davea42 / libdwarf-code

Contains source for libdwarf, a library for reading DWARF2 and later DWARF. Contains source to create dwarfdump, a program which prints DWARF2 and later DWARF in readable format. Has a very limited DWARF writer set of functions in libdwarfp (producer library). Builds using GNU configure, meson, or cmake.

heap uaf in dw_empty_errlist_item in src/lib/libdwarf/dwarf_alloc.c:200 #238

Closed Arbusz closed 7 months ago

Arbusz commented 7 months ago

Hi, we found one crash in dwarfdump(libdwarf 0.9.1), which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC file along with the asan log.

Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Command and args:

./dwarfdump --format-limit=10 --print-eh-frame --print-frame --print-info -v poc

asan log:

==34292==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000430 at pc 0x559502b0fd98 bp 0x7ffe14b50800 sp 0x7ffe14b507f0
READ of size 4 at 0x604000000430 thread T0
    #0 0x559502b0fd97 in dw_empty_errlist_item /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:200
    #1 0x559502b10006 in _dwarf_free_static_errlist /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:252
    #2 0x559502b11563 in _dwarf_free_all_of_one_debug /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:1144
    #3 0x559502b8675c in dwarf_object_finish /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_init_finish.c:1139
    #4 0x559502b7336f in dwarf_finish /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_generic_init.c:550
    #5 0x559502a7d53e in process_one_file /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:1622
    #6 0x559502a778a5 in main /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:605
    #7 0x7f655f17f082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x559502a62a6d in _start (/root/programs_rq5/libdwarf-0.9.1/build_asan/bin/dwarfdump+0x69a6d)

0x604000000430 is located 32 bytes inside of 40-byte region [0x604000000410,0x604000000438)
freed by thread T0 here:
    #0 0x7f655f47640f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x559502b10be5 in dwarf_dealloc /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:983
    #2 0x559502b106a8 in dwarf_dealloc_error /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:725
    #3 0x559502ac1754 in _dwarf_print_one_expr_op /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_die.c:6352
    #4 0x559502abf36c in dwarfdump_print_expression_operations /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_die.c:5923
    #5 0x559502ae3d9c in print_expression_operations /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:1803
    #6 0x559502ae62a7 in print_one_frame_reg_col /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2242
    #7 0x559502ae10be in print_one_fde /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:1340
    #8 0x559502ae6c13 in print_all_fdes /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2359
    #9 0x559502ae7c42 in print_frames /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2580
    #10 0x559502a7bc5e in process_one_file /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:1401
    #11 0x559502a778a5 in main /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:605
    #12 0x7f655f17f082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f655f476808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x559502b11873 in _dwarf_special_no_dbg_error_malloc /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:1185
    #2 0x559502b3a5a1 in _dwarf_error_string /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_error.c:138
    #3 0x559502b3a4ad in _dwarf_error /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_error.c:111
    #4 0x559502c0e075 in dwarf_cu_header_basics /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_query.c:2066
    #5 0x559502ac006a in print_expression_inner_block /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_die.c:6084
    #6 0x559502ac16e5 in _dwarf_print_one_expr_op /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_die.c:6347
    #7 0x559502abf36c in dwarfdump_print_expression_operations /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_die.c:5923
    #8 0x559502ae3d9c in print_expression_operations /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:1803
    #9 0x559502ae62a7 in print_one_frame_reg_col /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2242
    #10 0x559502ae10be in print_one_fde /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:1340
    #11 0x559502ae6c13 in print_all_fdes /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2359
    #12 0x559502ae7c42 in print_frames /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/print_frames.c:2580
    #13 0x559502a7bc5e in process_one_file /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:1401
    #14 0x559502a778a5 in main /root/programs_rq5/libdwarf-0.9.1/src/bin/dwarfdump/dwarfdump.c:605
    #15 0x7f655f17f082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /root/programs_rq5/libdwarf-0.9.1/src/lib/libdwarf/dwarf_alloc.c:200 in dw_empty_errlist_item

libdwarf_poc.zip

davea42 commented 7 months ago

this libdwarf bug was fixed February 17, 2024 and the fix is in the next release, 0.9.2, which is to be released April 2 (or maybe April 3).

I reproduced the problem using libdwarf 0.9.1 and verified that with the current source the bug is fixed.

In current libdwarf on github you can see the fix with

git diff 0cae09da0aac83b2563fc3a4e140952cc398012a 404e6b1b14f60c81388d50b4239f81d461b3c3ad

Closing this as it is already fixed. I have added your nice test case to regressiontests. Thank you.

Arbusz commented 7 months ago

Thank you for your swift response to our inquiries.

Credit: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.
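The ASan trace above shows the shape of the defect: an error record is allocated into the library's static "no dbg" error list, the caller releases it through dwarf_dealloc_error, and the list is later walked at finish time and reads the freed record. The following C model is an added illustration written for this page; it is not libdwarf's code and not its actual fix, and the struct, function and list names are constructed. It places the buggy dealloc beside a hardened one that unlinks the record from the tracking list before freeing it, so the finish-time walk can never touch freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not libdwarf's code): an error record that is
   tracked in a static list when no owning debug context exists. */
struct err_item {
    struct err_item *next;
    char msg[32];
};

static struct err_item *static_errlist = NULL;

/* Allocate an error record and link it into the static list, mirroring
   the "special no dbg" allocation path seen in the ASan trace. */
struct err_item *err_alloc_static(const char *msg) {
    struct err_item *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    strncpy(e->msg, msg, sizeof e->msg - 1);
    e->next = static_errlist;
    static_errlist = e;
    return e;
}

/* Buggy shape: frees the record but leaves the stale pointer in the
   list, so a later walk of static_errlist reads freed memory. */
void err_dealloc_buggy(struct err_item *e) { free(e); }

/* Hardened shape: unlink before freeing. Returns 1 if the record was
   tracked and freed, 0 if it was not ours (caller keeps ownership). */
int err_dealloc_safe(struct err_item *e) {
    struct err_item **pp = &static_errlist;
    for (; *pp; pp = &(*pp)->next) {
        if (*pp == e) {
            *pp = e->next;
            free(e);
            return 1;
        }
    }
    return 0;
}

/* Finish-time cleanup: free every record still tracked and return how
   many were released. With the safe dealloc this never double-frees. */
int err_free_static_list(void) {
    int n = 0;
    while (static_errlist) {
        struct err_item *e = static_errlist;
        static_errlist = e->next;
        free(e);
        n++;
    }
    return n;
}
```

Running the same sequence with err_dealloc_buggy under AddressSanitizer reproduces a heap-use-after-free in the cleanup walk, which is the class of bug the report above describes.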