Bugzilla – Bug 936786
VUL-1: CVE-2015-3239 libunwind: off-by-one in dwarf_to_unw_regnum()
Last modified: 2020-09-24 08:39:24 UTC
via rh#1232265 Paolo Bonzini from Red Hat reported following issue in libunwind: An invalid DW_OP_bregXX opcodes can access dwarf_to_unw_regnum_map one item past the end. Spotted by Coverity, suggested patch below: """ --- a/include/dwarf_i.h +++ b/include/dwarf_i.h @@ -20,7 +20,7 @@ extern const uint8_t dwarf_to_unw_regnum_map[DWARF_REGNUM_MAP_LENGTH]; /* REG is evaluated multiple times; it better be side-effects free! */ # define dwarf_to_unw_regnum(reg) \ - (((reg) <= DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0) + (((reg) < DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0) #endif #ifdef UNW_LOCAL_ONLY """ The same off-by one affects the v0.98-stable branch: diff --git a/include/dwarf_i.h b/include/dwarf_i.h index 55320c2..cddeef8 100644 --- a/include/dwarf_i.h +++ b/include/dwarf_i.h @@ -16,7 +16,7 @@ extern uint8_t dwarf_to_unw_regnum_map[DWARF_REGNUM_MAP_LENGTH]; static inline unw_regnum_t dwarf_to_unw_regnum (unw_word_t regnum) { - if (regnum <= DWARF_REGNUM_MAP_LENGTH) + if (regnum < DWARF_REGNUM_MAP_LENGTH) return dwarf_to_unw_regnum_map[regnum]; return 0; } References: http://savannah.nongnu.org/bugs/?45276 https://bugzilla.redhat.com/show_bug.cgi?id=1232265 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3239 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239
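Review bot: In the `dwarf_to_unw_regnum(reg)` macro of the first hunk, the corrected `(reg) < DWARF_REGNUM_MAP_LENGTH` test bounds the index only from above, so a signed negative `reg` would still pass the check and index before `dwarf_to_unw_regnum_map`. The macro also evaluates `reg` more than once, as its own comment warns. Consider converting it to a `static inline` function taking the unsigned `unw_word_t`, as the v0.98-stable version in the second hunk already does.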
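Review bot: In the v0.98-stable hunk, the fallthrough `return 0;` after the corrected `regnum < DWARF_REGNUM_MAP_LENGTH` check makes an out-of-range DWARF register number indistinguishable from a map entry whose value is 0. A short comment on `dwarf_to_unw_regnum()` stating that invalid register numbers map to 0 on purpose, or an explicit error return that callers decoding DW_OP_bregXX can act on, would make that behaviour explicit.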
bugbot adjusting priority
SLE11 affected
SLE12 affected
openSUSE-* affected
This is an autogenerated message for OBS integration:
This bug (936786) was mentioned in
https://build.opensuse.org/request/show/314851 Factory / libunwind
https://build.opensuse.org/request/show/314852 13.2 / libunwind
https://build.opensuse.org/request/show/314853 13.1 / libunwind
openSUSE-SU-2015:1245-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 936786
CVE References: CVE-2015-3239
Sources used:
openSUSE 13.1 (src): libunwind-1.1-6.3.1
Created attachment 716855 [details]
Upstream patches for SLE-10, 11 and 12.

Codestreams with versions of libunwind <= 1.1 are affected by CVE-2015-3239:

Leap:42.2:Update    1.1     Comes from SLE-12
Leap:42.1:Update    1.1     Comes from SLE-12
SLE-12:Update       1.1     libunwind-1.1-CVE-2015-3239.patch
SLE-11:Update       0.98.6  libunwind-0.98-CVE-2015-3239.patch
SLE-10-SP2:Update   0.98.5  libunwind-0.98-CVE-2015-3239.patch

Added patch for version 1.1
libunwind-1.1-CVE-2015-3239.patch

Added patch for versions 0.98.*
libunwind-0.98-CVE-2015-3239.patch

CVE corrected upstream in version 1.2 (commit 396b6c7ab737e2bff244d640601c436a26260ca1)

Reassigning bug to the security-team.
This is an autogenerated message for OBS integration:
This bug (936786) was mentioned in
https://build.opensuse.org/request/show/666346 42.3 / libunwind
openSUSE-SU-2019:0061-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 1122012,936786
CVE References: CVE-2015-3239
Sources used:
openSUSE Leap 42.3 (src): libunwind-1.1-15.3.1
SUSE-SU-2019:0284-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1122012,936786,976955
CVE References: CVE-2015-3239
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libunwind-1.1-11.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libunwind-1.1-11.3.1
SUSE Linux Enterprise Server 12-SP4 (src): libunwind-1.1-11.3.1
SUSE Linux Enterprise Server 12-SP3 (src): libunwind-1.1-11.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src): libunwind-1.1-11.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libunwind-1.1-11.3.1
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2020-06-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64438
Released.