Date: Tue, 11 Nov 2014 16:47:09 +0000
From: Nicholas Clifton <nickc@...hat.com>
To: Alexander Cherepanov <cherepan@...me.ru>, oss-security@...ts.openwall.com
CC: binutils@...rceware.org
Subject: Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)

Hi Guys,

>>> I was just curious how well
>>> this works for real world tasks like objdump crashes.
>>
>> Back to real world deduping. IMHO it's not ideal but works quite well,
>
> Ah, I forgot to add that to really know the quality of the results of
> this approach we have to ask Nick Clifton which actually worked with the
> resulted crashers.

Many of the problems uncovered by Alexander and Hanno stem from the fact that the BFD library was never written with security in mind. It was intended to be portable and functional, but handling corrupt files was never a priority. Of course that is no excuse and so that is why I am trying to make up for lost time and fix these problems as fast as they are reported.

Another problem is that the file formats themselves (PE, COFF, ELF, etc) are designed with efficiency in mind, rather than security. So a lot of extra work needs to be done when decoding them in order to make sure that out of bounds reads and writes do not occur.

My gut feeling at the moment is that readelf is probably pretty good now. It has a lot of range checking in place and it should be fairly robust. If you are looking for places to check though I would look at dynamic symbol tables and unwind tables for various different architectures.

The BFD library is probably less robust than readelf. Especially when it comes to non-ELF file formats. Resource sections for PE files for example could be a fertile area to explore. Oh, and archives (or libraries if you prefer), probably need to be tested as well.

Cheers
Nick
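An added example, not from Nick's mail and not binutils code, of the kind of range check the paragraph on file formats calls for: before a reader walks an ELF64 section header table it must verify, with overflow-safe arithmetic, that the whole table lies inside the bytes it actually holds. The checker, its error codes and the constructed sample-header builder are assumptions of this example; it handles only little-endian ELF64 and rejects anything else.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF64 header field offsets (from the ELF specification). */
#define ELF64_EHSIZE     64
#define E_SHOFF_OFF      0x28  /* uint64_t e_shoff     */
#define E_SHENTSIZE_OFF  0x3A  /* uint16_t e_shentsize */
#define E_SHNUM_OFF      0x3C  /* uint16_t e_shnum     */
#define SHDR64_SIZE      64

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns 0 if the section header table lies entirely inside buf[0..len),
   otherwise a negative code naming the first failed check. */
int elf64_check_shdr_table(const uint8_t *buf, size_t len)
{
    if (len < ELF64_EHSIZE) return -1;                 /* file shorter than the header */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return -2;  /* bad magic */
    if (buf[4] != 2 || buf[5] != 1) return -3;         /* not ELF64 little-endian */
    uint64_t shoff = rd64(buf + E_SHOFF_OFF);
    uint16_t shentsize = rd16(buf + E_SHENTSIZE_OFF);
    uint16_t shnum = rd16(buf + E_SHNUM_OFF);
    if (shnum == 0) return 0;                          /* no table to read */
    if (shentsize < SHDR64_SIZE) return -4;            /* entries too small to be real */
    uint64_t table = (uint64_t)shnum * shentsize;      /* <= 65535*65535, cannot overflow */
    /* Subtract instead of adding so a huge e_shoff cannot wrap shoff + table. */
    if (shoff > len || table > len - shoff) return -5;
    return 0;
}

/* Constructed sample: a minimal little-endian ELF64 header with the given
   section table fields (not a valid executable; everything else is zero). */
void make_sample_elf64(uint8_t *buf, size_t len, uint64_t shoff, uint16_t shentsize, uint16_t shnum)
{
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    for (int i = 0; i < 8; i++) buf[E_SHOFF_OFF + i] = (uint8_t)(shoff >> (8 * i));
    buf[E_SHENTSIZE_OFF] = shentsize & 0xff; buf[E_SHENTSIZE_OFF + 1] = shentsize >> 8;
    buf[E_SHNUM_OFF] = shnum & 0xff;         buf[E_SHNUM_OFF + 1] = shnum >> 8;
}
```

With a 256-byte buffer, e_shoff=64 and three 64-byte entries fit exactly (verdict 0), a fourth entry or an e_shoff near UINT64_MAX is rejected with -5, and a file cut at 40 bytes with -1.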