
id: DW201605-019
cve: CVE-2016-5028
datereported: 20160523
reportedby: Yue Liu
vulnerability: Null derefernce in print_frame_inst_bytes (dwarfdump)
product: libdwarf
description: The null dereference is due to a corrupted
 object file. Libdwarf was not dealing with empty (bss-like)
 sections since it really did not expect to see such in
 sections it reads!  Now libdwarf catches the object error
 so dwarfdump sees the section as empty (as indeed it is!).
datefixed: 20160523
references: dwarftests/liu/NULLdeference0522c.elf
gitfixid: a55b958926cc67f89a512ed30bb5a22b0adb10f4
endrec:


id: DW201605-018
cve: CVE-2016-5029
datereported: 20160522
reportedby: Yue Liu
vulnerability: Null dereference in create_fullest_file_path().
product: libdwarf
description: The null dereference in create_fullest_file_path()
 causes a crash. This is due to corrupted dwarf and the fix
 detects this corruption and if that null string pointer
 happens undetected a static string is substituted so
 readers can notice the situation.
 <pre>
  202             }
 203             if (dirno > 0 && fe->fi_dir_index > 0) {
 204                 inc_dir_name = (char *) 
                         line_context->lc_include_directories[
 205                     fe->fi_dir_index - 1];
 206                 incdirnamelen = strlen(inc_dir_name);  <- $pc
 207             }
 208             full_name = (char *) _dwarf_get_alloc(dbg, 

 #0  create_fullest_file_path (dbg=<optimized out>,
 fe=0x68d510, line_context=0x68c4f0, name_ptr_out=<optimized
 out>, error=0x7fffffffe2b8) at ./dwarf_line.c:206

 #1  0x00007ffff7b6d3f9 in dwarf_filename (context=<optimized
 out>, fileno_in=<optimized out>, ret_filename=0x7fffffffe280,
 error=0x7fffffffe2b8) at ./dwarf_line.c:1418

 #2  dwarf_linesrc (line=<optimized out>,
 ret_linesrc=<optimized out>, error=<optimized out>) at
 ./dwarf_line.c:1436
 </pre>
datefixed: 20160522
references: dwarftests/liu/NULLdereference0522.elf
gitfixid: acae971371daa23a19358bc62204007d258fbc5e
endrec:




id: DW201605-017
cve: CVE-2016-5030
datereported: 20160519
reportedby: Yue Liu
vulnerability: Null dereference bug in  _dwarf_calculate_info_section_end_ptr().
product: libdwarf
description: 
 NULL dereference bug in _dwarf_calculate_info_section_end_ptr().
 <pre>
 1742         Dwarf_Off off2 = 0;
 1743         Dwarf_Small *dataptr = 0;
 1744     
 1745         dbg = context->cc_dbg;
 1746         dataptr = context->cc_is_info? dbg->de_debug_info.dss_data:                 <- $pc
 1747             dbg->de_debug_types.dss_data;
 1748         off2 = context->cc_debug_offset;
 1749         info_start = dataptr + off2;
 1750         info_end = info_start + context->cc_length +
 
 #0  _dwarf_calculate_info_section_end_ptr
 (context=context@entry=0x0) at dwarf_query.c:1746
 
 #1  0x00002aaaaace307d in
 _dwarf_extract_string_offset_via_str_offsets
 (dbg=dbg@entry=0x655a70, info_data_ptr=0x6629f0
 "", attrnum=attrnum@entry=121,
 attrform=attrform@entry=26, cu_context=0x0,
 str_sect_offset_out=str_sect_offset_out@entry=0x7fffffffd718,
 error=error@entry=0x7fffffffd878) at dwarf_form.c:1099
 
 #2  0x00002aaaaacf4ed7 in dwarf_get_macro_defundef
 (macro_context=macro_context@entry=0x65b790,
 op_number=op_number@entry=1,
 line_number=line_number@entry=0x7fffffffd858,
 index=index@entry=0x7fffffffd860,
 offset=offset@entry=0x7fffffffd868,
 forms_count=forms_count@entry=0x7fffffffd7ce,
 macro_string=macro_string@entry=0x7fffffffd870,
 error=error@entry=0x7fffffffd878) at dwarf_macro5.c:557
 
 ------
 
 _dwarf_calculate_info_section_end_ptr (context=context@entry=0x0) at 
   dwarf_query.c:1746
 1746        dataptr = context->cc_is_info? dbg->de_debug_info.dss_data:
 gef> p/x $rdi
 $4 = 0x0
 </pre>
datefixed: 20160522
references: regressiontests/liu/NULLdereference0519.elf
gitfixid: 6fa3f710ee6f21bba7966b963033a91d77c952bd
endrec:



id: DW201605-016
cve:
datereported: 20160519
reportedby: Yue Liu
vulnerability: Invalid dwarf leads to 
 dwarfdump crash in print_frame_inst_bytes.
product: dwarfdump
description: Corrupted dwarf crashes dwarfdump
 <pre>
 1297         }
 1298         len = len_in;
 1299         endpoint = instp + len;
 1300         for (; len > 0;) {
 1301             unsigned char ibyte = *instp;           <- $pc
 1302             int top = ibyte & 0xc0;
 1303             int bottom = ibyte & 0x3f;
 1304             int delta = 0;
 1305             int reg = 0;

 #0  print_frame_inst_bytes (dbg=dbg@entry=0x655ca0,
 cie_init_inst=<optimized out>, len_in=<optimized out>,
 data_alignment_factor=-4, code_alignment_factor=4,
 addr_size=addr_size@entry=4, offset_size=4, version=3,
 config_data=config_data@entry=0x63cda0 <g_config_file_data>)
 at print_frames.c:1301

 #1  0x000000000041b70c in print_one_cie
 (dbg=dbg@entry=0x655ca0, cie=<optimized out>,
 cie_index=cie_index@entry=2, address_size=<optimized out>,
 config_data=config_data@entry=0x63cda0 <g_config_file_data>)
 at print_frames.c:1161

 #2  0x000000000041cf52 in print_frames (dbg=0x655ca0,
 print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0,
 config_data=config_data@entry=0x63cda0 <g_config_file_data>)
 at print_frames.c:2229

 gef> p/x $r13
 $1 = 0x4bcad8
 gef> p/x *$r13
 Cannot access memory at address 0x4bcad8
 </pre>
datefixed: 20160522
references: regressiontests/liu/OOB_READ0519.elf
gitfixid: 6fa3f710ee6f21bba7966b963033a91d77c952bd
endrec:


id: DW201605-015
cve: CVE-2016-5031
datereported: 20160517
reportedby: Yue Liu
vulnerability: OOB read bug in print_frame_inst_bytes()
product: libdwarf
description: Test object shows
 an invalid read in  print_frame_inst_bytes().
 <pre>
 1294         for (; len > 0;) {
 1295             unsigned char ibyte = *instp;           <- $pc
 1296             int top = ibyte & 0xc0;

 #0  print_frame_inst_bytes (dbg=dbg@entry=0x654c80, 
    cie_init_inst=<optimized out>, len=503715, data_alignment_factor=-4, 
    code_alignment_factor=1, addr_size=addr_size@entry=4, offset_size=4, 
    version=3, config_data=config_data@entry=0x63bda0 
    <g_config_file_data>) at print_frames.c:1295
 #1  0x000000000041b64c in print_one_cie (dbg=dbg@entry=0x654c80, 
    cie=<optimized out>, cie_index=cie_index@entry=1, 
    address_size=<optimized out>, config_data=
    config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:1161
 #2  0x000000000041ce92 in print_frames (dbg=0x654c80, 
    print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0, 
    config_data=config_data@entry=0x63bda0 <g_config_file_data>) 
    at print_frames.c:2209

 gef> x/10x $r13
 0x5e7981:       Cannot access memory at address 0x5e7981
 gef> p/x $r13
 $14 = 0x5e7981
 </pre>
datefixed: 20150518
references: regressiontests/liu/OOB0517_03.elf
gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54
tarrelease:
endrec:




id: DW201605-014
cve: CVE-2016-5032
datereported: 20160517
reportedby: Yue Liu
vulnerability: OOB read bug in dwarf_get_xu_hash_entry()
product: libdwarf
description: Test object shows
 an invalid read in dwarf_get _xu_hash_entry, lin 211.
 <pre>
 #0  dwarf_get_xu_hash_entry (xuhdr=xuhdr@entry=0x657360, 
    index=index@entry=2897626028, hash_value=
    hash_value@entry=0x7fffffffd5b0, 
    index_to_sections=index_to_sections@entry=0x7fffffffd5a8, 
    err=err@entry=0x7fffffffdb08) at dwarf_xu_index.c:211
 #1  0x00002aaaaacfd05e in _dwarf_search_fission_for_key (
    dbg=0x654a50, error=0x7fffffffdb08, percu_index_out=<synthetic pointer>,
    key_in=0x7fffffffd670, xuhdr=0x657360) at dwarf_xu_index.c:363
 #2  dwarf_get_debugfission_for_key (dbg=dbg@entry=0x654a50, 
    key=key@entry=0x7fffffffd670, key_type=key_type@entry=0x2aaaaad15e2a 
    "tu", percu_out=percu_out@entry=0x65a830, 
    error=error@entry=0x7fffffffdb08) at dwarf_xu_index.c:577
 </pre>
datefixed: 20150518
references: regressiontests/liu/OOB0517_02.elf
gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54
tarrelease:
endrec:




id: DW201605-013
cve: CVE-2016-5033
datereported: 20160517
reportedby: Yue Liu
vulnerability: OOB read bug in print_exprloc_content
product: libdwarf
description: Test object shows
 an invalid write in print_exprloc_content.
 <pre>
 #0  print_exprloc_content (dbg=dbg@entry=0x654ea0, 
    die=die@entry=0x65b110, attrib=attrib@entry=0x65b590, 
    esbp=esbp@entry=0x7fffffffcef0, showhextoo=1) at print_die.c:4182
 #1  0x0000000000412fb1 in get_attr_value (dbg=dbg@entry=0x654ea0, 
    tag=<optimized out>, die=die@entry=0x65b110, 
    dieprint_cu_goffset=dieprint_cu_goffset@entry=11, 
    attrib=attrib@entry=0x65b590, srcfiles=srcfiles@entry=0x0, 
    cnt=cnt@entry=0, esbp=esbp@entry=0x7fffffffcef0, show_form=0, 
    local_verbose=0) at print_die.c:4972
 </pre>
datefixed: 20150518
references: regressiontests/liu/OOB0517_01.elf
gitfixid: ac6673e32f3443a5d36c2217cb814000930b2c54
tarrelease:
endrec:


id: DW201605-012
cve: CVE-2016-5034
datereported: 20160513
reportedby: Yue Liu
vulnerability: OOB write. From relocation records
product: libdwarf
description: Test object shows
 an invalid write in dwarf_elf_access.c
 (when doing the relocations).
 Adding the relocation value to anything overflowed
 and disguised the bad relocation record.
 With a 32bit kernel build the test could show
 a double-free and coredump due to the unchecked invalid
 writes from relocations.
datefixed: 20160517 
references: regressiontests/liu/HeapOverflow0513.elf
gitfixid: 10ca310f64368dc083efacac87732c02ef560a92
tarrelease:
endrec:



id: DW201605-011
cve: CVE-2016-5035
datereported: 20160506
reportedby: Yue Liu
vulnerability: OOB read bug in _dwarf_read_line_table_header
product: libdwarf
description: Test object shows
 null dereference at line 62
 of dwarf_line_table_reader.c.
 Frame code and linetable code was not noticing data corruption.
datefixed: 20160512
references: regressiontests/liu/OOB_read4.elf
gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b
tarrelease: 
endrec:


id: DW201605-010
cve: CVE-2016-5036
datereported: 20160506
reportedby: Yue Liu
vulnerability: OOB read bug in dump_block
product: libdwarf
description: Test object shows
 null dereverence at line 186
 of dump_block() in print_sections.c
 Frame code was not noticing frame data corruption.
datefixed: 20160512
references: regressiontests/liu/OOB_read3.elf
 regressiontests/liu/OOB_read3_02.elf
gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b
tarrelease: 
endrec:

id: DW201605-009
cve: CVE-2016-5037
datereported: 20160505
reportedby: Yue Liu
vulnerability: NULL dereference in _dwarf_load_section
product: libdwarf
description: Test object shows
 null dereverence at line 1010
 if(!strncmp("ZLIB",(const char *)src,4)) {
 in dwarf_init_finish.c
 The zlib code was not checking for
 a corrupted length-value.
datefixed: 20160506
references: regressiontests/liu/NULLderefer0505_01.elf
gitfixid: b6ec2dfd850929821626ea63fb0a752076a3c08a
tarrelease: 20160507
endrec:

id: DW201605-008
cve: CVE-2016-5038
datereported: 20160505
reportedby: Yue Liu
vulnerability: OOB read in dwarf_get_macro_startend_file()
product: libdwarf
description: Test object shows
 out of bound read.
 OOB at:
 line 772  *src_file_name = macro_context->mc_srcfiles[trueindex];
 in dwarf_macro5.c
 A string offset into .debug_str is outside the bounds
 of the .debug_str section.
datefixed: 20160512
references: regressiontests/liu/OOB0505_02.elf
 regressiontests/liu/OOB0505_02_02.elf
gitfixid: 82d8e007851805af0dcaaff41f49a2d48473334b
tarrelease: 
endrec:

id: DW201605-007
cve: CVE-2016-5039
datereported: 20160505
reportedby: Yue Liu
vulnerability: OOB read bug in get_attr_value()
product: libdwarf
description: Test object shows
 out of bound read.
 Object had data all-bits-on so
 the existing length check did not work
 due to wraparound. Added a check
 not susceptible to that error (DW_DLE_FORM_BLOCK_LENGTH_ERROR).
datefixed: 20160506
references: regressiontests/liu/OOB0505_01.elf
gitfixid: eb1472afac95031d0c9dd8c11d527b865fe7deb8
gittag: 20160507
tarrelease: 20160507
endrec:

id: DW201605-006
cve:
datereported: 20160505
reportedby: Yue Liu
vulnerability: Two Heap-Overflow bug
product: libdwarf
description: Two test objects showing
 a heap overflow in libdwarf when
 using dwarfdump.
 It seems that these were fixed
 by the previous git update.
 Neither gdb nor valgrind find any errors
 when building with yesterday's commit.
datefixed: 20160504
references: regressiontests/liu/free_invalid_address.elf
 regressiontests/liu/heapoverflow01b.elf
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-001
cve: CVE-2016-5044
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a duplicate free() in libdwarf and
 the calling application will crash. 
product:  libdwarf
description:
 In file dwarf_elf_access.c:1071
 <pre>
 WRITE_UNALIGNED(dbg,target_section + offset,
     &outval,sizeof(outval),reloc_size);
 </pre>
 A crafted ELF file may lead to a large offset value, which
 bigger than the size of target_section heap chunk, then this
 WRITE_UNALIGNED() function will write the value of &outval
 out of the heap chunk.
 offset is a 64bit unsigned int value, so this is more than
 a heap overflow bug, but also a Out-of-Bound write bug.
 So WRITE_UNALIGNED() need more strictly checking to prevent
 this.
datefixed: 20160504
references: regressiontests/liu/heapoverflow01.elf
 <pre>
 https://bugzilla.redhat.com/show_bug.cgi?id=1332141
 </pre>
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
gittag: 20160507
tarrelease: 20160507
endrec:



id: DW201605-002
cve: CVE-2016-5043
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a read outside the bounds of in memory
 data so the calling application can crash.
product:  libdwarf
description:

 Out of bound read bug in libdwarf git code.

 dwarf_dealloc() did not check the Dwarf_Ptr space argument
 before using it. This will lead to a out-of-bound read bug.
 <pre>
 backtrace:
 #0  dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0,
 alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477
 #1  0x00002aaaaacf3296 in dealloc_srcfiles
 (dbg=0x655f30, srcfiles=0x66b8f0, srcfiles_count=17) at
 dwarf_macro5.c:1025 #2  0x00002aaaaacf50e6 in dealloc_srcfiles
 (srcfiles_count=<optimized out>, srcfiles=<optimized out>,
 dbg=<optimized out>) at dwarf_macro5.c:1021 -----

 gef> p &r->rd_dbg
 $14 = (void **) 0x90
 </pre>
datefixed: 20160504
references: regressiontests/liu/outofbound01.elf
 <pre>
 https://bugzilla.redhat.com/show_bug.cgi?id=1332144
 </pre>
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-003
cve: CVE-2016-5042
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in an infinite loop that eventually
 crashes the application.
product:  libdwarf
description:
 In dwarf_get_aranges_list()
 an invalid count will iterate, reading from memory
 addresses that increase till it all fails.

datefixed: 20160504
references: regressiontests/liu/infiniteloop.elf
 <pre>
 https://bugzilla.redhat.com/show_bug.cgi?id=1332145
 </pre>
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-004
cve: CVE-2016-5041
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in a null dereference reading debugging
 information entries  which
 crashes the application.
product:  libdwarf
description:
 If no DW_AT_name is present in a debugging
 information entry  using DWARF5 macros
 a null dereference in dwarf_macro5.c will
 crash the application.
 
datefixed: 20160504
references: regressiontests/liu/null01.elf
 <pre>
 https://bugzilla.redhat.com/show_bug.cgi?id=1332148
 </pre>
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:

id: DW201605-005
cve: CVE-2016-5040
datereported: 20160502
reportedby: Yue Liu
vulnerability: A specially crafted DWARF section
 results in  reading a compilation unit header
 that crashes the application.
product:  libdwarf
description:
 If the data read for a compilation unit header
 contains a too large length value the library
 will read outside of its bounds and crash the application.
datefixed: 20160504
references: regressiontests/liu/null02.elf
 <pre>
 https://bugzilla.redhat.com/show_bug.cgi?id=1332149
 </pre>
gitfixid: 98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
tarrelease: 20160507
endrec:




