Bug 1011137 - (CVE-2016-9558) VUL-1: CVE-2016-9558: libdwarf: negation overflow in dwarf_leb.c
Status: RESOLVED UPSTREAM
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.1
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Michael Matz
QA Contact: E-mail List
Whiteboard: CVSSv2:RedHat:CVE-2016-9558:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2016-11-19 18:26 UTC by Mikhail Kasimov
Modified: 2019-08-28 22:43 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2016-11-19 18:26:01 UTC
Reference: http://seclists.org/oss-sec/2016/q4/471
===================================================
Description:
libdwarf is a library to consume and produce DWARF debug information.

A fuzz with the Undefined Behavior Sanitizer shows a negation that cannot be represented as long long.

The complete UBSan output:

# dwarfdump $FILE
dwarf_leb.c:306:19: runtime error: negation of -9223372036854775808 cannot be represented in type 'Dwarf_Signed' (aka 'long long'); cast to an unsigned type to negate this value to itself

Affected version:
20161021

Fixed version:
N/A

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00050-libdwarf-negate-itself

Timeline:
2016-11-11: bug discovered and reported to upstream
2016-11-11: upstream released a patch
2016-11-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
===================================================

By the way, https://software.opensuse.org/package/libdwarf :

libdwarf is in the official repo for 42.1 and TW but not for 42.2. What's the logic here?
Comment 1 Swamp Workflow Management 2016-11-19 23:00:07 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2016-11-23 10:22:13 UTC
It's a good question why libdwarf didn't show up at software.opensuse.org, because it's also part of 42.2.

http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/x86_64/

I'll check if this is currently a general problem.
Comment 3 Mikhail Kasimov 2016-11-23 10:26:40 UTC
(In reply to Alexander Bergmann from comment #2)
> It's a good question why libdwarf didn't show up at software.opensuse.org,
> because it's also part of 42.2.
> 
> http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/x86_64/
> 
> I'll check if this is currently a general problem.

General: boo#1011485
Comment 4 Michael Matz 2016-11-23 15:07:40 UTC
Blaeh, usual nonsense fuzzing find.  With ubsan even!  Why this got a CVE
is beyond me.  The undefined behaviour that ubsan found is indeed undefined
in C, but GCC and all other compilers implement the negation of INT_MIN sensibly
(to INT_MIN), simply because all CPUs (we're targeting) do.  So in fact while
the source code contained use of an undefined construct (and hence it's sort of
nice to fix if ever a low QoI compiler comes) it doesn't lead to any problem at
runtime.

Making problems that can _only_ be shown with ubsan CVEs is totally bollocks,
as they are always only source code problems that don't manifest in the produced
code (if they did, there would be other ways to show them besides ubsan).
In this case the libdwarf library does the right thing already.  No need to fix
anything.
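As an added illustration, not libdwarf's code and not part of the report or the comments above: a signed LEB128 decoder whose sign-extension step is written in unsigned arithmetic, next to the cast-to-unsigned negation the UBSan message recommends. It assumes the flagged negation comes from sign-extending a 9-byte SLEB128 value, where the shift reaches 63; the Dwarf_Signed/Dwarf_Unsigned typedefs and the sample encodings are constructed here.

```c
#include <stddef.h>
#include <limits.h>

/* Constructed example, not libdwarf's code; Dwarf_Signed is 'long long'
 * as in the UBSan message. */
typedef long long Dwarf_Signed;
typedef unsigned long long Dwarf_Unsigned;
/* What the UBSan message suggests: -LLONG_MIN is undefined for long long,
 * but unsigned negation wraps, so the minimum negates to itself safely. */
static Dwarf_Signed negate_via_unsigned(Dwarf_Signed v)
{
    return (Dwarf_Signed)((Dwarf_Unsigned)0 - (Dwarf_Unsigned)v);
}

/* Decode one signed LEB128 (DWARF SLEB128) value; returns bytes consumed,
 * or 0 on truncated/overlong input. A 9-byte encoding reaches shift 63,
 * where a signed mask -((Dwarf_Signed)1 << shift) would be exactly the
 * negation of -9223372036854775808 UBSan reports, so the sign-extension
 * mask is built in unsigned arithmetic instead (assumed cause, see above). */
static size_t decode_sleb128(const unsigned char *buf, size_t len,
                             Dwarf_Signed *out)
{
    Dwarf_Unsigned result = 0;
    unsigned shift = 0;
    size_t i = 0;
    unsigned char byte;
    do {
        if (i >= len || shift >= 64)
            return 0;
        byte = buf[i++];
        result |= (Dwarf_Unsigned)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40))      /* sign bit of last byte set */
        result |= (Dwarf_Unsigned)0 - ((Dwarf_Unsigned)1 << shift);
    *out = (Dwarf_Signed)result;
    return i;
}
/* True when decoding consumes all of buf and yields expect. */
static int decode_ok(const unsigned char *buf, size_t len, Dwarf_Signed expect)
{
    Dwarf_Signed v = 0;
    return decode_sleb128(buf, len, &v) == len && v == expect;
}

/* Constructed sample encodings: -2^62 (9 bytes, the shift-63 case),
 * LLONG_MIN (10 bytes, no extension needed) and a truncated value. */
static const unsigned char ENC_M2P62[] = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x40 };
static const unsigned char ENC_MIN[] = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x7f };
static const unsigned char ENC_TRUNC[] = { 0x80 };
```

Compiling this with `-fsanitize=undefined` and decoding ENC_M2P62 produces no report, which is the behaviour the sanitizer's hint is asking for.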