[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-28 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #10 from cvs-commit at gcc dot gnu.org  ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, binutils-2_25-branch has been updated
   via  b2f93c5011cab00f31669363577b938697752e43 (commit)
  from  a809b386e59dfcb3f4dedd8465975dabc55db5db (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b2f93c5011cab00f31669363577b938697752e43

commit b2f93c5011cab00f31669363577b938697752e43
Author: Nick Clifton 
Date:   Tue Oct 28 10:50:17 2014 +

Import patches from the master branch which prevent seg-faults when parsing
corrupt binaries.

2014-10-28  Andreas Schwab  
Nick Clifton  
PR binutils/17510
* srec.c (srec_bad_byte): Increase size of buf to allow for
negative values.
(srec_scan): Use an unsigned char buffer to hold header bytes.

2014-10-27  Nick Clifton  
PR binutils/17512
* elf.c (bfd_section_from_shdr): Detect and warn about ELF
binaries with a group of sections linked by the string table
indices.
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
with an invalid value for NumberOfRvaAndSizes.
(pe_print_edata): Detect out of range rvas and entry counts for
the Export Address table, Name Pointer table and Ordinal table.

PR binutils/17510
* elf.c (setup_group): Improve handling of corrupt group
sections.

---

Summary of changes:
 bfd/ChangeLog  |   25 ++
 bfd/elf.c  |  226 +++-
 bfd/peXXigen.c |   29 +++-
 bfd/srec.c |4 +-
 4 files changed, 212 insertions(+), 72 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-28 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #9 from cvs-commit at gcc dot gnu.org  ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
   via  708d7d0d11f0f2d776171979aa3479e8e12a38a0 (commit)
  from  6fb9c0f83252a79b2f1a3f8e75fa117ca7a4d589 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=708d7d0d11f0f2d776171979aa3479e8e12a38a0

commit 708d7d0d11f0f2d776171979aa3479e8e12a38a0
Author: Nick Clifton 
Date:   Tue Oct 28 10:48:14 2014 +

This patch fixes a flaw in the SREC parser which could cause a stack overflow
and potential security breach.

PR binutils/17510
* srec.c (srec_bad_byte): Increase size of buf to allow for
negative values.
(srec_scan): Use an unsigned char buffer to hold header bytes.

---

Summary of changes:
 bfd/ChangeLog  |8 
 bfd/elf.c  |2 +-
 bfd/peXXigen.c |1 -
 bfd/srec.c |4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread sch...@linux-m68k.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #8 from Andreas Schwab  ---
This should fix it:

diff --git a/bfd/srec.c b/bfd/srec.c
index 9ed2080..0c473b2 100644
--- a/bfd/srec.c
+++ b/bfd/srec.c
@@ -452,7 +452,7 @@ srec_scan (bfd *abfd)
 case 'S':
   {
 file_ptr pos;
-char hdr[3];
+unsigned char hdr[3];
 unsigned int bytes, min_bytes;
 bfd_vma address;
 bfd_byte *data;
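
Review bot: the formatter flagged in comment #7 is still unbounded after this one-line change to the `hdr` declaration in `srec_scan`. `char buf[10]` filled by `sprintf (buf, "\\%03o", (unsigned int) c)` stays safe only as long as every caller passes a value in the range 0..255. I would pair this with a larger `buf` (or mask `c` to its low 8 bits before formatting) so the sink is safe on its own, and add a short comment on `hdr` saying why it must be unsigned. The uses of `hdr` lie outside the context shown in this hunk, so any casts or comparisons applied to it later in the `case 'S':` block should be rechecked against the new type.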



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread lcamtuf at coredump dot cx
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #7 from Michal Zalewski  ---
Do you want me to file separate bugs for each?

For example, I have this in srec.c:

  char buf[10];
...
sprintf (buf, "\\%03o", (unsigned int) c);

But with this test case, c will be -44, or "\177724", which
sounds a lot longer than 9 characters.

http://lcamtuf.coredump.cx/strings-stack-overflow

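
The sizing problem raised in comment #7 and the two remedies named in the ChangeLog (an unsigned header buffer, a buffer large enough for negative values), as an added example that is not code from binutils or from this thread: it measures how many bytes the `"\\%03o"` format needs for a byte read as signed versus unsigned, then formats with a masked, bounded call. The helper names and the sample byte are hypothetical, and the byte counts in the comments assume a 32-bit `unsigned int`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Worst case for "\\%03o" on any unsigned int: backslash, every octal
   digit, terminating NUL (13 bytes when unsigned int is 32 bits). */
#define OCTAL_ESCAPE_MAX (1 + (sizeof(unsigned int) * CHAR_BIT + 2) / 3 + 1)

/* A header byte read through a signed char buffer versus an unsigned one. */
static int as_signed_char(unsigned char raw) { return (signed char) raw; }
static int as_unsigned_char(unsigned char raw) { return raw; }

/* Bytes (including NUL) that the format from comment #7 needs for c.
   snprintf with a NULL buffer and size 0 only measures, it writes nothing. */
static int octal_escape_size(int c)
{
    return snprintf(NULL, 0, "\\%03o", (unsigned int) c) + 1;
}

/* Hypothetical hardened formatter: keep only the low 8 bits and let
   snprintf enforce the bound. Returns 0 on success, -1 if out is too small. */
static int format_bad_byte(char *out, size_t outsz, int c)
{
    int n = snprintf(out, outsz, "\\%03o", (unsigned int) c & 0xffu);
    return (n < 0 || (size_t) n >= outsz) ? -1 : 0;
}

int main(void)
{
    unsigned char raw = 0xD4;           /* constructed sample byte */
    char out[10];                       /* same size as buf in comment #7 */

    printf("signed read:   c=%d needs %d bytes\n",
           as_signed_char(raw), octal_escape_size(as_signed_char(raw)));
    printf("unsigned read: c=%d needs %d bytes\n",
           as_unsigned_char(raw), octal_escape_size(as_unsigned_char(raw)));
    printf("worst case for any int: %zu bytes\n", (size_t) OCTAL_ESCAPE_MAX);

    if (format_bad_byte(out, sizeof out, as_signed_char(raw)) == 0)
        printf("masked and bounded: %s\n", out);
    return 0;
}
```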


[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #6 from Nick Clifton  ---
oops - sorry, I meant "Michal" not "Markus".  Sorry Michal.



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

Nick Clifton  changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Nick Clifton  ---
Hi Markus,

  I have applied a patch (also uploaded to this PR) to fix this problem. 
Please let me know if you find any more examples of corrupt binaries that can
trigger this sort of problem.

Cheers
  Nick



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

Nick Clifton  changed:

           What    |Removed                     |Added
                 CC|                            |nickc at redhat dot com

--- Comment #4 from Nick Clifton  ---
Created attachment 7851
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7851&action=edit
Improve handling of corrupt section groups.



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-27 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #3 from cvs-commit at gcc dot gnu.org  ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
   via  493a33860c71cac998f1a56d6d87d6faa801fbaa (commit)
  from  763905a3ad8f98d33bd9319790a8d53904554265 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=493a33860c71cac998f1a56d6d87d6faa801fbaa

commit 493a33860c71cac998f1a56d6d87d6faa801fbaa
Author: Nick Clifton 
Date:   Mon Oct 27 12:43:16 2014 +

This patch closes a potential security hole in applications that use
the bfd library to parse binaries containing maliciously corrupt section
group headers.

PR binutils/17510
* elf.c (setup_group): Improve handling of corrupt group
sections.

---

Summary of changes:
 bfd/ChangeLog |6 ++
 bfd/elf.c |   34 ++
 2 files changed, 36 insertions(+), 4 deletions(-)



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-25 Thread lcamtuf at coredump dot cx
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #2 from Michal Zalewski  ---
Created attachment 7848
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7848&action=edit
Test case #2

Note that range checking problems are somewhat endemic across the function;
here's a test case that crashes in a different location but due to the same
--n_elt / ++idx pattern. This one looks like it leads to writes to arbitrary
pointers.



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-25 Thread allan at archlinux dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

Allan McRae  changed:

           What    |Removed                     |Added
                 CC|                            |allan at archlinux dot org



[Bug binutils/17510] strings: crash when given a truncated ELF

2014-10-24 Thread vapier at gentoo dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

Mike Frysinger  changed:

           What    |Removed                               |Added
            Summary|probably exploitable crash in strings |strings: crash when given a truncated ELF
