This is the mail archive of the mailing list for the binutils project.
Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- From: Yury Gribov <y dot gribov at samsung dot com>
- To: Mark Wielaard <mjw at redhat dot com>, Petr Machata <pmachata at redhat dot com>
- Cc: Pedro Alves <palves at redhat dot com>, Nicholas Clifton <nickc at redhat dot com>, "Maciej W. Rozycki" <macro at linux-mips dot org>, Michal Zalewski <lcamtuf at coredump dot cx>, bugtraq <bugtraq at securityfocus dot com>, binutils at sourceware dot org
- Date: Fri, 31 Oct 2014 15:34:53 +0300
- Subject: Re: vulnerabilities in libbfd (CVE-2014-beats-me)
On 10/31/2014 03:22 PM, Mark Wielaard wrote:
> My idea was simply like the above suggestion. Run the elfutils testsuite
> on fuzzed input under valgrind. The valgrind part is already integrated
> in the testsuite. Or build the library with the GCC sanitizers. I
> haven't found any issues with the address sanitizer, probably because
> all those issues were already caught by valgrind.
Actually I'd recommend running both: sanitizers can detect overflows in
stack/global variables and use-after-return errors but Valgrind is able
to catch overflows inside precompiled libraries (say glibc).
> If people haven't yet, then I would highly recommend upgrading to GCC
> 4.8 or 4.9 and play with adding -fsanitize flags to CFLAGS and see what
Or even 5.0 - sanitizers are constantly improved. One thing to watch
out for is that some safety checks are not enabled by default (like e.g.
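As an added illustration of the point made in this exchange (not code from the thread or from binutils/elfutils), the script below builds a constructed program containing a one-byte stack-array overflow with `-fsanitize=address` and checks that ASan reports it; Valgrind memcheck places no redzones around stack locals, so the same bug passes it unnoticed, which is why running both is advised. It assumes gcc with libasan on PATH and reports "unavailable" otherwise.

```shell
#!/bin/sh
# Added example, not code from the thread: build a constructed program with a
# one-byte stack-array overflow using -fsanitize=address and check that ASan
# reports it.  Assumes gcc with libasan on PATH; prints "unavailable" otherwise.

# Write the constructed test program to the path given as $1.
write_overflow_test() {
  cat > "$1" <<'EOF'
int main(void) {
    char buf[8];
    volatile int i;
    for (i = 0; i < 9; i++)   /* constructed bug: 9 bytes into an 8-byte array */
        buf[i] = 'A';
    return buf[0] == 'A' ? 0 : 1;
}
EOF
}

# Prints "detected" when ASan reports a stack-buffer-overflow, "silent" when
# the program runs to completion unreported, "unavailable" when the toolchain
# or the ASan runtime cannot be used here.
asan_stack_check() {
  command -v gcc >/dev/null 2>&1 || { echo unavailable; return 0; }
  dir=$(mktemp -d) || { echo unavailable; return 0; }
  write_overflow_test "$dir/t.c"
  # -fno-omit-frame-pointer keeps ASan's stack traces readable; -g adds line info.
  if ! gcc -g -fsanitize=address -fno-omit-frame-pointer -o "$dir/t" "$dir/t.c" 2>/dev/null; then
    rm -rf "$dir"; echo unavailable; return 0
  fi
  # detect_stack_use_after_return is the runtime switch for the use-after-return
  # check mentioned in the reply; it is off by default and harmless here.
  if out=$(ASAN_OPTIONS=detect_stack_use_after_return=1 "$dir/t" 2>&1); then
    status=0
  else
    status=$?
  fi
  rm -rf "$dir"
  case "$out" in
    *stack-buffer-overflow*) echo detected ;;
    *) [ "$status" -eq 0 ] && echo silent || echo unavailable ;;
  esac
}

asan_stack_check
```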