oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

pax-utils: dumpelf: multiple divide-by-zero in dumpelf.c

From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 04 Feb 2017 13:20:17 +0100
Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on dumpelf shows multiple divide-by-zero . They was reported to vapier 
which fixed the issues immediately.
Unfortunately I can’t get the ASan stacktrace, so I will show only the 
useful(not at all) part of the crash.

# dumpelf $FILE
 FPE on unknown address 0x00000051ca65 (pc 0x00000051ca65 bp 0x7ffc31bb6f80 sp 
0x7ffc31bb6e40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00137-pax-utils-dumpelf-fpe1

# dumpelf $FILE
  FPE on unknown address 0x00000051d335 (pc 0x00000051d335 bp 0x7ffc17babf80 
sp 0x7ffc17babe40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00138-pax-utils-dumpelf-fpe2

# dumpelf $FILE
  FPE on unknown address 0x00000051db76 (pc 0x00000051db76 bp 0x7ffdf90fff80 
sp 0x7ffdf90ffe40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00139-pax-utils-dumpelf-fpe3

Affected version:
1.2.2

Fixed version:
N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/4609f57a690b4a5670baeb93167dab5300d07d4e

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-multiple-divide-by-zero-in-dumpelf-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
Previous By Date Next
Previous By Thread Next

Current thread: