oss-sec mailing list archives
Re: strings / libbfd crasher
From: mancha <mancha1 () zoho com>
Date: Fri, 24 Oct 2014 11:30:50 +0000
On Thu, Oct 23, 2014 at 06:55:17PM +0000, mancha wrote:
On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote:http://lcamtuf.coredump.cx/stringmeThe immediate cause is due to srec_scan() in srec.c decreasing 'bytes' without range checking until it wraps around. The already-bad value of 'bytes' is assigned to 'sec->size' few lines before the crash, so perhaps there would be potential for exploitability later down the line; but the code ends up crashing soon thereafter in a 'while (bytes0)' loop that has no other exit conditions. That loop would need togo over the entire address space without SEGV to avoid the crash.I'm no leporidae but I agree srec_scan needs tlc. Fun-with-NULL: http://sf.net/projects/mancha/files/rnd/stringmetoo --mancha
To clarify... While my sample input to strings (or objdump, etc.) also gets bytes to wraparound, the nature of the crash is different that that of Michal's sample. My input triggers a NULL pointer dereference and further demonstrates the need to tighten up the codebase.
Attachment:
_bin
Description:
Current thread:
- strings / libbfd crasher Hanno Böck (Oct 23)
- Re: strings / libbfd crasher Michal Zalewski (Oct 23)
- Re: strings / libbfd crasher Dave Rutherford (Oct 23)
- Re: strings / libbfd crasher mancha (Oct 23)
- Re: strings / libbfd crasher mancha (Oct 24)
- Re: strings / libbfd crasher Hanno Böck (Oct 24)
- Re: strings / libbfd crasher Michal Zalewski (Oct 24)
- Re: strings / libbfd crasher Michal Zalewski (Oct 24)
- Re: strings / libbfd crasher Hanno Böck (Oct 24)
- Re: strings / libbfd crasher Michal Zalewski (Oct 24)
- Re: strings / libbfd crasher Tavis Ormandy (Oct 24)
- Re: strings / libbfd crasher mancha (Oct 24)
- Re: strings / libbfd crasher Michal Zalewski (Oct 23)
- Re: Re: strings / libbfd crasher Hanno Böck (Oct 26)
- Re: strings / libbfd crasher cve-assign (Oct 30)