vulnerabilities in libbfd (CVE-2014-beats-me)
Petr Machata
pmachata@redhat.com
Thu Oct 30 15:23:00 GMT 2014
Pedro Alves <palves@redhat.com> writes:

> On 10/30/2014 01:09 PM, Yury Gribov wrote:
>> On 10/30/2014 02:01 PM, Nicholas Clifton wrote:
>>> Hi Maciej, Hi Michal,
>
>>> It is true however that there are still vulnerabilities in libbfd, and I
>>> for one would be happy to see new bug reports exposing them. I can assure
>>> you that any such bug report reaching me will be treated seriously, and
>>> will be investigated and fixed as soon as possible.
>>
>> We could cook a (simple) ELF fuzzer and run it on Binutils with
>> AddressSanitizer enabled. Perhaps there is one I'm unaware of?
>
> I've heard of Melkor - an ELF file format fuzzer. See:
>
> https://www.blackhat.com/us-14/arsenal.html#Hernandez
>
> I believe Petr Machata (in CC now) ran this against elfutils, and
> it indeed exposed some bugs.

Yep, quite a few. Melkor is nice in that it doesn't fuzz fully
randomly, but when it tweaks a value, it also tweaks other dependent
values, so simple sanity checking doesn't tend to catch those. If BFD
validates offsets and sizes vs. actual underlying file or stream sizes,
it would be more robust in the face of these corruptions. But elfutils
has largely been built with a policy of "if you don't trust it, don't
open it", and so all these problems consistently burn us.

I CC'd Mark Wielaard, the current elfutils maintainer. I saw Melkor
mentioned in his TODO, chances are he has more insights.

Thanks,
Petr
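
The validation described in the message above (offsets and sizes checked against the actual file size), as an added example that is not part of the original message and is not BFD or elfutils code. The function names are hypothetical, only little-endian ELF64 is handled, and the field offsets are those of the standard ELF64 header layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an n-byte little-endian integer (ELFDATA2LSB files only). */
static uint64_t le(const unsigned char *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Is [off, off+size) inside a file of file_size bytes?  Written without
   computing off+size, which a fuzzed header can make wrap past 2^64. */
static int range_in_file(uint64_t off, uint64_t size, uint64_t file_size) {
    return off <= file_size && size <= file_size - off;
}

/* Returns 0 if the section header table and every section's contents lie
   inside buf[0..len), -1 otherwise.  (Hypothetical name; an e_shnum of 0
   is treated as "no table", extended numbering is not handled.) */
int check_elf64_sections(const unsigned char *buf, size_t len) {
    if (len < 64 || memcmp(buf, "\177ELF", 4) != 0) return -1;
    if (buf[4] != 2 || buf[5] != 1) return -1;   /* ELFCLASS64, ELFDATA2LSB */
    uint64_t shoff = le(buf + 0x28, 8);          /* e_shoff */
    uint64_t shentsize = le(buf + 0x3A, 2);      /* e_shentsize */
    uint64_t shnum = le(buf + 0x3C, 2);          /* e_shnum */
    if (shnum == 0) return 0;
    /* Both factors are 16-bit, so the product cannot overflow. */
    if (shentsize < 64 || !range_in_file(shoff, shentsize * shnum, len)) return -1;
    for (uint64_t i = 0; i < shnum; i++) {
        const unsigned char *sh = buf + shoff + i * shentsize;
        if (le(sh + 4, 4) == 8) continue;        /* SHT_NOBITS: no file bytes */
        if (!range_in_file(le(sh + 0x18, 8), le(sh + 0x20, 8), len)) return -1;
    }
    return 0;
}

static void put_le(unsigned char *p, uint64_t v, int n) {
    for (int i = 0; i < n; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Constructed sample: a 128-byte image holding an ELF64 header and one
   section header whose sh_offset/sh_size are chosen by the caller. */
int check_sample(uint64_t sh_offset, uint64_t sh_size) {
    unsigned char img[128] = "\177ELF\002\001\001";
    put_le(img + 0x28, 64, 8);                   /* e_shoff */
    put_le(img + 0x3A, 64, 2);                   /* e_shentsize */
    put_le(img + 0x3C, 1, 2);                    /* e_shnum */
    put_le(img + 64 + 4, 1, 4);                  /* sh_type = SHT_PROGBITS */
    put_le(img + 64 + 0x18, sh_offset, 8);
    put_le(img + 64 + 0x20, sh_size, 8);
    return check_elf64_sections(img, sizeof img);
}
```

With `sh_offset = 0xFFFFFFFFFFFFFFF0` and `sh_size = 0x20` the sum wraps to `0x10`, so a check written as `off + size <= len` would accept the section; the subtraction form rejects it.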