
oss-sec mailing list archives
Re: strings / libbfd crasher
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 23 Oct 2014 08:24:00 -0700
http://lcamtuf.coredump.cx/stringme
The immediate cause is due to srec_scan() in srec.c decreasing 'bytes' without range checking until it wraps around. The already-bad value of 'bytes' is assigned to 'sec->size' a few lines before the crash, so perhaps there would be potential for exploitability later down the line; but the code ends up crashing soon thereafter in a 'while (bytes > 0)' loop that has no other exit conditions. That loop would need to go over the entire address space without SEGV to avoid the crash. /mz
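Added example (not binutils code and not from the post): a hypothetical, simplified model of the count arithmetic described above. In an S-record the count byte covers the address, data and checksum that follow it; a scanner that subtracts the address width and checksum from that count with an unsigned variable wraps on a short count. The checked parser below rejects such records before subtracting; the S-record line is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed S1 record: count 0x13 = 19 bytes follow the count field
   (2 address + 16 data + 1 checksum). Checksum is not validated here. */
static const char SAMPLE_RECORD[] =
    "S11300004142434445464748494A4B4C4D4E4F5064";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse the type digit and count byte of an S1/S2/S3 line.
   S1 carries a 2-byte address, S2 a 3-byte one, S3 a 4-byte one. */
static bool srec_parse_header(const char *line, size_t *addr_bytes,
                              unsigned *count)
{
    if (line[0] != 'S' || line[1] < '1' || line[1] > '3') return false;
    *addr_bytes = (size_t)(line[1] - '0') + 1;
    int hi = hexval(line[2]);
    if (hi < 0) return false;
    int lo = hexval(line[3]);
    if (lo < 0) return false;
    *count = (unsigned)((hi << 4) | lo);
    return true;
}

/* Unchecked form, mirroring the defect the post describes: with a count
   smaller than address width + checksum, 'bytes' wraps to a huge value. */
static size_t srec_data_len_unchecked(unsigned count, size_t addr_bytes)
{
    size_t bytes = count;
    bytes -= addr_bytes;   /* no range check before subtracting */
    bytes -= 1;            /* checksum byte */
    return bytes;          /* e.g. count 1, addr 4 -> SIZE_MAX - 3 */
}

/* Checked form: verify the count covers the fixed fields before any
   subtraction, so a malformed record is rejected instead of wrapping. */
static bool srec_data_len(const char *line, size_t *data_bytes)
{
    size_t addr_bytes;
    unsigned count;
    if (!srec_parse_header(line, &addr_bytes, &count)) return false;
    if (count < addr_bytes + 1) return false;   /* the missing range check */
    *data_bytes = count - addr_bytes - 1;
    return true;
}
```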