Mageia Bugzilla – Attachment 10879 Details for Bug 18987: binutils several new security issues
Brief reports of reproducer tests before updating
poc_tests_before (text/plain), 10.85 KB, created by Len Lawrence on 2019-03-23 22:05:42 CET
mga6, x86_64

*Before update*
Some of these POC are meant to be used with ASAN and should result in aborts within that framework - not so here.

-------------------------------------------------------------------------------

CVE-2018-10372
https://sourceware.org/bugzilla/show_bug.cgi?id=23064
$ readelf -w bug3
readelf: Warning: possibly corrupt ELF header - it has a non-zero program header offset, but no program headers
[...]

-------------------------------------------------------------------------------

CVE-2018-10373
https://bugzilla.suse.com/show_bug.cgi?id=1090997&_ga=2.211092119.384073384.1553193400-55335118.1500933662
This file is definitely intended for ASAN testing.
Trying this:
$ nm -l crash3
                 U abort@@GLIBC_2.2.5
00000000004076b0 T adjust_relative_path elfcomm.c:398
[...]
000000000040f880 T xmalloc ./xmalloc.c:146
000000000040f720 T xmalloc_failed ./xmalloc.c:119
000000000040f680 T xmalloc_set_program_name ./xmalloc.c:112
000000000040fb00 T xrealloc ./xmalloc.c:175
                 U __xstat@@GLIBC_2.2.5
0000000000410060 T xstrdup ./xstrdup.c:32

-------------------------------------------------------------------------------

CVE-2018-10534
https://sourceware.org/bugzilla/show_bug.cgi?id=23110
$ objcopy objcopy_crash.input /dev/null
$ objcopy objcopy_crash.input /dev/null
Segmentation fault (core dumped)

-------------------------------------------------------------------------------

CVE-2018-10535
The POC and result are the same as for CVE-2018-10534.

-------------------------------------------------------------------------------

CVE-2018-6323
https://bugzilla.suse.com/show_bug.cgi?id=1077745&_ga=2.222233242.384073384.1553193400-55335118.1500933662
$ objdump -x c2
objdump: c2: File truncated

-------------------------------------------------------------------------------

CVE-2018-6543
$ objdump -g c3
c3:     file format elf32-i386
Can't get contents for section '.eh_frame'.

-------------------------------------------------------------------------------

CVE-2018-6759
https://bugzilla.suse.com/show_bug.cgi?id=1079741&_ga=2.226372248.384073384.1553193400-55335118.1500933662
$ valgrind --leak-check=full nm -A -a -l -S -s --special-syms --synthetic -D binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1
[...]
==13820== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

-------------------------------------------------------------------------------

CVE-2018-6872
https://sourceware.org/bugzilla/show_bug.cgi?id=22788
$ objdump -x id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16
id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16:     file format elf32-i386
id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16
architecture: i386, flags 0x00000112:
[...]
00000000  w      *UND*  00000000              _ITM_registerTMCloneTable
080482a8 g     F .init  00000000              _init

Upstream, this aborted under ASAN.

-------------------------------------------------------------------------------

CVE-2018-7208
https://sourceware.org/bugzilla/show_bug.cgi?id=22741
$ objcopy objcopy_crash.input
Segmentation fault (core dumped)

-------------------------------------------------------------------------------

CVE-2018-7568
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_parse_die.elf
$ nm -A -a -l -S -s --special-syms --synthetic -D binutils_nm_integer_overflow_parse_die.elf
binutils_nm_integer_overflow_parse_die.elf:                 U __cxa_begin_catch
binutils_nm_integer_overflow_parse_die.elf:0000000000400770 0000000000e677e6 T __cxa_begin_catch@plt
[...]
binutils_nm_integer_overflow_parse_die.elf:                 U _ZSt9terminatev
binutils_nm_integer_overflow_parse_die.elf:0000000000400750 T _ZSt9terminatev@plt

-------------------------------------------------------------------------------

CVE-2018-7569
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_read_attribute_value.elf
$ nm -A -a -l -S -s --special-syms --synthetic -D binutils_nm_integer_overflow_read_attribute_value.elf
Output was similar to that of the previous CVE.

-------------------------------------------------------------------------------

CVE-2018-7570
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
$ objcopy binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
objcopy: stpDHKjB: warning: allocated section `.init_array' not in segment
objcopy: stpDHKjB: warning: allocated section `.fini_array' not in segment
objcopy: stpDHKjB: warning: allocated section `.jcr' not in segment
objcopy: stpDHKjB: warning: allocated section `.dynamic' not in segment
objcopy: stpDHKjB: warning: allocated section `.got' not in segment
objcopy: stpDHKjB: warning: allocated section `.got.plt' not in segment
objcopy: stpDHKjB: warning: allocated section `.data' not in segment
objcopy:binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf[.data]: File truncated

-------------------------------------------------------------------------------

CVE-2018-7642
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf
$ objcopy binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf
Segmentation fault (core dumped)

-------------------------------------------------------------------------------

CVE-2018-7643
https://github.com/skysider/FuzzVuln/blob/master/binutils_objdump_integer_overflow_display_debug_ranges.elf
$ objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --dwarf-check binutils_objdump_integer_overflow_display_debug_ranges.elf
EXEC_P, HAS_SYMS
start address 0x00000000004007b0
[...]
 INIT_ARRAY 0x0000000000601de0
:objdump: Warning: Invalid length 0x0010001c in FDE at 0x000210
objdump: Warning: Range lists in .debug_ranges section start at 0xff000000
[...]
<The whole file is analyzed and then disassembled - apparently successfully>

-------------------------------------------------------------------------------

CVE-2018-8945
This has two reproducers at https://bugzilla.suse.com/show_bug.cgi?id=1086608&_ga=2.184871851.384073384.1553193400-55335118.1500933662
$ objdump -x -W bfd_section_from_shdr_pe
[...]
objdump: bfd_section_from_shdr_pe: no group info for section
objdump: bfd_section_from_shdr_pe: File truncated
<segfault expected>
$ objdump -x -W bfd_section_from_shdr_elf
objdump: bfd_section_from_shdr_elf: File truncated

-------------------------------------------------------------------------------

Suse claims to have fixed the issues covered by the CVEs listed in comment 25.

CVE-2017-12488
https://bugzilla.suse.com/show_bug.cgi?id=1052518&_ga=2.259881994.1290866901.1553368644-55335118.1500933662
$ objdump -x use-after-free
In archive use-after-free:
In nested archive :
objdump: : File format not recognized
<segfault upstream>

-------------------------------------------------------------------------------

No reproducers for CVE-2017-1245{0,2,3,4,6}

-------------------------------------------------------------------------------

CVE-2017-12799
https://bugzilla.suse.com/show_bug.cgi?id=1053347&_ga=2.202293137.1290866901.1553368644-55335118.1500933662
$ objdump -S heapoverflow-objdump
objdump: heapoverflow-objdump: File truncated

-------------------------------------------------------------------------------

CVE-2017-13757
https://bugzilla.suse.com/show_bug.cgi?id=1056312&_ga=2.265638031.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_elf_i386_get_synthetic_symtab
This went into a loop with one core at 100%, reporting "undefined" many times (related to address ranges and permissions in some way). Crashed out of it:
==24753== ERROR SUMMARY: 10000000 errors from 2 contexts (suppressed: 0 from 0)
<Same as upstream>
Without valgrind it does not loop.

-------------------------------------------------------------------------------

CVE-2017-14128
https://bugzilla.suse.com/show_bug.cgi?id=1057139&_ga=2.35043361.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_read_1_byte
Behaviour was similar to the reproducer for CVE-2017-13757, and also without valgrind.

-------------------------------------------------------------------------------

CVE-2017-14129
https://bugzilla.suse.com/show_bug.cgi?id=1057144&_ga=2.21909691.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_parse_comp_unit
Same again.

-------------------------------------------------------------------------------

CVE-2017-14130
https://bugzilla.suse.com/show_bug.cgi?id=1057149&_ga=2.21909691.1290866901.1553368644-55335118.1500933662
https://bugzilla.suse.com/show_bug.cgi?id=1057149&_ga=2.234771486.1290866901.1553368644-55335118.1500933662
$ objdump -x -Wl -R -SD objdump_hoobr_bfd_elf_attr_strdupCVE-2017-14130
objdump: objdump_hoobr_bfd_elf_attr_strdup: invalid string offset 808464432 >= 244 for section `.shstrtab'
objdump: objdump_hoobr_bfd_elf_attr_strdup: Bad value

-------------------------------------------------------------------------------

No reproducer for CVE-2017-14333 (DOS)

-------------------------------------------------------------------------------

CVE-2017-14529
https://bugzilla.suse.com/show_bug.cgi?id=1059050&_ga=2.192847658.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_bfd_getl16
[...]
==30086== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-------------------------------------------------------------------------------

No reproducer for CVE-2017-14729 (DOS)

-------------------------------------------------------------------------------

CVE-2017-14745
https://sourceware.org/bugzilla/show_bug.cgi?id=22148
There is no specific instruction for this file but the comments refer to using objdump, so using it in the most basic way:
$ objdump -x crash_1
This produced a full dump without any obvious errors.

-------------------------------------------------------------------------------

CVE-2017-14974
https://bugzilla.suse.com/show_bug.cgi?id=1061241&_ga=2.192796842.1290866901.1553368644-55335118.1500933662
$ objdump -S crash.elf
No crash. Full disassembly of the file.
The issue is DOS via null pointer dereference then crash.

-------------------------------------------------------------------------------

There are dozens more which I am skipping. The last in the list is
CVE-2017-9955
https://bugzilla.suse.com/show_bug.cgi?id=1046094&_ga=2.189119659.1290866901.1553368644-55335118.1500933662
$ objdump -S CVE-2017-9955.poc1 > /dev/null
Nothing reported.
$ objdump -S CVE-2017-9955.poc2 > /dev/null
objdump: out of memory allocating 549755813914 bytes after a total of 0 bytes

If bugsquad thinks it worth pursuing the CVEs missed then I would do that at a later date.
The current crop of POC tests might indicate that some of the issues have already been addressed. Need to run them all again after the update.
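A harness for re-running these reproducers after the update, added here as an example and not part of Len Lawrence's attachment: it runs each command line from the report under a timeout (the CVE-2017-13757 case loops under valgrind), classifies how the tool terminated, and writes one line per CVE so a before file and an after file can be compared with diff. The PoC file names are the ones used in the report; coreutils timeout(1) is assumed and skipped if absent.

```shell
#!/bin/sh
# Added example (not from the attachment): run each reproducer from the report
# under a timeout and record a one-line verdict per CVE. Run once before and once
# after the binutils update, then diff the two result files.
# Assumes the PoC files are in the current directory and timeout(1) is available.

# Map a shell exit status to a short verdict: "ok", "timeout", "signal:NAME"
# (signal:SEGV for the segfaults in the report) or "error:N".
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "ok"
    elif [ "$st" -eq 124 ]; then
        echo "timeout"                      # timeout(1) reports expiry as 124
    elif [ "$st" -gt 128 ]; then
        sig=$((st - 128))                   # 128+N is how sh reports death by signal N
        echo "signal:$(kill -l "$sig" 2>/dev/null || echo "$sig")"
    else
        echo "error:$st"
    fi
}

# Run one reproducer (label, then the command line) with output discarded and
# print "label verdict". The if/else keeps a failing tool from tripping set -e.
run_poc() {
    label=$1; shift
    if command -v timeout >/dev/null 2>&1; then
        set -- timeout 20 "$@"
    fi
    if "$@" >/dev/null 2>&1; then
        st=0
    else
        st=$?
    fi
    echo "$label $(classify_status "$st")"
}

# Usage: sh poc_harness.sh before.txt  (again as after.txt once updated; then diff)
if [ -n "$1" ]; then
    {
        run_poc CVE-2018-10372 readelf -w bug3
        run_poc CVE-2018-10534 objcopy objcopy_crash.input /dev/null
        run_poc CVE-2018-7642  objcopy binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf
        run_poc CVE-2017-13757 objdump -x -Wl -R -SD objdump_hoobr_elf_i386_get_synthetic_symtab
        run_poc CVE-2017-9955  objdump -S CVE-2017-9955.poc2
    } > "$1"
fi
```

A PoC that only trips under ASAN, as the report notes for several of these, will show as "ok" here unless the tools are rebuilt with the sanitizer.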