oss-sec mailing list archives

Re: Re: strings / libbfd crasher


From: Alexander Cherepanov <cherepan () mccme ru>
Date: Tue, 28 Oct 2014 16:07:17 +0300

On 2014-10-27 04:35, Michal Zalewski wrote:
>> I don't know whether it's the same crash or not but I've dug results of my
>> older experiments with zzuf. Attached are two crashers for `objdump -x` --
>> one PE and one ELF. ELF also crashes `strings`. Sorry, not researched.
>
> objdump-elf-crasher looks like a stack exhaustion with
> /usr/bin/strings, so probably not a big deal.
>
> objdump-pe-crasher doesn't affect strings, but if you do run objdump
> -x, it looks like an attempt to do fprintf() with a bogus pointer,
> called from pe_print_edata(). Specifically, there's a line that goes
> like this:
>
>    fprintf (file,
>             " %s\n", data + edt.name - adj);
>
> ...and edt.name, looks like, comes from:
>
>    edt.name           = bfd_get_32 (abfd, data + 12);
>
> ...and the value is completely off-charts. So, probably another
> instance of essentially no range checking, although this particular
> crash may be not exploitable at a very quick glance, unless something
> interesting happened beforehand.

Michal, thanks for the analysis! And thanks, Hanno, for uploading them to the binutils bug tracker.

--
Alexander Cherepanov
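An added example, not code from this thread or from binutils: the name lookup Michal describes (edt.name read from offset 12, then data + edt.name - adj), written with the range checks the original lacks and run against a constructed export directory. The function names export_name_checked, print_edata_name and build_sample, the section base RVA 0x1000 and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 32-bit read, standing in for bfd_get_32(). */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Resolve edt.name to a string inside the section buffer [data, data+len).
 * adj is the section's base RVA, as in the original data + edt.name - adj.
 * Returns NULL unless the whole NUL-terminated string lies inside the
 * buffer, so printing the result with "%s" cannot read out of bounds. */
const char *export_name_checked(const unsigned char *data, size_t len,
                                uint32_t name_rva, uint32_t adj)
{
    if (name_rva < adj)                  /* would point before the section */
        return NULL;
    size_t off = (size_t)(name_rva - adj);
    if (off >= len)                      /* beyond the section: the "off-charts" case */
        return NULL;
    if (memchr(data + off, '\0', len - off) == NULL)
        return NULL;                     /* unterminated: %s would overread */
    return (const char *)data + off;
}

/* Replay of the pe_print_edata() step: read edt.name from offset 12 of
 * the 40-byte export directory table, then resolve it with range checks. */
const char *print_edata_name(const unsigned char *data, size_t len, uint32_t adj)
{
    if (len < 40)
        return NULL;
    return export_name_checked(data, len, get_le32(data + 12), adj);
}

/* Constructed sample (hypothetical): a zeroed export directory whose name
 * field is name_rva, followed by "GOOD.DLL". buf must hold 49 bytes.
 * Returns the sample's length. */
size_t build_sample(unsigned char *buf, uint32_t name_rva)
{
    memset(buf, 0, 40);
    for (int i = 0; i < 4; i++)
        buf[12 + i] = (unsigned char)(name_rva >> (8 * i));
    memcpy(buf + 40, "GOOD.DLL", 9);
    return 49;
}
```

With the section assumed at RVA 0x1000, a name RVA of 0x1028 resolves to "GOOD.DLL", while a value such as 0xdeadbeef is rejected instead of being handed to fprintf().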
