Packit	cdaae3	`datereported: 20160505`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: NULL dereference in _dwarf_load_section`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`null dereverence at line 1010`
Packit	cdaae3	`if(!strncmp("ZLIB",(const char *)src,4)) {`
Packit	cdaae3	`in dwarf_init_finish.c`
Packit	cdaae3	`The zlib code was not checking for`
Packit	cdaae3	`a corrupted length-value.`
Packit	cdaae3	`datefixed: 20160506`
Packit	cdaae3	`references: regressiontests/liu/NULLderefer0505_01.elf`
Packit	cdaae3	`gitfixid: b6ec2dfd850929821626ea63fb0a752076a3c08a`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-008`
Packit	cdaae3	`cve: CVE-2016-5038`
Packit	cdaae3	`datereported: 20160505`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read in dwarf_get_macro_startend_file()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`out of bound read.`
Packit	cdaae3	`OOB at:`
Packit	cdaae3	`line 772 *src_file_name = macro_context->mc_srcfiles[trueindex];`
Packit	cdaae3	`in dwarf_macro5.c`
Packit	cdaae3	`A string offset into .debug_str is outside the bounds`
Packit	cdaae3	`of the .debug_str section.`
Packit	cdaae3	`datefixed: 20160512`
Packit	cdaae3	`references: regressiontests/liu/OOB0505_02.elf`
Packit	cdaae3	`regressiontests/liu/OOB0505_02_02.elf`
Packit	cdaae3	`gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b`
Packit	cdaae3	`tarrelease: libdwarf-20160923.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-007`
Packit	cdaae3	`cve: CVE-2016-5039`
Packit	cdaae3	`datereported: 20160505`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: OOB read bug in get_attr_value()`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Test object shows`
Packit	cdaae3	`out of bound read.`
Packit	cdaae3	`Object had data all-bits-on so`
Packit	cdaae3	`the existing length check did not work`
Packit	cdaae3	`due to wraparound. Added a check`
Packit	cdaae3	`not susceptible to that error (DW_DLE_FORM_BLOCK_LENGTH_ERROR).`
Packit	cdaae3	`datefixed: 20160506`
Packit	cdaae3	`references: regressiontests/liu/OOB0505_01.elf`
Packit	cdaae3	`gitfixid: eb1472afac95031d0c9dd8c11d527b865fe7deb8`
Packit	cdaae3	`gittag: 20160507`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-006`
Packit	cdaae3	`cve:`
Packit	cdaae3	`datereported: 20160505`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: Two Heap-Overflow bug`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description: Two test objects showing`
Packit	cdaae3	`a heap overflow in libdwarf when`
Packit	cdaae3	`using dwarfdump.`
Packit	cdaae3	`It seems that these were fixed`
Packit	cdaae3	`by the previous git update.`
Packit	cdaae3	`Neither gdb nor valgrind find any errors`
Packit	cdaae3	`when building with yesterday's commit.`
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/free_invalid_address.elf`
Packit	cdaae3	`regressiontests/liu/heapoverflow01b.elf`
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-001`
Packit	cdaae3	`cve: CVE-2016-5044`
Packit	cdaae3	`datereported: 20160502`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: A specially crafted DWARF section`
Packit	cdaae3	`results in a duplicate free() in libdwarf and`
Packit	cdaae3	`the calling application will crash.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3	`In file dwarf_elf_access.c:1071`
Packit	cdaae3
Packit	cdaae3	`WRITE_UNALIGNED(dbg,target_section + offset,`
Packit	cdaae3	`&outval,sizeof(outval),reloc_size);`
Packit	cdaae3
Packit	cdaae3	`A crafted ELF file may lead to a large offset value, which`
Packit	cdaae3	`bigger than the size of target_section heap chunk, then this`
Packit	cdaae3	`WRITE_UNALIGNED() function will write the value of &outval`
Packit	cdaae3	`out of the heap chunk.`
Packit	cdaae3	`offset is a 64bit unsigned int value, so this is more than`
Packit	cdaae3	`a heap overflow bug, but also a Out-of-Bound write bug.`
Packit	cdaae3	`So WRITE_UNALIGNED() need more strictly checking to prevent`
Packit	cdaae3	`this.`
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/heapoverflow01.elf`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1332141`
Packit	cdaae3
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`gittag: 20160507`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3
Packit	cdaae3	`id: DW201605-002`
Packit	cdaae3	`cve: CVE-2016-5043`
Packit	cdaae3	`datereported: 20160502`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: A specially crafted DWARF section`
Packit	cdaae3	`results in a read outside the bounds of in memory`
Packit	cdaae3	`data so the calling application can crash.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3
Packit	cdaae3	`Out of bound read bug in libdwarf git code.`
Packit	cdaae3
Packit	cdaae3	`dwarf_dealloc() did not check the Dwarf_Ptr space argument`
Packit	cdaae3	`before using it. This will lead to a out-of-bound read bug.`
Packit	cdaae3
Packit	cdaae3	`backtrace:`
Packit	cdaae3	`#0 dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0,`
Packit	cdaae3	`alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477`
Packit	cdaae3	`#1 0x00002aaaaacf3296 in dealloc_srcfiles`
Packit	cdaae3	`(dbg=0x655f30, srcfiles=0x66b8f0, srcfiles_count=17) at`
Packit	cdaae3	`dwarf_macro5.c:1025 #2 0x00002aaaaacf50e6 in dealloc_srcfiles`
Packit	cdaae3	`(srcfiles_count=<optimized out>, srcfiles=<optimized out>,`
Packit	cdaae3	`dbg=<optimized out>) at dwarf_macro5.c:1021 -----`
Packit	cdaae3
Packit	cdaae3	`gef> p &r->rd_dbg`
Packit	cdaae3	`$14 = (void **) 0x90`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/outofbound01.elf`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1332144`
Packit	cdaae3
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-003`
Packit	cdaae3	`cve: CVE-2016-5042`
Packit	cdaae3	`datereported: 20160502`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: A specially crafted DWARF section`
Packit	cdaae3	`results in an infinite loop that eventually`
Packit	cdaae3	`crashes the application.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3	`In dwarf_get_aranges_list()`
Packit	cdaae3	`an invalid count will iterate, reading from memory`
Packit	cdaae3	`addresses that increase till it all fails.`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/infiniteloop.elf`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1332145`
Packit	cdaae3
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-004`
Packit	cdaae3	`cve: CVE-2016-5041`
Packit	cdaae3	`datereported: 20160502`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: A specially crafted DWARF section`
Packit	cdaae3	`results in a null dereference reading debugging`
Packit	cdaae3	`information entries which`
Packit	cdaae3	`crashes the application.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3	`If no DW_AT_name is present in a debugging`
Packit	cdaae3	`information entry using DWARF5 macros`
Packit	cdaae3	`a null dereference in dwarf_macro5.c will`
Packit	cdaae3	`crash the application.`
Packit	cdaae3
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/null01.elf`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1332148`
Packit	cdaae3
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3
Packit	cdaae3	`id: DW201605-005`
Packit	cdaae3	`cve: CVE-2016-5040`
Packit	cdaae3	`datereported: 20160502`
Packit	cdaae3	`reportedby: Yue Liu`
Packit	cdaae3	`vulnerability: A specially crafted DWARF section`
Packit	cdaae3	`results in reading a compilation unit header`
Packit	cdaae3	`that crashes the application.`
Packit	cdaae3	`product: libdwarf`
Packit	cdaae3	`description:`
Packit	cdaae3	`If the data read for a compilation unit header`
Packit	cdaae3	`contains a too large length value the library`
Packit	cdaae3	`will read outside of its bounds and crash the application.`
Packit	cdaae3	`datefixed: 20160504`
Packit	cdaae3	`references: regressiontests/liu/null02.elf`
Packit	cdaae3
Packit	cdaae3	`https://bugzilla.redhat.com/show_bug.cgi?id=1332149`
Packit	cdaae3
Packit	cdaae3	`gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f`
Packit	cdaae3	`tarrelease: libdwarf-20160507.tar.gz`
Packit	cdaae3	`endrec:`
Packit	cdaae3

source-git / libdwarf

Source Code

Blame bugxml/data.txt