oss-sec mailing list archives
Re: Re: strings / libbfd crasher
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 26 Oct 2014 18:35:59 -0700
I don't know whether it's the same crash or not but I've dug results of my older experiments with zzuf. Attached are two crasher for `objdump -x` -- one pe and one elf. elf also crashes `strings`. Sorry, not researched.
objdump-elf-crasher looks like a stack exhaustion with /usr/bin/strings, so probably not a big deal. objdump-pe-crasher doesn't affect strings, but if you do run objdump -x, it looks like an attempt to do fprintf() with a bogus pointer, called from pe_print_edata(). Specifically, there's a line that goes like this: fprintf (file, " %s\n", data + edt.name - adj); ...and edt.name, looks like, comes from: edt.name = bfd_get_32 (abfd, data + 12); ...and the value is completely off-charts. So, probably another instance of essentially no range checking, although this particular crash may be not exploitable at a very quick glance, unless something interesting happened beforehand. /mz
Current thread:
- Re: Re: strings / libbfd crasher, (continued)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 15)
- Re: Re: strings / libbfd crasher mancha (Nov 03)
- Re: Re: strings / libbfd crasher Michal Zalewski (Nov 03)
- Re: Re: strings / libbfd crasher mancha (Nov 03)
- Re: strings / libbfd crasher cve-assign (Nov 04)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
- Re: Re: strings / libbfd crasher mancha (Nov 05)
- Re: Re: strings / libbfd crasher Alexander Cherepanov (Nov 04)
- Re: strings / libbfd crasher cve-assign (Nov 12)
- Re: Re: strings / libbfd crasher Michal Zalewski (Oct 26)
- Re: Re: strings / libbfd crasher Michal Zalewski (Oct 27)
- Re: Re: strings / libbfd crasher Jakub Wilk (Oct 27)