CVE-2020-28163: Exploring the NULL Pointer Dereference Vulnerability in libdwarf Before 20201201
A recently discovered vulnerability (CVE-2020-28163) in the popular debugging library libdwarf has been making waves in the cybersecurity community. This blog post will discuss the details of the vulnerability, show a code snippet to demonstrate it, link to the original references, and outline an exploit. The CVE-2020-28163 vulnerability is due to a NULL pointer dereference and can lead to application crashes. Note that this vulnerability affects libdwarf versions before 20201201 and arises when a DWARF5 line-table header has an invalid FORM for a pathname.
[Section 1: Understanding the Vulnerability]
Before diving into the code snippet, let's understand the vulnerability in more detail. A NULL pointer dereference occurs when an application tries to reference memory at the address '', usually as a result of uninitialized or improperly checked pointers.
In the case of CVE-2020-28163, the issue lies within the dwarf_print_lines.c file of the libdwarf library. When parsing DWARF5 line-table headers, there is a lack of proper validation for the FORM attribute used for pathnames. This vulnerability ultimately allows attackers to craft a malicious input that can crash the application by triggering these dereferences.
This vulnerability may seem low-impact, but crashing an application can have serious implications in production environments where uptime and reliability are of the utmost importance.
[Section 2: Demonstration Code Snippet]
Here is a code snippet showing the affected portion of the libdwarf library.
static int
formxdata_print_here(struct esb_s *esb,
Dwarf_Half attrnum,
unsigned formintype,
Dwarf_Debug dbg,
Dwarf_Attribute attr,
Dwarf_Error* err)
{
Dwarf_Form form = ;
int res = dwarf_whatform(attr, &form, err);
... // some other code
case DW_FORM_data4:
if (dwarf_global_formref(attr, &uval,err) == DW_DLV_OK) {
/* Note that a line table header is not marked as a line */
res = dwarf_lineoff_b(dbg,
entry.intervals[lineidx->
lt_idxpath[dimidx].hf_buf_idx].off, /* DEBUG_ONLY=25 */
&buf_table,
&buf_end_table,
err);
check_line_table_for_err("dwarf_lineoff_b",
attrnum,form,
formintype,res,*err);
if (res == DW_DLV_OK && buf_table) {
Dwarf_Ptr endptr=NULL;
Dwarf_Unsigned sectionoffset = ;
... // some other code
}
}
break;
...
}
return DW_DLV_OK;
}
In this code snippet, the problematic part deals with the DW_FORM_data4 case. There is not enough error checking taking place, and further on in the code, making use of a NULL pointer is permitted.
For further information on this vulnerability, you can refer to the following original resources
- NIST's Detail page for CVE-2020-28163: https://nvd.nist.gov/vuln/detail/CVE-2020-28163
- Official libdwarf Repository: https://sourceforge.net/projects/libdwarf/
- libdwarf before 20201201 vulnerability disclosure: https://security-tracker.debian.org/tracker/CVE-2020-28163
[Section 4: Exploit Details]
To take advantage of this vulnerability, an attacker would have to craft a specially designed binary file with corrupt DWARF debugging information. The DWARF5 line-table header's pathname FORM attribute would be intentionally malformed, causing a null pointer dereference. When libdwarf attempts to parse this file, it would trigger the vulnerability mentioned earlier and lead to a crash.
Conclusion
The CVE-2020-28163 vulnerability serves as a reminder to always ensure proper validation and error checking throughout the codebase. This particular vulnerability in libdwarf has been addressed in the latest library version, so it is highly recommended to update to the latest release. While this specific example might only cause crashes, other similar vulnerabilities might lead to more severe consequences. Be vigilant, and ensure that your code can handle unexpected or incongruous input.
Timeline
Published on: 04/16/2023 00:15:00 UTC
Last modified on: 04/26/2023 15:42:00 UTC