Date: Sun, 26 Oct 2014 18:35:59 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: Re: strings / libbfd crasher > I don't know whether it's the same crash or not but I've dug results of my > older experiments with zzuf. Attached are two crasher for `objdump -x` -- > one pe and one elf. elf also crashes `strings`. Sorry, not researched. objdump-elf-crasher looks like a stack exhaustion with /usr/bin/strings, so probably not a big deal. objdump-pe-crasher doesn't affect strings, but if you do run objdump -x, it looks like an attempt to do fprintf() with a bogus pointer, called from pe_print_edata(). Specifically, there's a line that goes like this: fprintf (file, " %s\n", data + edt.name - adj); ...and edt.name, looks like, comes from: edt.name = bfd_get_32 (abfd, data + 12); ...and the value is completely off-charts. So, probably another instance of essentially no range checking, although this particular crash may be not exploitable at a very quick glance, unless something interesting happened beforehand. /mz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.