Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Oct 2014 11:30:50 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: lcamtuf@...edump.cx
Subject: Re: strings / libbfd crasher

On Thu, Oct 23, 2014 at 06:55:17PM +0000, mancha wrote:
> On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote:
> > > http://lcamtuf.coredump.cx/stringme
> > 
> > The immediate cause is due to srec_scan() in srec.c decreasing
> > 'bytes' without range checking until it wraps around. The
> > already-bad value of 'bytes' is assigned to 'sec->size' few lines
> > before the crash, so perhaps there would be potential for
> > exploitability later down the line; but the code ends up crashing
> > soon thereafter in a 'while (bytes
> > > 0)' loop that has no other exit conditions. That loop would need
> > > to
> > go over the entire address space without SEGV to avoid the crash.
> 
> I'm no leporidae but I agree srec_scan needs tlc.
> 
> Fun-with-NULL:
> 
> http://sf.net/projects/mancha/files/rnd/stringmetoo
> 
> --mancha
> 

To clarify...

While my sample input to strings (or objdump, etc.) also gets bytes to
wraparound, the nature of the crash is different that that of Michal's
sample. My input triggers a NULL pointer dereference and further
demonstrates the need to tighten up the codebase. 


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ