Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALx_OUA6+kRBCB+JMjzogVvoABqhtpFX4RZkQT5=HbT8WmxDeg@mail.gmail.com>
Date: Sun, 26 Oct 2014 18:35:59 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: strings / libbfd crasher

> I don't know whether it's the same crash or not but I've dug results of my
> older experiments with zzuf. Attached are two crasher for `objdump -x` --
> one pe and one elf. elf also crashes `strings`. Sorry, not researched.

objdump-elf-crasher looks like a stack exhaustion with
/usr/bin/strings, so probably not a big deal.

objdump-pe-crasher doesn't affect strings, but if you do run objdump
-x, it looks like an attempt to do fprintf() with a bogus pointer,
called from pe_print_edata(). Specifically, there's a line that goes
like this:

  fprintf (file,
           " %s\n", data + edt.name - adj);

...and edt.name, looks like, comes from:

  edt.name           = bfd_get_32 (abfd, data + 12);

...and the value is completely off-charts. So, probably another
instance of essentially no range checking, although this particular
crash may be not exploitable at a very quick glance, unless something
interesting happened beforehand.

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.