Bug 1038877 - (CVE-2017-9041) VUL-1: CVE-2017-9041: binutils: readelf-heapoverflow2-byte_get_little_endian
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Michael Matz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/185115/
Whiteboard: CVSSv2:SUSE:CVE-2017-9040:2.6:(AV:N/A...
Reported: 2017-05-12 13:28 UTC by Mikhail Kasimov
Modified: 2020-10-19 16:15 UTC (History)
Attachments
binutils-readelf-heapoverflow2-byte_get_little_endian_reproducer (10.12 KB, application/x-executable)
2017-05-12 13:28 UTC, Mikhail Kasimov
Description Mikhail Kasimov 2017-05-12 13:28:24 UTC
Created attachment 724892
binutils-readelf-heapoverflow2-byte_get_little_endian_reproducer

Ref: https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/
=======================================================================
# readelf -a $FILE
==20287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x00000064c061 bp 0x7ffcc34b2580 sp 0x7ffcc34b2578
READ of size 1 at 0x602000000039 thread T0
    #0 0x64c060 in byte_get_little_endian /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22
    #1 0x5d31c5 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8
    #2 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #3 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #4 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #5 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #6 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41a158 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x41a158)

0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)
allocated by thread T0 here:
    #0 0x4d9828 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x518af2 in get_data /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9
    #2 0x5d2ee2 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32
    #3 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #4 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #5 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #6 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #7 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian

Affected version:
2.28
Fixed version:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverflow2-byte_get_little_endian

Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
=======================================================================


(open-)SUSE: https://software.opensuse.org/package/binutils

2.28 (TW, official repo)
2.26.1 (42.{1,2}, official repo)
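To make the fault pattern in the trace above concrete, here is an added C example; it is not part of the bug report, the attached reproducer, or binutils' own code. It assumes, from the 9-byte allocation at readelf.c:15169 and the 1-byte read at offset 9 inside byte_get_little_endian, that the loop in process_mips_specific walks 8-byte MIPS option headers (kind, size, section, info) bounded only by "offset < section size", so a 9-byte section yields one complete entry plus a 1-byte tail whose size field would sit at offset 9, just past the allocation. The names byte_get_le, section_t, vuln_first_oob and hardened_parse are hypothetical, the byte_get_le wrapper records an out-of-bounds read instead of performing it (standing in for AddressSanitizer), and the input bytes are constructed rather than taken from the reproducer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-disk size of one MIPS options entry header (Elf_External_Options in
   binutils' include/elf/mips.h): kind[1] size[1] section[2] info[4]. */
#define OPT_HDR_SIZE 8

/* A section image plus the first out-of-bounds offset a read attempted
   against it (-1 if none). The record stands in for AddressSanitizer. */
typedef struct {
    const unsigned char *data;
    size_t size;
    long first_oob;
} section_t;

/* Bounds-tracking stand-in for byte_get_little_endian (hypothetical): a read
   that would run past the section is logged and yields 0 instead of
   touching memory. */
static uint64_t byte_get_le(section_t *sec, size_t off, size_t n)
{
    if (n > sec->size || off > sec->size - n) {
        if (sec->first_oob < 0)
            sec->first_oob = (long) off;
        return 0;
    }
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t) sec->data[off + i] << (8 * i);
    return v;
}

/* Assumed vulnerable pattern, modelled on the trace: the loop only checks
   offset < size before decoding a header, so a trailing fragment shorter
   than OPT_HDR_SIZE is decoded as if it were complete. Returns the offset
   of the first out-of-bounds read, or -1 if every read stayed in bounds. */
long vuln_first_oob(const unsigned char *buf, size_t len)
{
    section_t sec = { buf, len, -1 };
    size_t offset = 0;

    while (offset < sec.size) {
        uint64_t kind    = byte_get_le(&sec, offset + 0, 1);
        uint64_t size    = byte_get_le(&sec, offset + 1, 1);
        uint64_t section = byte_get_le(&sec, offset + 2, 2);
        uint64_t info    = byte_get_le(&sec, offset + 4, 4);
        (void) kind; (void) section; (void) info;

        /* Stop once the stand-in has caught an overflow (real code would
           already have read past the allocation) and guard size == 0 so the
           demonstration terminates; neither line is the missing check. */
        if (sec.first_oob >= 0 || size == 0)
            break;
        offset += (size_t) size;
    }
    return sec.first_oob;
}

/* Hardened loop: reject a header that does not fit in the remaining bytes,
   an entry shorter than its own header, or an entry that extends past the
   section. Returns the entry count, or a negative error code. */
enum { OPT_ERR_TRUNCATED_HDR = -1, OPT_ERR_BAD_SIZE = -2 };

int hardened_parse(const unsigned char *buf, size_t len)
{
    section_t sec = { buf, len, -1 };
    size_t offset = 0;
    int cnt = 0;

    while (offset < sec.size) {
        if (sec.size - offset < OPT_HDR_SIZE)
            return OPT_ERR_TRUNCATED_HDR;
        uint64_t size = byte_get_le(&sec, offset + 1, 1);
        if (size < OPT_HDR_SIZE || size > sec.size - offset)
            return OPT_ERR_BAD_SIZE;
        offset += (size_t) size;
        cnt++;
    }
    return cnt;
}

/* Constructed inputs (not the attached reproducer): one 8-byte entry plus a
   single stray byte gives a 9-byte section like the one ASAN reported; two
   8-byte entries form a well-formed section. */
const unsigned char BAD_OPTIONS[9]   = { 1, 8, 0, 0, 0, 0, 0, 0, 0x41 };
const unsigned char GOOD_OPTIONS[16] = { 1, 8, 0, 0, 0, 0, 0, 0,
                                         1, 8, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("vulnerable loop, 9-byte section: first OOB read at offset %ld\n",
           vuln_first_oob(BAD_OPTIONS, sizeof BAD_OPTIONS));
    printf("hardened loop, 9-byte section: rc=%d\n",
           hardened_parse(BAD_OPTIONS, sizeof BAD_OPTIONS));
    printf("hardened loop, 16-byte section: entries=%d\n",
           hardened_parse(GOOD_OPTIONS, sizeof GOOD_OPTIONS));
    return 0;
}
```

With the 9-byte input the vulnerable loop decodes the kind byte at offset 8 in bounds and then asks for the size byte at offset 9, the same 1-byte read 0 bytes past a 9-byte region that the sanitizer output above shows; the hardened loop refuses the partial header before any read happens. Checking both "a full header fits" and "size >= header size" matters: the first stops this overflow, the second stops a zero or tiny size from re-reading the same header forever.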
Comment 1 Swamp Workflow Management 2017-12-01 02:13:09 UTC
SUSE-SU-2017:3170-1: An update that solves 57 vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239
CVE References: CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    binutils-2.29.1-9.20.2, cross-ppc-binutils-2.29.1-9.20.2, cross-spu-binutils-2.29.1-9.20.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    binutils-2.29.1-9.20.2, cross-ppc-binutils-2.29.1-9.20.2, cross-spu-binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server 12-SP3 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server 12-SP2 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    binutils-2.29.1-9.20.2
OpenStack Cloud Magnum Orchestration 7 (src):    binutils-2.29.1-9.20.2
Comment 2 Swamp Workflow Management 2017-12-02 20:11:11 UTC
openSUSE-SU-2017:3199-1: An update that solves 57 vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239
CVE References: CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Sources used:
openSUSE Leap 42.3 (src):    binutils-2.29.1-13.1, cross-aarch64-binutils-2.29.1-13.1, cross-arm-binutils-2.29.1-13.1, cross-avr-binutils-2.29.1-13.1, cross-hppa-binutils-2.29.1-13.1, cross-hppa64-binutils-2.29.1-13.1, cross-i386-binutils-2.29.1-13.1, cross-ia64-binutils-2.29.1-13.1, cross-m68k-binutils-2.29.1-13.1, cross-mips-binutils-2.29.1-13.1, cross-ppc-binutils-2.29.1-13.1, cross-ppc64-binutils-2.29.1-13.1, cross-ppc64le-binutils-2.29.1-13.1, cross-s390-binutils-2.29.1-13.1, cross-s390x-binutils-2.29.1-13.1, cross-sparc-binutils-2.29.1-13.1, cross-sparc64-binutils-2.29.1-13.1, cross-spu-binutils-2.29.1-13.1, cross-x86_64-binutils-2.29.1-13.1
openSUSE Leap 42.2 (src):    binutils-2.29.1-9.6.1, cross-aarch64-binutils-2.29.1-9.6.1, cross-arm-binutils-2.29.1-9.6.1, cross-avr-binutils-2.29.1-9.6.1, cross-hppa-binutils-2.29.1-9.6.1, cross-hppa64-binutils-2.29.1-9.6.1, cross-i386-binutils-2.29.1-9.6.1, cross-ia64-binutils-2.29.1-9.6.1, cross-m68k-binutils-2.29.1-9.6.1, cross-mips-binutils-2.29.1-9.6.1, cross-ppc-binutils-2.29.1-9.6.1, cross-ppc64-binutils-2.29.1-9.6.1, cross-ppc64le-binutils-2.29.1-9.6.1, cross-s390-binutils-2.29.1-9.6.1, cross-s390x-binutils-2.29.1-9.6.1, cross-sparc-binutils-2.29.1-9.6.1, cross-sparc64-binutils-2.29.1-9.6.1, cross-spu-binutils-2.29.1-9.6.1, cross-x86_64-binutils-2.29.1-9.6.1