


id: DW201605-011
cve:
datereported: 20160506
reportedby: Yue Liu
vulnerability: OOB read bug in _dwarf_read_line_table_header
product: libdwarf
description: Test object shows
 null dereverence at line 62
 of dwarf_line_table_reader.c.
 Frame code and linetable code was not noticing data corruption.
datefixed: 20160507
references: liu/OOB_read4.elf
gitfixid: b3c1706d48e02fa01be47da3d7a406023e8e63f7
tarrelease: 20160507
endrec:


id: DW201605-010
cve:
datereported: 20160506
reportedby: Yue Liu
vulnerability: OOB read bug in dump_block
product: libdwarf
description: Test object shows
 null dereverence at line 186
 of dump_block() in print_sections.c
 Frame code was not noticing frame data corruption.
datefixed: 20160507
references: liu/OOB_read3.elf
gitfixid: b3c1706d48e02fa01be47da3d7a406023e8e63f7
tarrelease: 20160507
endrec:

id: DW201605-009
cve:
datereported: 20160505
reportedby: Yue Liu
vulnerability: NULL dereference in _dwarf_load_section
product: libdwarf
description: Test object shows
 null dereverence at line 1010
 if(!strncmp("ZLIB",(const char *)src,4)) {
 in dwarf_init_finish.c
 The zlib code was not checking for
 a corrupted length-value.
datefixed: 20160506
references: liu/NULLderefer0505_01.elf
gitfixid: b6ec2dfd850929821626ea63fb0a752076a3c08a
tarrelease: 20160507
endrec:

id: DW201605-008
cve:
datereported: 20160505
reportedby: Yue Liu
vulnerability: OOB read in dwarf_get_macro_startend_file()
product: libdwarf
description: Test object shows
 out of bound read.
 OOB at:
 line 772  *src_file_name = macro_context->mc_srcfiles[trueindex];
 in dwarf_macro5.c
 A string offset into .debug_str is outside the bounds
 of the .debug_str section.
datefixed: 20150506
references: liu/OOB0505_02.elf
gitfixid: b6ec2dfd850929821626ea63fb0a752076a3c08a
tarrelease: 20160507
endrec:

id: DW201605-007
cve:
datereported: 20160505
reportedby: Yue Liu
vulnerability: OOB read bug in get_attr_value()
product: libdwarf
description: Test object shows
 out of bound read.
 Object had data all-bits-on so
 the existing length check did not work
 due to wraparound. Added a check
 not susceptible to that error (DW_DLE_FORM_BLOCK_LENGTH_ERROR).
datefixed: 20160506
references: liu/OOB0505_01.elf
gitfixid: eb1472afac95031d0c9dd8c11d527b865fe7deb8
gittag: 20160507
tarrelease: 20160507
endrec:

id: DW201605-006
cve:
datereported: 20160505
reportedby: Yue Liu
vulnerability: Two Heap-Overflow bug
product: libdwarf
description: Two test objects showing
 a heap overflow in libdwarf when
 using dwarfdump.
 It seems that these were fixed
 by the previous git update.
 Neither gdb nor valgrind find any errors
 when building with yesterday's commit.
datefixed: 20160504
references: liu/free_invalid_address.elf
 liu/heapoverflow01b.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-001
publicid:
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a duplicate free() in libdwarf and
 the calling application will crash. 
product:  libdwarf
description:
 In file dwarf_elf_access.c:1071
 WRITE_UNALIGNED(dbg,target_section + offset,
     &outval,sizeof(outval),reloc_size);
 A crafted ELF file may lead to a large offset value, which
 bigger than the size of target_section heap chunk, then this
 WRITE_UNALIGNED() function will write the value of &outval
 out of the heap chunk.
 offset is a 64bit unsigned int value, so this is more than
 a heap overflow bug, but also a Out-of-Bound write bug.
 So WRITE_UNALIGNED() need more strictly checking to prevent
 this.
datefixed: 20160504
references:
testcase:
 regressiontests/liu/heapoverflow01.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
gittag: 20160507
tarrelease: 20160507
endrec:



id: DW201605-002
publicid:
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a read outside the bounds of in memory
 data so the calling application can crash.
product:  libdwarf
description:

 Out of bound read bug in libdwarf git code.

 dwarf_dealloc() did not check the Dwarf_Ptr space argument
 before using it. This will lead to a out-of-bound read bug.

 backtrace:
 #0  dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0,
 alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477
 #1  0x00002aaaaacf3296 in dealloc_srcfiles
 (dbg=0x655f30, srcfiles=0x66b8f0, srcfiles_count=17) at
 dwarf_macro5.c:1025 #2  0x00002aaaaacf50e6 in dealloc_srcfiles
 (srcfiles_count=<optimized out>, srcfiles=<optimized out>,
 dbg=<optimized out>) at dwarf_macro5.c:1021 -----

 gef> p &r->rd_dbg
 $14 = (void **) 0x90

datefixed: 20160504
references:
testcase:
 regressiontests/liu/outofbound01.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-003
publicid:
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in an infinite loop that eventually
 crashes the application.
product:  libdwarf
description:
 In dwarf_get_aranges_list()
 an invalid count will iterate, reading from memory
 addresses that increase till it all fails.

datefixed: 20160504
references:
testcase:
 regressiontests/liu/infiniteloop.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-004
publicid:
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a null dereference reading debugging
 information entries  which
 crashes the application.
product:  libdwarf
description:
 If no DW_AT_name is present in a debugging
 information entry  using DWARF5 macros
 a null dereference in dwarf_macro5.c will
 crash the application.
 
datefixed: 20160504
references:
testcase:
 regressiontests/liu/null01.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-005
publicid:
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in  reading a compilation unit header
 that crashes the application.
product:  libdwarf
description:
 If the data read for a compilation unit header
 contains a too large length value the library
 will read outside of its bounds and crash the application.
datefixed: 20160504
references:
testcase:
 regressiontests/liu/null02.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:




