[oss-security] Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)
Tue Nov 11 16:47:00 GMT 2014
>>> I was just curious how well
>>> this works for real world tasks like objdump crashes.
>> Back to real world deduping. IMHO it's not ideal but works quite well,
> Ah, I forgot to add that to really know the quality of the results of
> this approach we have to ask Nick Clifton which actually worked with the
> resulted crashers.
Many of the problems uncovered by Alexander and Hanno stem from the fact
that the BFD library was never written with security in mind, It was
intended to be portable and functional, but handling corrupt files was
never a priority. Of course that is no excuse and so that is why I am
trying to make up for lost time and fix these problems as fast as they
Another problem is that the file formats themselves (PE, COFF, ELF, etc)
are designed with efficiency in mind, rather than security. So a lot of
extra work needs to be done when decoding them in order to make sure
that out of bounds reads and writes do not occur.
My gut feeling at the moment is that readelf is probably pretty good
now. It has a lot of range checking in place and it should be fairly
robust. If you are looking for places to check though I would look at
dynamic symbol tables and unwind tables for various different architectures.
The BFD library is probably less robust than readelf. Especially when
it comes to non-ELF file formats. Resource sections for PE files for
example could be a fertile area to explore. Oh, and archives (or
libraries if you prefer), probably need to be tested as well.
More information about the Binutils