This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: [oss-security] Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)


Hi Guys,

> I was just curious how well this works for real world tasks like objdump crashes.
>
> Back to real world deduping. IMHO it's not ideal but works quite well,
>
> Ah, I forgot to add that to really know the quality of the results of
> this approach we have to ask Nick Clifton who actually worked with the
> resulting crashers.

Many of the problems uncovered by Alexander and Hanno stem from the fact that the BFD library was never written with security in mind. It was intended to be portable and functional, but handling corrupt files was never a priority. Of course that is no excuse, and so that is why I am trying to make up for lost time and fix these problems as fast as they are reported.

Another problem is that the file formats themselves (PE, COFF, ELF, etc) are designed with efficiency in mind, rather than security. So a lot of extra work needs to be done when decoding them in order to make sure that out of bounds reads and writes do not occur.

My gut feeling at the moment is that readelf is probably pretty good now. It has a lot of range checking in place and it should be fairly robust. If you are looking for places to check though I would look at dynamic symbol tables and unwind tables for various different architectures.

The BFD library is probably less robust than readelf. Especially when it comes to non-ELF file formats. Resource sections for PE files for example could be a fertile area to explore. Oh, and archives (or libraries if you prefer), probably need to be tested as well.

Cheers
  Nick
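As an added illustration of the range checking the message above describes (this is not code from binutils, BFD or readelf, and not part of the thread), here is a bounds-checked walk over an ELF64 section header table. It assumes a little-endian host and image, and builds its own constructed 128-byte sample to exercise the checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF64 field offsets from the ELF64 spec; little-endian host and file assumed. */
#define EH_SIZE 64          /* sizeof(Elf64_Ehdr) */
#define SH_SIZE 64          /* sizeof(Elf64_Shdr) */
#define SHT_NOBITS 8        /* section type that occupies no file bytes */

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Walk the section header table of an in-memory ELF64 image. Every offset and
   size is checked against the real buffer length before it is dereferenced, and
   each check is written as "off <= len && size <= len - off" so that a corrupt
   value cannot wrap a naive "off + size > len" comparison. Returns the section
   count, or -1 if the header or any section's file range is out of bounds. */
long checked_section_count(const uint8_t *buf, size_t len) {
    if (len < EH_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 || buf[5] != 1) return -1;          /* ELFCLASS64 + ELFDATA2LSB only */
    uint64_t shoff = rd64(buf + 0x28);                   /* e_shoff */
    uint16_t shentsize = rd16(buf + 0x3A), shnum = rd16(buf + 0x3C);
    if (shentsize < SH_SIZE) return -1;                  /* entries too small to hold a Shdr */
    if (shoff > len || (uint64_t)shnum * shentsize > len - shoff) return -1;
    for (unsigned i = 0; i < shnum; i++) {
        const uint8_t *sh = buf + shoff + (size_t)i * shentsize;
        if (rd32(sh + 0x04) == SHT_NOBITS) continue;     /* sh_type: .bss-like, no file data */
        uint64_t off = rd64(sh + 0x18), size = rd64(sh + 0x20); /* sh_offset, sh_size */
        if (off > len || size > len - off) return -1;    /* data would run past EOF */
    }
    return shnum;
}

/* Constructed 128-byte sample image: header plus one PROGBITS section header at
   offset 64 whose data is declared to start exactly at the end of the image. */
uint8_t g_img[128];
long check_sample(uint64_t shoff, uint64_t sec_size) {
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, "\x7f" "ELF", 4);
    g_img[4] = 2; g_img[5] = 1;
    wr64(g_img + 0x28, shoff);          /* e_shoff: the honest value is 64 */
    wr16(g_img + 0x3A, SH_SIZE);        /* e_shentsize */
    wr16(g_img + 0x3C, 1);              /* e_shnum */
    g_img[64 + 4] = 1;                  /* sh_type = SHT_PROGBITS */
    wr64(g_img + 64 + 0x18, 128);       /* sh_offset: at EOF */
    wr64(g_img + 64 + 0x20, sec_size);  /* sh_size: 0 fits, anything more does not */
    return checked_section_count(g_img, sizeof g_img);
}
```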



