Bug 2584 - SIGSEGV in strings tool when the file is crafted.
Summary: SIGSEGV in strings tool when the file is crafted.
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.16
Importance: P2 normal
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-18 12:59 UTC by jolmos@isecauditors.com
Modified: 2006-05-24 15:45 UTC
4 users

See Also:
Host:
Target: strings and libbfd-2.16.1.so
Build:
Last reconfirmed:


Attachments
a patch (879 bytes, patch)
2006-04-23 23:44 UTC, Kaz Kojima

Description jolmos@isecauditors.com 2006-04-18 12:59:00 UTC
This evil file cannot be scanned with strings command:

root@jolmos:/research# strings evil
Violación de segmento   

root@jolmos:/research# cat evil
%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc
root@jolmos:/research#

(gdb) r evil
Starting program: /usr/bin/strings evil
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xb7e9ecbd in bfd_hash_lookup () from /usr/lib/libbfd-2.16.1.so
(gdb)

The problem is in bfd_hash_lookup from the libbfd-2.16.1.so library, at this snippet
of code:

   1fcb1:       c1 ef 02                shr    $0x2,%edi
   1fcb4:       31 c7                   xor    %eax,%edi
   1fcb6:       89 f8                   mov    %edi,%eax
   1fcb8:       8b 4d 08                mov    0x8(%ebp),%ecx  
   1fcbb:       31 d2                   xor    %edx,%edx
   1fcbd:       f7 71 04                divl   0x4(%ecx)        <--SIGSEGV with
%253Cc%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA
   1fcc0:       01 d2                   add    %edx,%edx
   1fcc2:       01 d2                   add    %edx,%edx
   1fcc4:       89 55 e0                mov    %edx,0xffffffe0(%ebp)


With %253Cc, ecx gets the value 0x54, and it cannot access this address. It seems
it is not exploitable.

Ubuntu:
Linux jolmos 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i686 GNU/Linux

I have tested on other kernels and the result is the same.

Jesús Olmos Gonzalez
Internet Security Auditors
www.isecauditors.com
Comment 1 H.J. Lu 2006-04-18 17:54:19 UTC
Can you try the current binutils in CVS?
Comment 2 Kaz Kojima 2006-04-23 23:44:02 UTC
Created attachment 978 [details]
a patch

I can reproduce this on CVS too.
bfd/tekhex.c:getsym() doesn't check if the length character is
a valid hexadecimal character. hex_value() returns 99 for non-hexadecimal
characters and getsym uses it as the length to be read.
Then it causes a buffer overrun because getsym is called with only
17 bytes buffer.  The patch attached seems to fix the given test
case anyway, though it'd be better to add more checks.
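The failure mode Kaz describes, shown as an added illustration rather than binutils' own code: a one-character hex length is followed by that many symbol characters, read into a 17-byte buffer. The hex_value() contract (99 for a non-hex character) follows the comment above; the names unchecked_sym_length and getsym_checked, the record layout and the input strings are constructed for this example and are not the tekhex.c API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not binutils code. It mirrors the shape of
   the reported bug: a symbol field is a single hex digit giving the
   length, followed by that many characters, copied into a 17-byte
   buffer (16 characters plus the terminating NUL). */
#define SYM_BUF_SIZE 17
#define SYM_MAX_LEN  (SYM_BUF_SIZE - 1)

/* Same contract the comment attributes to bfd's hex_value(): a
   character that is not a hex digit yields 99 instead of an error. */
static unsigned int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return 99;
}

/* The length an unchecked reader would trust. For a field that starts
   with '%' (as the crafted file does) this is 99, far more than the 16
   characters the destination can hold. Nothing is copied here; the
   function only reports the value that would drive the overrun. */
unsigned int unchecked_sym_length(const char *field)
{
    return hex_value((unsigned char)field[0]);
}

/* Hardened reader (hypothetical): copies the symbol into dst and
   returns its length, or returns -1 when the length digit is not hex,
   when the declared length would not fit in dst, or when fewer input
   bytes remain than the length claims. */
int getsym_checked(const char *field, size_t avail, char dst[SYM_BUF_SIZE])
{
    if (avail < 1)
        return -1;                      /* no length digit at all */
    unsigned int len = hex_value((unsigned char)field[0]);
    if (len > SYM_MAX_LEN)
        return -1;                      /* rejects the 99 case */
    if (avail - 1 < len)
        return -1;                      /* declared length exceeds input */
    memcpy(dst, field + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char sym[SYM_BUF_SIZE];
    /* Constructed inputs: the first bytes of the reported file, and a
       well-formed field declaring five characters. */
    const char crafted[] = "%253Cc";
    const char good[] = "5hello";

    printf("unchecked length for crafted input: %u\n",
           unchecked_sym_length(crafted));
    printf("checked reader on crafted input: %d\n",
           getsym_checked(crafted, sizeof crafted - 1, sym));
    int n = getsym_checked(good, sizeof good - 1, sym);
    printf("checked reader on \"%s\": %d -> \"%s\"\n", good, n, sym);
    return 0;
}
```

The two checks in getsym_checked are independent: the first rejects a length digit that is not hex (the page's crash), the second rejects a file that ends before the declared length is satisfied, which the length digit alone cannot guarantee.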
Comment 3 Alec Berryman 2006-05-20 14:13:03 UTC
This is CVE-2006-2362.
Comment 4 H.J. Lu 2006-05-24 15:45:06 UTC
Fixed by

http://sourceware.org/ml/binutils/2006-04/msg00393.html