This is the mail archive of the mailing list for the binutils project.
Re: [oss-security] Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)
- From: Nicholas Clifton <nickc at redhat dot com>
- To: Alexander Cherepanov <cherepan at mccme dot ru>, oss-security at lists dot openwall dot com
- Cc: binutils at sourceware dot org
- Date: Tue, 11 Nov 2014 16:47:09 +0000
- Subject: Re: [oss-security] Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)
- Authentication-results: sourceware.org; auth=none
- References: <545C4DEF dot 5030600 at mccme dot ru> <545C9A09 dot 7030007 at samsung dot com> <20141107115906 dot 7140b89d at pc> <545CB06B dot 8010302 at samsung dot com> <545CB690 dot 6000209 at mccme dot ru> <545CB8C4 dot 4080101 at mccme dot ru>
> I was just curious how well this works for real world tasks like objdump crashes.
> Back to real world deduping. IMHO it's not ideal but works quite well,
> Ah, I forgot to add that to really know the quality of the results of
> this approach we have to ask Nick Clifton who actually worked with the
Many of the problems uncovered by Alexander and Hanno stem from the fact
that the BFD library was never written with security in mind. It was
intended to be portable and functional, but handling corrupt files was
never a priority. Of course that is no excuse and so that is why I am
trying to make up for lost time and fix these problems as fast as they
Another problem is that the file formats themselves (PE, COFF, ELF, etc)
are designed with efficiency in mind, rather than security. So a lot of
extra work needs to be done when decoding them in order to make sure
that out of bounds reads and writes do not occur.
My gut feeling at the moment is that readelf is probably pretty good
now. It has a lot of range checking in place and it should be fairly
robust. If you are looking for places to check though I would look at
dynamic symbol tables and unwind tables for various different architectures.
The BFD library is probably less robust than readelf. Especially when
it comes to non-ELF file formats. Resource sections for PE files for
example could be a fertile area to explore. Oh, and archives (or
libraries if you prefer), probably need to be tested as well.
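The "extra work" Nick describes for decoding an efficiency-oriented format is mostly range checking before any offset from the file is trusted. The following is an added illustration, not code from binutils, readelf or BFD: it validates an ELF64 section header table against the file size (including the e_shoff + e_shnum * e_shentsize overflow case) and builds a constructed, little-endian header to exercise each rejection path.

```c
#include <stdint.h>
#include <string.h>

/* ELF64 header geometry and field offsets used below (from the ELF spec). */
#define ELF64_EHDR_SIZE 64
#define ELF64_SHDR_SIZE 64

/* Outcome of validating the section header table against the file size. */
enum shdr_check { SHDR_OK = 0, SHDR_BAD_MAGIC, SHDR_TOO_SHORT,
                  SHDR_BAD_ENTSIZE, SHDR_OVERFLOW, SHDR_OUT_OF_BOUNDS };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Reject a section header table that does not lie inside the buffer before
   a single header is read. Assumes a little-endian ELF64 image; this is an
   illustration of the check, not readelf's or BFD's own code. */
enum shdr_check check_section_headers(const uint8_t *buf, size_t len) {
    if (len < ELF64_EHDR_SIZE) return SHDR_TOO_SHORT;
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return SHDR_BAD_MAGIC;
    uint64_t e_shoff = rd64(buf + 0x28);
    uint16_t e_shentsize = rd16(buf + 0x3a);
    uint16_t e_shnum = rd16(buf + 0x3c);
    if (e_shnum == 0) return SHDR_OK;            /* no section table at all */
    if (e_shentsize != ELF64_SHDR_SIZE) return SHDR_BAD_ENTSIZE;
    /* e_shnum * e_shentsize cannot overflow (two 16-bit values), but e_shoff
       is file controlled and may sit near UINT64_MAX, so check the sum first. */
    uint64_t table_size = (uint64_t)e_shnum * e_shentsize;
    if (e_shoff > UINT64_MAX - table_size) return SHDR_OVERFLOW;
    if (e_shoff + table_size > len) return SHDR_OUT_OF_BOUNDS;
    return SHDR_OK;
}

/* Build a constructed (not real) ELF64 header with the given table geometry
   in a 256-byte buffer and check it as if the file were len bytes long. */
enum shdr_check check_constructed(uint64_t shoff, uint16_t shnum, size_t len) {
    static uint8_t buf[256];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1;                      /* ELFCLASS64, ELFDATA2LSB */
    for (int i = 0; i < 8; i++) buf[0x28 + i] = (uint8_t)(shoff >> (8 * i));
    buf[0x3a] = ELF64_SHDR_SIZE; buf[0x3b] = 0;  /* e_shentsize */
    buf[0x3c] = (uint8_t)shnum; buf[0x3d] = (uint8_t)(shnum >> 8);
    return check_section_headers(buf, len > sizeof buf ? sizeof buf : len);
}
```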