This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- From: Mark Wielaard <mjw at redhat dot com>
- To: Petr Machata <pmachata at redhat dot com>
- Cc: Pedro Alves <palves at redhat dot com>, Yury Gribov <y dot gribov at samsung dot com>, Nicholas Clifton <nickc at redhat dot com>, "Maciej W. Rozycki" <macro at linux-mips dot org>, Michal Zalewski <lcamtuf at coredump dot cx>, bugtraq <bugtraq at securityfocus dot com>, binutils at sourceware dot org
- Date: Fri, 31 Oct 2014 13:22:46 +0100
- Subject: Re: vulnerabilities in libbfd (CVE-2014-beats-me)
On Thu, 2014-10-30 at 16:23 +0100, Petr Machata wrote:
> Pedro Alves <palves@redhat.com> writes:
> > On 10/30/2014 01:09 PM, Yury Gribov wrote:
> >> On 10/30/2014 02:01 PM, Nicholas Clifton wrote:
> >>> It is true however that there are still vulnerabilities in libbfd, and I
> >>> for one would be happy to see new bug reports exposing them. I can assure
> >>> you that any such bug report reaching me will be treated seriously, and
> >>> will be investigated and fixed as soon as possible.
> >>
> >> We could cook a (simple) ELF fuzzer and run it on Binutils with
> >> AddressSanitizer enabled. Perhaps there is one I'm unaware of?
> >
> > I've heard of Melkor - an ELF file format fuzzer. See:
> >
> > https://www.blackhat.com/us-14/arsenal.html#Hernandez
> >
> > I believe Petr Machata (in CC now) ran this against elfutils, and
> > it indeed exposed some bugs.
>
> Yep, quite a few. Melkor is nice in that it doesn't fuzz fully
> randomly, but when it tweaks a value, it also tweaks other dependent
> values, so simple sanity checking doesn't tend to catch those.
>
> If BFD validates offsets and sizes vs. actual underlying file or stream
> sizes, it would be more robust in the face of these corruptions. But
> elfutils has largely been built with a policy of "if you don't trust it,
> don't open it", and so all these problems consistently burn us.
elfutils has been robustified a bit. I do think we should improve it
till you can open things you don't trust. And these days elfutils CVEs
are reported on bugs found like the recent integer/heap overflow in
libdw.
> I CC'd Mark Wielaard, the current elfutils maintainer. I saw Melkor
> mentioned in his TODO, chances are he has more insights.
Sorry. Melkor is still on my TODO list to integrate with the elfutils
testsuite. Sadly it hasn't moved up much :{
My idea was simply like the above suggestion. Run the elfutils testsuite
on fuzzed input under valgrind. The valgrind part is already integrated
in the testsuite. Or build the library with the GCC sanitizers. I
haven't found any issues with the address sanitizer, probably because
all those issues were already caught by valgrind. But I did find some
nastiness with gcc -fsanitize=undefined in the past.
If people haven't yet, then I would highly recommend upgrading to GCC
4.8 or 4.9 and playing with adding -fsanitize flags to CFLAGS and see what
falls out.
Cheers,
Mark
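Petr's point above about validating offsets and sizes against the real file length, as an added example (my own code, not elfutils or BFD): a bounds check for an ELF64 section header table that reads the header fields by hand in the file's own byte order and compares by subtraction, so a huge e_shoff cannot wrap past the buffer. The `check_sample` helper builds constructed inputs for the cases Melkor-style fuzzing tends to hit (table past end, header truncated, offset that wraps).

```c
#include <stdint.h>
#include <string.h>

#define EHDR_SIZE 64   /* sizeof(Elf64_Ehdr) */
#define SHDR_SIZE 64   /* sizeof(Elf64_Shdr) */

/* Read an n-byte unsigned field at 'off' in the file's own byte order (EI_DATA). */
static uint64_t rd(const unsigned char *b, size_t off, int n, int be)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++)
        v = be ? (v << 8) | b[off + i] : v | ((uint64_t)b[off + i] << (8 * i));
    return v;
}

/* 1 if 'buf' (len bytes) is an ELF64 image whose section header table lies entirely
   inside the buffer, else 0. Checks use the real buffer length, never header claims. */
int elf64_shdr_table_in_bounds(const unsigned char *buf, size_t len)
{
    if (len < EHDR_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2)
        return 0;                       /* too short, not ELF, or not ELFCLASS64 */
    if (buf[5] != 1 && buf[5] != 2)
        return 0;                       /* EI_DATA must be LSB (1) or MSB (2) */
    int be = buf[5] == 2;
    uint64_t shoff     = rd(buf, 40, 8, be);   /* e_shoff */
    uint64_t shentsize = rd(buf, 58, 2, be);   /* e_shentsize */
    uint64_t shnum     = rd(buf, 60, 2, be);   /* e_shnum */
    if (shnum == 0)
        return 1;                       /* no table to validate */
    if (shentsize < SHDR_SIZE)
        return 0;                       /* entries too small to hold a real Shdr */
    uint64_t table = shentsize * shnum; /* two 16-bit values: cannot wrap in 64 bits */
    /* Subtract rather than add: shoff + table could wrap and look in range. */
    return shoff <= len && table <= (uint64_t)len - shoff;
}

/* Constructed sample: little-endian ELF64 header with the given e_shoff/e_shnum
   (e_shentsize = 64), zero-padded to 'len' bytes (max 256), then validated. */
int check_sample(size_t len, uint64_t shoff, uint16_t shnum)
{
    static unsigned char buf[256];
    if (len > sizeof buf) return -1;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1;                        /* ELFCLASS64, ELFDATA2LSB */
    for (int i = 0; i < 8; i++) buf[40 + i] = (unsigned char)(shoff >> (8 * i));
    buf[58] = SHDR_SIZE;                           /* e_shentsize, low byte */
    buf[60] = (unsigned char)shnum; buf[61] = (unsigned char)(shnum >> 8);
    return elf64_shdr_table_in_bounds(buf, len);   /* len < 64: header is rejected */
}
```

The same subtraction pattern applies to e_phoff/e_phnum and to every sh_offset/sh_size pair once the table itself is known to be in bounds.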