Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Oct 2014 11:30:50 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: lcamtuf@...edump.cx
Subject: Re: strings / libbfd crasher

On Thu, Oct 23, 2014 at 06:55:17PM +0000, mancha wrote:
> On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote:
> > > http://lcamtuf.coredump.cx/stringme
> > 
> > The immediate cause is due to srec_scan() in srec.c decreasing
> > 'bytes' without range checking until it wraps around. The
> > already-bad value of 'bytes' is assigned to 'sec->size' few lines
> > before the crash, so perhaps there would be potential for
> > exploitability later down the line; but the code ends up crashing
> > soon thereafter in a 'while (bytes
> > > 0)' loop that has no other exit conditions. That loop would need
> > > to
> > go over the entire address space without SEGV to avoid the crash.
> 
> I'm no leporidae but I agree srec_scan needs tlc.
> 
> Fun-with-NULL:
> 
> http://sf.net/projects/mancha/files/rnd/stringmetoo
> 
> --mancha
> 

To clarify...

While my sample input to strings (or objdump, etc.) also gets bytes to
wraparound, the nature of the crash is different that that of Michal's
sample. My input triggers a NULL pointer dereference and further
demonstrates the need to tighten up the codebase. 


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.