CVE-2022-44940: Fix Out-of-bounds read in the function modifyRPath by xiaoxiaoafeifei · Pull Request #419 · NixOS/patchelf
Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.
Hi,
An out-of-bounds read exists in the function modifyRPath; I fixed this issue in this PR.
root@iZ2vcadn43p7fjzbhl6zqwZ:~/patchelf_0# /usr/local/bin/patchelf --shrink-rpath sample00900
AddressSanitizer:DEADLYSIGNAL
=================================================================
==60417==ERROR: AddressSanitizer: SEGV on unknown address 0x626200001e58 (pc 0x557356cd43e7 bp 0x7ffeea76e550 sp 0x7ffeea76dfa0 T0)
==60417==The signal is caused by a READ memory access.
#0 0x557356cd43e6 in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::modifyRPath(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::RPathOp, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /root/patchelf_0/src/patchelf.cc:1376
#1 0x557356b6ba6c in patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, long unsigned int, long unsigned int, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, short unsigned int> > /root/patchelf_0/src/patchelf.cc:1865
#2 0x557356b6ba6c in patchElf /root/patchelf_0/src/patchelf.cc:1907
#3 0x557356b6ba6c in mainWrapped(int, char**) /root/patchelf_0/src/patchelf.cc:2089
#4 0x557356b56ee5 in main /root/patchelf_0/src/patchelf.cc:2097
#5 0x7ff86c8b6082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#6 0x557356b57bdd in _start (/usr/local/bin/patchelf+0x225bdd)
Related news
Ubuntu Security Notice USN-6036-1
Ubuntu Security Notice 6036-1 - It was discovered that PatchELF was not properly performing bounds checks, which could lead to an out-of-bounds read via a specially crafted file. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information.