Bug 1033087 (CVE-2017-7610)

Summary: VUL-1: CVE-2017-7610: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Martin Liška <martin.liska>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: abergmann, jmoreira, matz, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/183200/
Whiteboard: CVSSv2:NVD:CVE-2017-7610:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-7610:1.9:(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2017-7610:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3:SUSE:CVE-2017-7610:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-7610:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2017-7610_Reproducer

Description Mikhail Kasimov 2017-04-09 18:58:29 UTC
Created attachment 720365 [details]
CVE-2017-7610_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7610
===================================================
Description

The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.

Source:  MITRE      Last Modified:  04/09/2017
===================================================

Hyperlink:

[1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c

[1]:
===================================================
elfutils: heap-based buffer overflow in check_group (elflint.c)
Posted on April 3, 2017 by ago	

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==12804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000041a39f bp 0x7ffee6a331d0 sp 0x7ffee6a331c8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x41a39e in check_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664
    #1 0x420787 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4132
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7ff003f13288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7ff003b6fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7ff003b6fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7ff003b70662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7ff003b70776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x420935 in check_scn_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:544
    #6 0x420935 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3940
    #7 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #8 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #9 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #10 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664 in check_group
==12804==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00137.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00247-elfutils-heapoverflow-check_group

Timeline:
2017-03-28: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

===================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)

Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-readelf -a 00247-elfutils-heapoverflow-check_group 
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 45 4c 46
  Class:                             ELF32
  Data:                              2's complement, big endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           <unknown>
  Version:                           184549632 (???)
  Entry point address:               0x6004
  Start of program headers:          536870912 (bytes into file)
  Start of section headers:          64 (bytes into file)
  Flags:                             0x38000a
  Size of this header:               64 (bytes)
  Size of program header entries:    37 (bytes)
  Number of program headers entries: 34
  Size of section header entries:    6 (bytes)
  Number of section headers entries: 0 (48 in [0].sh_size)
  Section header string table index: 5

Section Headers:
[Nr] Name                 Type         Addr     Off    Size   ES Flags Lk Inf Al
[ 0] <corrupt>            <unknown>: 64 00000030 2000000 000030  3       33554432 62471  0
[ 1] <corrupt>            <unknown>: 112 00000070 2400000 000066 28       37748736  28  0
[ 2] <corrupt>            PROGBITS     00ffff01 000005 000000  0        0   0 4194304
[ 3] <corrupt>            <unknown>: 68 00000044 7000000 000000 16       2097152   1  6
[ 4] <corrupt>            PREINIT_ARRAY 00000010 e600000 000030  0       33554432  56 33614336
[ 5] <corrupt>            SYMTAB       00000028 e000000 000028 208 AX    241172480  40 241172480
[ 6] <corrupt>            <unknown>: 208 00000008 000000 000004 140       570425348 140 33554432
[ 7] <corrupt>            <unknown>: 140 00000020 000000 000020 80        0   4  0
[ 8] <corrupt>            <unknown>: 24 00000018 6400000 000018 52       104857600  52  0
[ 9] <corrupt>            RELA         00000051 e5746406 000000  0        0   0 4294967286
[10] <corrupt>            NULL         00000000 000000 000010 16        0  82 3849610244
[11] <corrupt>            PREINIT_ARRAY 00000010 e600000 0000f0  1       16777216 240 16777216
[12] <corrupt>            <unknown>: 128 43000000 000000 00faff 10 NT    2816   0  0
[13] <corrupt>            NULL         e1000008 000000 00002f 1970810232 WAXMSILNGT 1818845750 875523172 762079598
[14] <corrupt>            <unknown>: 875459439 00000010 f1ffff00 000000  0 X      0   0  0
[15] <corrupt>            NULL         06000000 20000000 000000  0       16908288 393237  0
[16] <corrupt>            SYMTAB_SHNDX 00000000 000000 000004 305787531       34799616 1310720 11772663
[17] <corrupt>            NULL         00000000 000000 000000  0       10027008 1179648  0
[18] <corrupt>            NULL         00120000 000000 000000 1179648        0   0 720896
[19] <corrupt>            NULL         00000000 2f0000 120000 4294770688        0   0  0
[20] <corrupt>            <unknown>: 1179648 00000000 000000 000000  0       8388608 1179648  0
[21] <corrupt>            NULL         00120000 000000 000000 1179648       -2147483648   0 2031616
[22] <corrupt>            NULL         0000007f 000012 000000 158        0   0  0
[23] <corrupt>            NULL         00000000 000000 000034  0       18   0  0
[24] <corrupt>            <unknown>: 76 00000000 000000 000000  0 AM     0  23 18
[25] <corrupt>            NULL         00000053 000012 000000 122        0   0  0
[26] <corrupt>            NULL         00000000 000000 000028  0       18   0  0
[27] <corrupt>            SYMTAB_SHNDX 00000000 000000 000000  0 AM     0 -50331558  0
[28] <corrupt>            <unknown>: -805158912 00000000 000000 000000  0       50332928 805519360  0
[29] <corrupt>            NULL         70034000 000000 000000 2013478912 GT     0   0 50333440
[30] <corrupt>            NULL         00000000 3000800 98034000 1701667696       111 1667331177 1869480045
[31] <corrupt>            SHT_LOOS+c6c6f63 61726700 73746465 72720067 1819243363 XMSI  1702129520 1952410735 1852244067
[32] <corrupt>            SHT_LOOS+e006670 66005f5f 6c696284 5f737461 6250343 XMSIGTO 1920229229 1634299392 1718773093
[33] <corrupt>            NULL         00000300 400d002 40000000 768        0   0  0
[34] <corrupt>            <unknown>: 1073741824 00000000 000000 000300  0       100691971 1073741824  0
[35] <corrupt>            <unknown>: 768 40000000 000000 000000 1073741824 WA     0 768 134256643
[36] <corrupt>            NULL         01000000 6000000 100e0000 269380608        0 269377536  0
[37] <corrupt>            <unknown>: 805502720 380200ea ffff00 002040 672006144       14811135 -65536 100663296
[38] <corrupt>            <unknown>: 672030720 280e6000 000000 d0000000 100663296        0 -132161536  0
[39] <corrupt>            NULL         c0206000 000000 5000000 3760218112       318767104   0  0
[40] <corrupt>            <unknown>: 83886080 00000000 000000 3000964  0       212992   0  0
[41] <corrupt>            <unknown>: 50334208 00000000 000000 000000  0 OE     0 50334464 536870912
[42] <corrupt>            NULL         000000ee 000000 000000  0       238   0 196634
[43] <corrupt>            <unknown>: 452984832 00000000 000000 000000  0       768 469762048  0
[44] <corrupt>            NULL         1d000000 000000 000000 503316480 NG     0   0 768
[45] <corrupt>            NULL         00000000 000300 1f000000  0        0   0  0
[46] <corrupt>            <unknown>: 536870912 00000000 000000 0400f1  0       -16777216   0  0
[47] <corrupt>            GROUP        00000000 000041 000001  0 SIGT  1441792 25600  0

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  ???

Invalid symbol table at offset 0xe5746406
===================================================
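Added illustration, not the upstream fix and not code from this report: the ASan trace above shows check_group reading a 4-byte Elf32_Word from a 1-byte SHT_GROUP payload handed back by elf_getdata (section [47] in the eu-readelf dump has size 1). The check below rejects a group payload that cannot hold even the flags word or whose size is not a multiple of the word size, then validates every member index against the section count; check_group_data, its status enum and the sample inputs are all constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative check, not upstream's patch.  An SHT_GROUP section holds an
 * array of Elf32_Word: word 0 is the flags word (GRP_COMDAT), words 1..n-1
 * are section header indices of the members.  The crash above was a 4-byte
 * read from a 1-byte d_buf, so the payload size is checked before any read. */

#define GRP_COMDAT 0x1
enum group_status {
    GROUP_OK = 0,
    GROUP_TOO_SHORT,       /* fewer than 4 bytes: not even a flags word */
    GROUP_SIZE_MISALIGNED, /* size is not a multiple of sizeof(Elf32_Word) */
    GROUP_BAD_MEMBER       /* member index is 0 or >= section count */
};

/* buf/size stand in for Elf_Data.d_buf/d_size after elf_getdata has converted
 * the words to host byte order; nsections is the section header count.
 * On success *nmembers (if non-NULL) receives the number of member entries. */
enum group_status check_group_data(const unsigned char *buf, size_t size,
                                   size_t nsections, size_t *nmembers)
{
    if (size < sizeof(uint32_t))
        return GROUP_TOO_SHORT;
    if (size % sizeof(uint32_t) != 0)
        return GROUP_SIZE_MISALIGNED;
    size_t nwords = size / sizeof(uint32_t);
    for (size_t i = 1; i < nwords; i++) {
        uint32_t idx;
        memcpy(&idx, buf + i * sizeof(uint32_t), sizeof idx); /* no alignment assumption */
        if (idx == 0 || idx >= nsections)
            return GROUP_BAD_MEMBER;
    }
    if (nmembers != NULL)
        *nmembers = nwords - 1;
    return GROUP_OK;
}

int main(void)
{
    /* Constructed inputs; "tiny" mirrors the reproducer's 1-byte region. */
    unsigned char tiny[1] = { 0x00 };
    uint32_t good[3] = { GRP_COMDAT, 2, 3 };
    uint32_t bad_idx[2] = { GRP_COMDAT, 99 };
    size_t n = 0;
    enum group_status st;
    printf("tiny:    status %d\n", check_group_data(tiny, sizeof tiny, 48, &n));
    st = check_group_data((const unsigned char *)good, sizeof good, 48, &n);
    printf("good:    status %d, %zu members\n", st, n);
    st = check_group_data((const unsigned char *)bad_idx, sizeof bad_idx, 48, &n);
    printf("bad_idx: status %d\n", st);
    return 0;
}
```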
Comment 10 João Moreira 2019-06-12 15:39:05 UTC
SLE15: Reproduced and fixed
SLE12: Reproduced and fixed (patch backported)
SLE11-SP2: Reproduced and fixed (patch backported)
SLE11-SP1: Reproduced and fixed (patch backported)
Comment 12 Swamp Workflow Management 2019-06-13 13:12:19 UTC
SUSE-SU-2019:1486-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    elfutils-0.168-4.5.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-06-20 01:14:02 UTC
openSUSE-SU-2019:1590-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
openSUSE Leap 15.1 (src):    elfutils-0.168-lp151.4.3.1
openSUSE Leap 15.0 (src):    elfutils-0.168-lp150.3.3.1
Comment 14 Swamp Workflow Management 2019-07-03 16:13:12 UTC
SUSE-SU-2019:1733-1: An update that fixes 15 vulnerabilities is now available.

Category: security (low)
Bug References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE CaaS Platform 3.0 (src):    elfutils-0.158-7.7.2
OpenStack Cloud Magnum Orchestration 7 (src):    elfutils-0.158-7.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Marcus Meissner 2020-01-08 09:50:03 UTC
-> reassign to current maintainer
Comment 16 Marcus Meissner 2020-07-31 06:54:20 UTC
is done
Comment 17 Swamp Workflow Management 2022-08-01 13:17:17 UTC
SUSE-SU-2022:2614-1: An update that fixes 19 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665
JIRA References: SLE-24501
Sources used:
openSUSE Leap 15.3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.2 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.1 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-09-01 15:34:09 UTC
SUSE-SU-2022:2614-2: An update that fixes 19 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665
JIRA References: SLE-24501
Sources used:
openSUSE Leap Micro 5.2 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.