oss-sec mailing list archives
Re: Re: strings / libbfd crasher
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Wed, 05 Nov 2014 05:42:16 +0300
On 2014-11-03 01:43, Alexander Cherepanov wrote:
https://sourceware.org/bugzilla/show_bug.cgi?id=17533 $ printf '!<arch>\n//%48d%8s`\n' -2 '' > test.a $ objdump -x test.a Segmentation fault At least 2.22, 2.24 and head are affected. ar, size, strip etc. are also affected. valgrind on head shows: ==14181== Invalid write of size 8 ==14181== at 0x4C2E467: memset (vg_replace_strmem.c:1094) ==14181== by 0x448AD2: bfd_zalloc (opncls.c:1011) ==14181== by 0x43F08A: _bfd_slurp_extended_name_table (archive.c:1298) ==14181== by 0x43E89B: bfd_generic_archive_p (archive.c:831) ==14181== by 0x4466A6: bfd_check_format_matches (format.c:305) ==14181== by 0x407DCD: display_any_bfd (objdump.c:3356) ==14181== by 0x409F52: display_file (objdump.c:3410) ==14181== by 0x4048F9: main (objdump.c:3692) ==14181== Address 0x55fb9a0 is 0 bytes after a block of size 4,064 alloc'd ==14181== at 0x4C27C20: malloc (vg_replace_malloc.c:296) ==14181== by 0x4D51DC: objalloc_create (objalloc.c:95) ==14181== by 0x448177: _bfd_new_bfd (opncls.c:73) ==14181== by 0x448307: bfd_fopen (opncls.c:197) ==14181== by 0x409F40: display_file (objdump.c:3403) ==14181== by 0x4048F9: main (objdump.c:3692) This is "Invalid write", hence potentially exploitable? Is further analysis required before deciding if this is a security issue? Or, more strictly, is further analysis required before deciding if this issue is CVE worthy?
This is fixed now: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f -- Alexander Cherepanov
Current thread:
- Re: Re: strings / libbfd crasher, (continued)
- Re: Re: strings / libbfd crasher Michal Zalewski (Nov 11)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 15)
- Re: Re: strings / libbfd crasher Michal Zalewski (Nov 15)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 15)
- Re: Re: strings / libbfd crasher mancha (Nov 03)
- Re: Re: strings / libbfd crasher Michal Zalewski (Nov 03)
- Re: Re: strings / libbfd crasher mancha (Nov 03)
- Re: strings / libbfd crasher cve-assign (Nov 04)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
- Re: Re: strings / libbfd crasher mancha (Nov 05)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
- Re: strings / libbfd crasher cve-assign (Nov 12)
- Re: Re: strings / libbfd crasher Michal Zalewski (Oct 26)
- Re: Re: strings / libbfd crasher Michal Zalewski (Oct 27)
- Re: Re: strings / libbfd crasher Jakub Wilk (Oct 27)