Re: found vuln in bfd lib Coff code

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: found vuln in bfd lib Coff code

From:	Nick Clifton
Subject:	Re: found vuln in bfd lib Coff code
Date:	Wed, 17 Aug 2005 18:50:03 +0100
User-agent:	Mozilla Thunderbird 1.0 (X11/20041206)

Hi ICBM,

Found a new vuln in bfd lib coff code and similar with the lastone...

        In the do_slurp_coff_armap() funciton:

        static bfd_boolean
        do_slurp_coff_armap (bfd *abfd){
        ¡

carsym_size = (nsymz * sizeof (carsym)); //uses the nsymz from fileptrsize = (4 * nsymz); //integer overflow here

        ¡
        /* Allocate and read in the raw offsets.  */
          raw_armap = bfd_alloc (abfd, ptrsize);  // allocate wrong memory size 
here
          if (raw_armap == NULL)
            goto release_symdefs;
        ¡
        }

I do not understand why this can lead to a vulnerability. Even if thecomputation of "ptrsize" does overflow all that will happen is that thecode will read in too little of the archive's map. The code inbfd_alloc() treats the size parameter as unsigned and it copes with avery large value which is too big to be allocated. So where is thevulnerability ?


Cheers
  Nick

[Prev in Thread]

Current Thread

[Next in Thread]

found vuln in bfd lib Coff code, ICBM, 2005/08/15
- Re: found vuln in bfd lib Coff code, Nick Clifton <=

Prev by Date: Re: gprof : histogram records
Next by Date: Re: infinate loop in as with .org pseudo
Previous by thread: found vuln in bfd lib Coff code
Next by thread: gprof : histogram records
Index(es):
- Date
- Thread