Date: Fri, 24 Oct 2014 11:30:50 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: lcamtuf@...edump.cx Subject: Re: strings / libbfd crasher On Thu, Oct 23, 2014 at 06:55:17PM +0000, mancha wrote: > On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote: > > > http://lcamtuf.coredump.cx/stringme > > > > The immediate cause is due to srec_scan() in srec.c decreasing > > 'bytes' without range checking until it wraps around. The > > already-bad value of 'bytes' is assigned to 'sec->size' few lines > > before the crash, so perhaps there would be potential for > > exploitability later down the line; but the code ends up crashing > > soon thereafter in a 'while (bytes > > > 0)' loop that has no other exit conditions. That loop would need > > > to > > go over the entire address space without SEGV to avoid the crash. > > I'm no leporidae but I agree srec_scan needs tlc. > > Fun-with-NULL: > > http://sf.net/projects/mancha/files/rnd/stringmetoo > > --mancha > To clarify... While my sample input to strings (or objdump, etc.) also gets bytes to wraparound, the nature of the crash is different that that of Michal's sample. My input triggers a NULL pointer dereference and further demonstrates the need to tighten up the codebase. [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ