Date: Tue, 28 Oct 2014 16:07:17 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: Re: strings / libbfd crasher

On 2014-10-27 04:35, Michal Zalewski wrote:
>> I don't know whether it's the same crash or not but I've dug up results of my
>> older experiments with zzuf. Attached are two crashers for `objdump -x` --
>> one pe and one elf. elf also crashes `strings`. Sorry, not researched.
>
> objdump-elf-crasher looks like a stack exhaustion with
> /usr/bin/strings, so probably not a big deal.
>
> objdump-pe-crasher doesn't affect strings, but if you do run objdump
> -x, it looks like an attempt to do fprintf() with a bogus pointer,
> called from pe_print_edata(). Specifically, there's a line that goes
> like this:
>
> fprintf (file,
>          "  %s\n", data + edt.name - adj);
>
> ...and edt.name, looks like, comes from:
>
> edt.name = bfd_get_32 (abfd, data + 12);
>
> ...and the value is completely off-charts. So, probably another
> instance of essentially no range checking, although this particular
> crash may not be exploitable at a very quick glance, unless something
> interesting happened beforehand.

Michal, thanks for the analysis! And thanks, Hanno, for uploading them to the binutils bugtracker.

-- 
Alexander Cherepanov
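The pattern Michal describes above, a file-controlled RVA read out of the export directory and turned into a pointer into the section buffer with no range check, is easy to reproduce in miniature. The following is an added example written for this page, not binutils' code and not the reporter's crasher. It assumes the PE export directory occupies the first 40 bytes of the section data with the name RVA at offset 12 (consistent with the quoted `bfd_get_32 (abfd, data + 12)`), that `adj` is the RVA of the section holding the export table, and it uses its own hypothetical names (`export_name_unchecked`, `export_name_checked`, `build_export_section`, `SECTION_RVA`) throughout. The sample buffers are constructed in the code, not taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed: RVA of the section that holds the export directory, i.e. the
   value the quoted code calls "adj". Any value works for the example. */
#define SECTION_RVA 0x3000u

/* Export directory size and the offset of the Name RVA field within it
   (assumed layout; the quoted analysis reads the name RVA at data + 12). */
#define EXPORT_DIR_SIZE 40u
#define EXPORT_NAME_OFF 12u

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Unchecked variant: mirrors the quoted pattern. The pointer is computed
   purely from the file-controlled RVA; a bogus RVA gives a wild pointer
   that fprintf("%s") would then read from. Never dereference this result. */
const unsigned char *export_name_unchecked(const unsigned char *data, uint32_t adj)
{
    uint32_t name_rva = get_le32(data + EXPORT_NAME_OFF);
    return data + name_rva - adj;
}

/* Checked variant: the RVA must lie inside [adj, adj + datasize), and the
   name must be NUL-terminated before the buffer ends. Returns NULL on any
   violation so the caller can print a diagnostic instead of the string. */
const char *export_name_checked(const unsigned char *data, size_t datasize, uint32_t adj)
{
    if (datasize < EXPORT_DIR_SIZE)           /* truncated directory */
        return NULL;
    uint32_t name_rva = get_le32(data + EXPORT_NAME_OFF);
    if (name_rva < adj)                        /* points before the section */
        return NULL;
    size_t off = name_rva - adj;               /* no underflow: name_rva >= adj */
    if (off >= datasize)                       /* points past the section */
        return NULL;
    if (memchr(data + off, '\0', datasize - off) == NULL)
        return NULL;                           /* unterminated: %s would overread */
    return (const char *)(data + off);
}

/* Constructed sample: a zeroed 40-byte export directory with the given
   Name RVA, followed immediately by the DLL name string. Returns the
   section length, or 0 if the buffer is too small. */
size_t build_export_section(unsigned char *buf, size_t cap,
                            uint32_t name_rva, const char *name)
{
    size_t namelen = strlen(name) + 1;
    if (cap < EXPORT_DIR_SIZE + namelen)
        return 0;
    memset(buf, 0, EXPORT_DIR_SIZE);
    put_le32(buf + EXPORT_NAME_OFF, name_rva);
    memcpy(buf + EXPORT_DIR_SIZE, name, namelen);
    return EXPORT_DIR_SIZE + namelen;
}

int main(void)
{
    unsigned char buf[128];
    size_t n;
    const char *name;

    /* Well-formed: the name RVA points at offset 40 of this section. */
    n = build_export_section(buf, sizeof buf, SECTION_RVA + EXPORT_DIR_SIZE, "GOOD.DLL");
    name = export_name_checked(buf, n, SECTION_RVA);
    printf("well-formed: %s\n", name ? name : "(rejected)");

    /* Bogus RVA as in the crasher: the unchecked pointer is far outside
       the buffer; the checked lookup rejects it. */
    n = build_export_section(buf, sizeof buf, 0xFFFFFFF0u, "BOGUS.DLL");
    printf("bogus unchecked pointer offset: %td bytes from buffer\n",
           export_name_unchecked(buf, SECTION_RVA) - buf);
    name = export_name_checked(buf, n, SECTION_RVA);
    printf("bogus checked: %s\n", name ? name : "(rejected)");
    return 0;
}
```

The three checks cover the three ways the quoted line can go wrong: an RVA below the section start (pointer underflow), an RVA past the section end (the off-charts value seen in the crasher), and an in-range RVA whose string runs off the end of the buffer, which `%s` would still overread.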