Date: Thu, 23 Oct 2014 18:55:17 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: lcamtuf@...edump.cx Subject: Re: strings / libbfd crasher On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote: > > http://lcamtuf.coredump.cx/stringme > > The immediate cause is due to srec_scan() in srec.c decreasing 'bytes' > without range checking until it wraps around. The already-bad value of > 'bytes' is assigned to 'sec->size' few lines before the crash, so > perhaps there would be potential for exploitability later down the > line; but the code ends up crashing soon thereafter in a 'while (bytes > > 0)' loop that has no other exit conditions. That loop would need to > go over the entire address space without SEGV to avoid the crash. I'm no leporidae but I agree srec_scan needs tlc. Fun-with-NULL: http://sf.net/projects/mancha/files/rnd/stringmetoo --mancha [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ