Bug 17509

Summary: Segfault / out of bounds access in strings
Product: binutils Reporter: Hanno Boeck <hanno>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED OBSOLETE    
Severity: normal CC: allan
Priority: P2    
Version: 2.24   
Target Milestone: ---   
URL: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1156272
https://bugs.gentoo.org/show_bug.cgi?id=526626
Host: Target:
Build: Last reconfirmed:
Attachments: strings crasher 1
strings crasher 2

Description Hanno Boeck 2014-10-24 11:41:24 UTC 
Created attachment 7844 [details]
strings crasher 1

Attached are two samples that cause the strings tool to segfault. The first one has been found by Michal Zalewski and postet on twitter:
https://twitter.com/lcamtuf/status/524214698237898753

Here's how he described the issue on oss-security:
"The immediate cause is due to srec_scan() in srec.c decreasing 'bytes'
without range checking until it wraps around. The already-bad value of
'bytes' is assigned to 'sec->size' few lines before the crash, so
perhaps there would be potential for exploitability later down the
line; but the code ends up crashing soon thereafter in a 'while (bytes
> 0)' loop that has no other exit conditions. That loop would need to  
go over the entire address space without SEGV to avoid the crash."

In reply to that someone else postet another crasher to oss-security that seems to expose a different code path.

Here's the corresponding thread:
http://seclists.org/oss-sec/2014/q4/424
Comment 1 Hanno Boeck 2014-10-24 11:41:49 UTC 
Created attachment 7845 [details]
strings crasher 2
Comment 2 Mike Frysinger 2014-10-24 16:21:18 UTC 
this was already fixed months ago and is included in the pending 2.25 release
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f