[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/17509] New: Segfault / out of bounds access in strings
|
From: |
hanno at hboeck dot de |
|
Subject: |
[Bug binutils/17509] New: Segfault / out of bounds access in strings |
|
Date: |
Fri, 24 Oct 2014 11:41:24 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=17509
Bug ID: 17509
Summary: Segfault / out of bounds access in strings
Product: binutils
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hanno at hboeck dot de
Created attachment 7844
--> https://sourceware.org/bugzilla/attachment.cgi?id=7844&action=edit
strings crasher 1
Attached are two samples that cause the strings tool to segfault. The first one
has been found by Michal Zalewski and postet on twitter:
https://twitter.com/lcamtuf/status/524214698237898753
Here's how he described the issue on oss-security:
"The immediate cause is due to srec_scan() in srec.c decreasing 'bytes'
without range checking until it wraps around. The already-bad value of
'bytes' is assigned to 'sec->size' few lines before the crash, so
perhaps there would be potential for exploitability later down the
line; but the code ends up crashing soon thereafter in a 'while (bytes
> 0)' loop that has no other exit conditions. That loop would need to
go over the entire address space without SEGV to avoid the crash."
In reply to that someone else postet another crasher to oss-security that seems
to expose a different code path.
Here's the corresponding thread:
http://seclists.org/oss-sec/2014/q4/424
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/17509] New: Segfault / out of bounds access in strings,
hanno at hboeck dot de <=