Bug 1033088 - (CVE-2017-7611) VUL-1: CVE-2017-7611: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P4 - Low, Severity: Normal
Assigned To: Martin Liška
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/183201/
CVSSv2:NVD:CVE-2017-7611:4.3:(AV:N/AC...
Reported: 2017-04-09 19:04 UTC by Mikhail Kasimov
Modified: 2022-08-01 13:17 UTC (History)

Attachments
CVE-2017-7611_Reproducer (2.00 KB, application/x-object)
2017-04-09 19:04 UTC, Mikhail Kasimov
Description Mikhail Kasimov 2017-04-09 19:04:41 UTC
Created attachment 720366
CVE-2017-7611_Reproducer

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7611
===================================================
Description

The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.

Source: MITRE    Last Modified: 04/09/2017
===================================================

Hyperlink:

[1] https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c

[1]:
===================================================
elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c)
Posted on April 3, 2017 by ago

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==14342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x0000004267ec bp 0x7ffdf36a7ad0 sp 0x7ffdf36a7ac8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x4267eb in check_symtab_shndx /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961
    #1 0x4267eb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4114
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6260633288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f626028fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f626028fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f6260290662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f6260290776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x7f62602bc035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72
    #6 0x7f62602bc55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52
    #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911
    #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #11 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961 in check_symtab_shndx
==14342==ABORTING

Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00129.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00234-elfutils-heapoverflow-check_symtab_shndx

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

===================================================

(open-)SUSE:
https://software.opensuse.org/package/elfutils

0.168 (TW, official repo)
0.158 (42.{1,2}, official repo)


Test-case on 42.2 (version 0.158):
===================================================
k_mikhail@linux-mk500:~> eu-elflint -d 00234-elfutils-heapoverflow-check_symtab_shndx 
e_ident[13] is not zero
e_ident[14] is not zero
e_ident[15] is not zero
unknown machine type 0
unknown object file version
invalid machine flags: 0x38000a
invalid ELF header size: 64
invalid program header size: 37
invalid section header size: 6
only executables, shared objects, and core files can have program headers
cannot get program header entry 0: invalid data
cannot get program header entry 1: invalid data
cannot get program header entry 2: invalid data
cannot get program header entry 3: invalid data
cannot get program header entry 4: invalid data
cannot get program header entry 5: invalid data
cannot get program header entry 6: invalid data
cannot get program header entry 7: invalid data
cannot get program header entry 8: invalid data
cannot get program header entry 9: invalid data
cannot get program header entry 10: invalid data
cannot get program header entry 11: invalid data
cannot get program header entry 12: invalid data
cannot get program header entry 13: invalid data
cannot get program header entry 14: invalid data
cannot get program header entry 15: invalid data
cannot get program header entry 16: invalid data
cannot get program header entry 17: invalid data
cannot get program header entry 18: invalid data
cannot get program header entry 19: invalid data
cannot get program header entry 20: invalid data
cannot get program header entry 21: invalid data
cannot get program header entry 22: invalid data
cannot get program header entry 23: invalid data
cannot get program header entry 24: invalid data
cannot get program header entry 25: invalid data
cannot get program header entry 26: invalid data
cannot get program header entry 27: invalid data
cannot get program header entry 28: invalid data
cannot get program header entry 29: invalid data
cannot get program header entry 30: invalid data
cannot get program header entry 31: invalid data
cannot get program header entry 32: invalid data
cannot get program header entry 33: invalid data
zeroth section has nonzero name
zeroth section has nonzero type
zeroth section has nonzero flags
zeroth section has nonzero address
zeroth section has nonzero offset
zeroth section has nonzero entry size value
zeroth section has nonzero link value while ELF header does not signal overflow in shstrndx
zeroth section has nonzero link value while ELF header does not signal overflow in phnum
section [ 1]: invalid name
section [ 1] '<invalid>': size not multiple of entry size
cannot get section header
section [ 1] '<invalid>' has unsupported type 112
section [ 1] '<invalid>' contains unknown flag(s) 0x2000000
section [ 1] '<invalid>': invalid section reference in link value
section [ 2]: invalid name
cannot get section header
section [ 3]: invalid name
cannot get section header
section [ 3] '<invalid>' has unsupported type 68
section [ 3] '<invalid>' contains unknown flag(s) 0x7000000
section [ 3] '<invalid>': invalid section reference in link value
section [ 4]: invalid name
section [ 4] '<invalid>': size not multiple of entry size
cannot get section header
section [ 4] '<invalid>' has unsupported type -960051514
section [ 4] '<invalid>' contains invalid processor-specific flag(s) 0xc0000000
section [ 4] '<invalid>' contains unknown flag(s) 0x6c6c000
section [ 4] '<invalid>': invalid section reference in link value
section [ 4] '<invalid>': invalid section reference in info value
section [ 4] '<invalid>': section with SHF_GROUP flag set not part of a section group
section [ 4] '<invalid>' has unexpected type -960051514 for an executable section
section [ 5]: invalid name
section [ 5] '<invalid>': size not multiple of entry size
cannot get section header
section [ 5] '<invalid>' has unsupported type 33554432
section [ 5] '<invalid>': ELF header says this is the section header string table but type is not SHT_TYPE
section [ 6]: invalid name
section [ 6] '<invalid>': size not multiple of entry size
cannot get section header
section [ 6] '<invalid>' has unsupported type 509607936
section [ 6] '<invalid>': invalid section reference in link value
section [ 6] '<invalid>': invalid section reference in info value
section [ 7]: invalid name
section [ 7] '<invalid>': size not multiple of entry size
cannot get section header
section [ 7] '<invalid>': invalid section reference in link value
section [ 8]: invalid name
cannot get section header
section [ 8] '<invalid>' has unsupported type 289669120
section [ 8] '<invalid>': invalid section reference in link value
section [ 9]: invalid name
cannot get section header
section [ 9] '<invalid>' has unsupported type -445357050
section [ 9] '<invalid>': invalid section reference in link value
section [10]: invalid name
cannot get section header
section [10] '<invalid>' has unsupported type 4096
section [11]: invalid name
section [11] '<invalid>': size not multiple of entry size
cannot get section header
section [11] '<invalid>' has unsupported type 61441
section [11] '<invalid>' contains unknown flag(s) 0x8000000
section [12]: invalid name
section [12] '<invalid>': size not multiple of entry size
cannot get section header
section [12] '<invalid>': invalid section reference in link value
section [12] '<invalid>': nonzero sh_size for NULL section
section [12] '<invalid>': nonzero sh_link for NULL section
section [12] '<invalid>': nonzero sh_addralign for NULL section
section [12] '<invalid>': nonzero sh_entsize for NULL section
section [13]: invalid name
section [13] '<invalid>': size not multiple of entry size
cannot get section header
section [13] '<invalid>' has unsupported type 12140
section [13] '<invalid>' contains invalid processor-specific flag(s) 0x60000000
section [13] '<invalid>' contains unknown flag(s) 0x9623000
section [13] '<invalid>': invalid section reference in link value
section [13] '<invalid>': section with SHF_GROUP flag set not part of a section group
section [13] '<invalid>' has unexpected type 12140 for an executable section
section [14]: invalid name
cannot get section header
section [14] '<invalid>' has unsupported type 18254
section [14] '<invalid>' contains invalid processor-specific flag(s) 0x50000000
section [14] '<invalid>' contains unknown flag(s) 0x5000000
section [15]: invalid name
cannot get section header
section [15] '<invalid>': invalid section reference in link value
section [15] '<invalid>': relocatable files cannot have hash tables
section [16]: invalid name
cannot get section header
section [16] '<invalid>': nonzero sh_offset for NULL section
section [16] '<invalid>': nonzero sh_size for NULL section
section [17]: invalid name
cannot get section header
section [17] '<invalid>': extended section index section not for symbol table
cannot get data for symbol section
section [17] '<invalid>': entry size does not match Elf32_Word
section [17] '<invalid>': extended index table too small for symbol table
Ошибка сегментирования (core dumped)
===================================================
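The over-read reported above happens because elflint indexes the extended section index table (SHT_SYMTAB_SHNDX, one Elf32_Word per symbol) after diagnosing that the table is too small, so a 4-byte read runs off a 2-byte section buffer. The following is an added illustration, not elfutils code: a bounds-checked reader for such a table, with constructed inputs including a 2-byte table like the one ASan reports; `section_data`, `shndx_usable_entries` and `shndx_get` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Elf32_Word is the 4-byte entry type of an SHT_SYMTAB_SHNDX section (as in
 * <elf.h>); redefined here so the example builds without the ELF headers. */
typedef uint32_t Elf32_Word;

/* Stand-in for the two fields of libelf's Elf_Data that matter here. */
struct section_data {
    const unsigned char *d_buf;
    size_t d_size;
};

/* Number of extended-index entries the table can back for a symbol table of
 * `nsyms` symbols, or 0 when it cannot (the condition behind elflint's
 * "extended index table too small for symbol table" message). A caller that
 * gets 0 must stop instead of indexing the table. */
size_t shndx_usable_entries(const struct section_data *shndx, size_t nsyms)
{
    if (shndx->d_size % sizeof(Elf32_Word) != 0)
        return 0;                        /* entry size does not match Elf32_Word */
    size_t avail = shndx->d_size / sizeof(Elf32_Word);
    return avail < nsyms ? 0 : nsyms;
}

/* Bounds-checked read of entry `idx`: returns 0 and fills *out on success,
 * -1 when the 4-byte read would run past d_size (the over-read ASan reported). */
int shndx_get(const struct section_data *shndx, size_t idx, Elf32_Word *out)
{
    if (idx >= shndx->d_size / sizeof(Elf32_Word))
        return -1;
    memcpy(out, shndx->d_buf + idx * sizeof(Elf32_Word), sizeof *out);
    return 0;
}

/* Constructed inputs (not bytes from the reproducer): a 2-byte table like the
 * one in the ASan report, and a well-formed table holding two entries. */
static const unsigned char crash_bytes[2] = { 0x00, 0x00 };
const struct section_data crash_shndx = { crash_bytes, sizeof crash_bytes };
static const Elf32_Word good_words[2] = { 5, 7 };
const struct section_data good_shndx = { (const unsigned char *)good_words,
                                         sizeof good_words };

int main(void)
{
    Elf32_Word v = 0;
    printf("2-byte table, 1 symbol: usable=%zu get(0)=%d\n",
           shndx_usable_entries(&crash_shndx, 1), shndx_get(&crash_shndx, 0, &v));
    printf("8-byte table, 2 symbols: usable=%zu entry1=%u\n",
           shndx_usable_entries(&good_shndx, 2),
           shndx_get(&good_shndx, 1, &v) == 0 ? v : 0u);
    return 0;
}
```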
Comment 10 João Moreira 2019-06-12 15:40:42 UTC
SLE15: Reproduced and fixed
SLE12: Reproduced and fixed
SLE11-SP2: Not reproduced, upstream patch applied
SLE11-SP1: Reproduced and fixed (patch backported)
Comment 12 Swamp Workflow Management 2019-06-13 13:12:27 UTC
SUSE-SU-2019:1486-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    elfutils-0.168-4.5.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-06-20 01:14:11 UTC
openSUSE-SU-2019:1590-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
openSUSE Leap 15.1 (src):    elfutils-0.168-lp151.4.3.1
openSUSE Leap 15.0 (src):    elfutils-0.168-lp150.3.3.1
Comment 14 Swamp Workflow Management 2019-07-03 16:13:20 UTC
SUSE-SU-2019:1733-1: An update that fixes 15 vulnerabilities is now available.

Category: security (low)
Bug References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE CaaS Platform 3.0 (src):    elfutils-0.158-7.7.2
OpenStack Cloud Magnum Orchestration 7 (src):    elfutils-0.158-7.7.2

Comment 15 Marcus Meissner 2020-01-08 09:49:56 UTC
-> reassign to current maintainer
Comment 16 Marcus Meissner 2020-07-31 06:55:21 UTC
is done
Comment 17 Swamp Workflow Management 2022-08-01 13:17:22 UTC
SUSE-SU-2022:2614-1: An update that fixes 19 vulnerabilities and contains one feature is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665
JIRA References: SLE-24501
Sources used:
openSUSE Leap 15.3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.2 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.1 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
