Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Oct 2014 18:55:17 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: lcamtuf@...edump.cx
Subject: Re: strings / libbfd crasher

On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote:
> > http://lcamtuf.coredump.cx/stringme
> 
> The immediate cause is due to srec_scan() in srec.c decreasing 'bytes'
> without range checking until it wraps around. The already-bad value of
> 'bytes' is assigned to 'sec->size' few lines before the crash, so
> perhaps there would be potential for exploitability later down the
> line; but the code ends up crashing soon thereafter in a 'while (bytes
> > 0)' loop that has no other exit conditions. That loop would need to
> go over the entire address space without SEGV to avoid the crash.

I'm no leporidae but I agree srec_scan needs tlc.

Fun-with-NULL:

http://sf.net/projects/mancha/files/rnd/stringmetoo

--mancha


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ