oss-sec mailing list archives
Re: strings / libbfd crasher
From: mancha <mancha1 () zoho com>
Date: Thu, 23 Oct 2014 18:55:17 +0000
On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote:
> http://lcamtuf.coredump.cx/stringme
>
> The immediate cause is due to srec_scan() in srec.c decreasing 'bytes' without range checking until it wraps around. The already-bad value of 'bytes' is assigned to 'sec->size' a few lines before the crash, so perhaps there would be potential for exploitability later down the line; but the code ends up crashing soon thereafter in a 'while (bytes > 0)' loop that has no other exit conditions. That loop would need to go over the entire address space without SEGV to avoid the crash.
I'm no leporidae but I agree srec_scan needs TLC.

Fun-with-NULL: http://sf.net/projects/mancha/files/rnd/stringmetoo

--mancha
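The unsigned wrap-around that Zalewski describes, shown as an added example that is not binutils' srec.c and not code from either poster. It parses the byte-count field of an S-record header the way a naive reader would (subtracting the address-field width and the checksum byte without checking that the count is large enough) next to a version that rejects an undersized count before any subtraction happens. The function names (srec_payload_unchecked, srec_payload_checked), the helper srec_address_bytes and the two sample records are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed S-records (hex text, no trailing newline).
   GOOD_RECORD: S3, count 0x09 = 4 address bytes + 4 data bytes + 1 checksum.
   BAD_RECORD:  S3, count 0x02, which cannot even hold the 4-byte address. */
static const char GOOD_RECORD[] = "S30900001000DEADBEEFAE";
static const char BAD_RECORD[]  = "S302000010";

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Two hex digits -> 0..255, or -1 if either digit is invalid. */
static int hex_byte(const char *p)
{
    int hi = hex_nibble(p[0]), lo = hex_nibble(p[1]);
    if (hi < 0 || lo < 0) return -1;
    return (hi << 4) | lo;
}

/* Hypothetical helper: address-field width for S1/S2/S3 data records,
   0 for anything that is not a data record. */
static unsigned int srec_address_bytes(char type)
{
    switch (type) {
    case '1': return 2;
    case '2': return 3;
    case '3': return 4;
    default:  return 0;
    }
}

/* The unchecked pattern: subtract address width and checksum byte from the
   count with no range check. For an undersized count the unsigned value wraps
   to roughly 4 billion, and a later 'while (bytes > 0)' consumer loop would
   march through the whole address space. */
unsigned int srec_payload_unchecked(const char *rec)
{
    unsigned int bytes = (unsigned int) hex_byte(rec + 2);
    bytes -= srec_address_bytes(rec[1]);
    bytes -= 1;                      /* checksum byte */
    return bytes;
}

/* The range-checked version: refuse the record unless the count covers at
   least the address field plus the checksum, and unless the line actually
   carries that many hex digits. Returns the data-byte count, or -1 to reject. */
long srec_payload_checked(const char *rec)
{
    if (rec[0] != 'S')
        return -1;
    unsigned int addr = srec_address_bytes(rec[1]);
    if (addr == 0)
        return -1;                   /* not a data record */
    int cnt = hex_byte(rec + 2);
    if (cnt < 0)
        return -1;                   /* malformed count field */
    unsigned int min = addr + 1;     /* address bytes + checksum byte */
    if ((unsigned int) cnt < min)
        return -1;                   /* count too small: would underflow */
    size_t need = 4 + 2 * (size_t) cnt;   /* 'S', type, count, then cnt bytes */
    if (strlen(rec) < need)
        return -1;                   /* count claims more bytes than present */
    return (long) cnt - (long) min;
}

int main(void)
{
    printf("good record: unchecked=%u checked=%ld\n",
           srec_payload_unchecked(GOOD_RECORD), srec_payload_checked(GOOD_RECORD));
    printf("bad record:  unchecked=%u checked=%ld\n",
           srec_payload_unchecked(BAD_RECORD), srec_payload_checked(BAD_RECORD));
    return 0;
}
```

On the well-formed record both paths agree on four data bytes; on the undersized record the unchecked path yields 0xFFFFFFFD while the checked path rejects the line before any length is ever used as a loop bound or stored into a section size.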