oss-security - Re: Re: strings / libbfd crasher

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 28 Oct 2014 16:07:17 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: Re: strings / libbfd crasher

On 2014-10-27 04:35, Michal Zalewski wrote:
>> I don't know whether it's the same crash or not but I've dug results of my
>> older experiments with zzuf. Attached are two crasher for `objdump -x` --
>> one pe and one elf. elf also crashes `strings`. Sorry, not researched.
>
> objdump-elf-crasher looks like a stack exhaustion with
> /usr/bin/strings, so probably not a big deal.
>
> objdump-pe-crasher doesn't affect strings, but if you do run objdump
> -x, it looks like an attempt to do fprintf() with a bogus pointer,
> called from pe_print_edata(). Specifically, there's a line that goes
> like this:
>
>    fprintf (file,
>             " %s\n", data + edt.name - adj);
>
> ...and edt.name, looks like, comes from:
>
>    edt.name           = bfd_get_32 (abfd, data + 12);
>
> ...and the value is completely off-charts. So, probably another
> instance of essentially no range checking, although this particular
> crash may be not exploitable at a very quick glance, unless something
> interesting happened beforehand.

Michal, thanks for the analysis! And thanks, Hanno, for uploading them 
to binutils bugtracker.

-- 
Alexander Cherepanov

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.