oss-sec mailing list archives

strings / libbfd crasher

From: Hanno Böck <hanno () hboeck de>
Date: Thu, 23 Oct 2014 12:12:32 +0200

Hi,

I'm forwarding this here so it doesn't get lost:
https://twitter.com/lcamtuf/status/524213424373243905
https://twitter.com/lcamtuf/status/524214698237898753
http://lcamtuf.coredump.cx/stringme

Short: Michal Zalewski (who is also on this list and probably can give
us some more info) fuzzed a sample that crashes the strings command,
due to a bug in libbfd.
(by the way: nice catch, always interesting to see potential vulns in
places you don't expect them.)

strings/libbfd belong to binutils.
I haven't seen a corresponding commit, their latest release is a bit
old.

I think it deserves a CVE and further analysis. Seems to be "only" an
out of bounds read.

Some valgrind output that gives an idea whats going on:


==6858== Memcheck, a memory error detector
==6858== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==6858== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==6858== Command: strings stringme
==6858== 
==6858== Invalid read of size 1
==6858==    at 0x4E8708F: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858==  Address 0x590beb6 is 0 bytes after a block of size 6 alloc'd
==6858==    at 0x4C28F60: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6858==    by 0x4E7C92D: bfd_malloc (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E86CEA: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858== 
==6858== Invalid read of size 1
==6858==    at 0x4E8709E: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858==  Address 0x590beb7 is 1 bytes after a block of size 6 alloc'd
==6858==    at 0x4C28F60: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6858==    by 0x4E7C92D: bfd_malloc (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E86CEA: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858== 
==6858== Invalid read of size 1
==6858==    at 0x4E87200: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858==  Address 0x590beb8 is 2 bytes after a block of size 6 alloc'd
==6858==    at 0x4C28F60: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6858==    by 0x4E7C92D: bfd_malloc (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E86CEA: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858== 
==6858== Invalid read of size 1
==6858==    at 0x4E87207: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858==  Address 0x590beb9 is 3 bytes after a block of size 6 alloc'd
==6858==    at 0x4C28F60: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6858==    by 0x4E7C92D: bfd_malloc (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E86CEA: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858== 
==6858== 
==6858== Process terminating with default action of signal 11 (SIGSEGV)
==6858==  Access not within mapped region at address 0x60B4000
==6858==    at 0x4E87200: srec_scan (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E87529: srec_object_p (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x4E7C00C: bfd_check_format_matches (in /usr/lib64/binutils/x86_64-pc-linux-gnu/2.24/libbfd-2.24.so)
==6858==    by 0x401F45: main (in /usr/x86_64-pc-linux-gnu/binutils-bin/2.24/strings)
==6858==  If you believe this happened as a result of a stack
==6858==  overflow in your program's main thread (unlikely but
==6858==  possible), you can try to increase the size of the
==6858==  main thread stack using the --main-stacksize= flag.
==6858==  The main thread stack size used in this run was 8388608.
==6858== 
==6858== HEAP SUMMARY:
==6858==     in use at exit: 9,046 bytes in 7 blocks
==6858==   total heap usage: 41 allocs, 34 frees, 13,216 bytes allocated
==6858== 
==6858== LEAK SUMMARY:
==6858==    definitely lost: 0 bytes in 0 blocks
==6858==    indirectly lost: 0 bytes in 0 blocks
==6858==      possibly lost: 0 bytes in 0 blocks
==6858==    still reachable: 9,046 bytes in 7 blocks
==6858==         suppressed: 0 bytes in 0 blocks
==6858== Rerun with --leak-check=full to see details of leaked memory
==6858== 
==6858== For counts of detected and suppressed errors, rerun with: -v
==6858== ERROR SUMMARY: 4178251 errors from 4 contexts (suppressed: 0
from 0)


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description:

Current thread:

strings / libbfd crasher Hanno Böck (Oct 23)
- Re: strings / libbfd crasher Michal Zalewski (Oct 23)
  - Re: strings / libbfd crasher Dave Rutherford (Oct 23)
  - Re: strings / libbfd crasher mancha (Oct 23)
    - Re: strings / libbfd crasher mancha (Oct 24)
    - Re: strings / libbfd crasher Hanno Böck (Oct 24)
    - Re: strings / libbfd crasher Michal Zalewski (Oct 24)
    - Re: strings / libbfd crasher Michal Zalewski (Oct 24)
    - Re: strings / libbfd crasher Hanno Böck (Oct 24)
    - Re: strings / libbfd crasher Michal Zalewski (Oct 24)
    - Re: strings / libbfd crasher Tavis Ormandy (Oct 24)

(Thread continues...)