Date: Tue, 28 Oct 2014 16:07:17 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: Re: strings / libbfd crasher

On 2014-10-27 04:35, Michal Zalewski wrote:
>> I don't know whether it's the same crash or not but I've dug results of my
>> older experiments with zzuf. Attached are two crashers for `objdump -x` --
>> one pe and one elf. elf also crashes `strings`. Sorry, not researched.
>
> objdump-elf-crasher looks like a stack exhaustion with
> /usr/bin/strings, so probably not a big deal.
>
> objdump-pe-crasher doesn't affect strings, but if you do run objdump
> -x, it looks like an attempt to do fprintf() with a bogus pointer,
> called from pe_print_edata(). Specifically, there's a line that goes
> like this:
>
>    fprintf (file,
>             " %s\n", data + edt.name - adj);
>
> ...and edt.name, it looks like, comes from:
>
>    edt.name           = bfd_get_32 (abfd, data + 12);
>
> ...and the value is completely off-charts. So, probably another
> instance of essentially no range checking, although this particular
> crash may not be exploitable at a very quick glance, unless something
> interesting happened beforehand.

Michal, thanks for the analysis! And thanks, Hanno, for uploading them 
to binutils bugtracker.

-- 
Alexander Cherepanov
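The pattern Michal describes (an export-directory Name RVA read with bfd_get_32() and used as data + edt.name - adj without a range check) is modelled below as an added example. This is not binutils code: the export directory is constructed in memory, the section RVA (SECTION_RVA), the 52-byte section size and the helper names are all assumptions, and the "bogus" RVA is just a large value chosen to land far outside the buffer. The unchecked variant only computes the offset the original pointer arithmetic would produce, without dereferencing it; the checked variant shows the bounds and NUL-termination tests a hardened printer would need.

```c
/* Added example, not binutils code: a model of the pe_print_edata()
 * pattern from the thread. SECTION_RVA and the section layout are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EDT_NAME_OFFSET 12       /* offset of the Name RVA in the export directory */
#define EDT_SIZE        40       /* size of IMAGE_EXPORT_DIRECTORY */
#define SECTION_RVA     0x3000u  /* assumed RVA of the constructed .edata section */
#define SECTION_SIZE    52       /* assumed size of the constructed section */

/* Little-endian 32-bit read, the role bfd_get_32() plays in the original. */
static uint32_t get_32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Constructed .edata section: a zeroed 40-byte export directory whose Name
 * field is name_rva, "GOOD.DLL\0" at offset 40, and non-NUL 'X' padding
 * after it so an RVA into the padding finds no terminator. */
static void make_edata(unsigned char buf[SECTION_SIZE], uint32_t name_rva)
{
    memset(buf, 0, EDT_SIZE);
    memset(buf + EDT_SIZE, 'X', SECTION_SIZE - EDT_SIZE);
    memcpy(buf + EDT_SIZE, "GOOD.DLL", 9);
    put_32(buf + EDT_NAME_OFFSET, name_rva);
}

/* The original arithmetic, data + edt.name - adj, without touching memory:
 * returns the byte offset from data that the pointer would have. */
static int64_t unchecked_name_offset(const unsigned char *data, uint32_t adj)
{
    uint32_t name = get_32(data + EDT_NAME_OFFSET);
    return (int64_t)name - (int64_t)adj;
}

/* Hardened reader: rejects a Name RVA outside [adj, adj + datasize) and a
 * name that does not NUL-terminate inside the section. Returns 1 and fills
 * out on success, 0 otherwise. */
static int read_dll_name(const unsigned char *data, size_t datasize, uint32_t adj,
                         char *out, size_t outsize)
{
    if (datasize < EDT_SIZE)
        return 0;                         /* no complete export directory */
    uint32_t name = get_32(data + EDT_NAME_OFFSET);
    if (name < adj)
        return 0;                         /* RVA below the section start */
    uint32_t off = name - adj;
    if (off >= datasize)
        return 0;                         /* RVA at or past the section end */
    const unsigned char *nul = memchr(data + off, '\0', datasize - off);
    if (nul == NULL)
        return 0;                         /* string runs off the section */
    size_t len = (size_t)(nul - (data + off));
    if (len >= outsize)
        return 0;
    memcpy(out, data + off, len + 1);
    return 1;
}

int main(void)
{
    unsigned char sec[SECTION_SIZE];
    char name[32];

    make_edata(sec, SECTION_RVA + EDT_SIZE);
    if (read_dll_name(sec, sizeof sec, SECTION_RVA, name, sizeof name))
        printf("valid section: name = %s\n", name);

    make_edata(sec, 0xFFFFFF00u);         /* off-charts RVA, as in the crasher */
    printf("bogus RVA: unchecked pointer would sit %lld bytes past data "
           "(section is %d bytes)\n",
           (long long)unchecked_name_offset(sec, SECTION_RVA), SECTION_SIZE);
    printf("bogus RVA: checked reader accepts it = %d\n",
           read_dll_name(sec, sizeof sec, SECTION_RVA, name, sizeof name));
    return 0;
}
```

The checked reader rejects three distinct bad inputs that the original arithmetic does not distinguish: an RVA below the section's own address (underflow of name - adj), an RVA at or beyond the end of the section, and an in-range RVA whose string is not terminated before the section ends. A real fix in objdump would need the same three tests before the fprintf(), since `%s` walks memory until it finds a NUL.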
