On 2017/01/17 08:41, Marshall Whittaker wrote:
> >Synopsis: OpenBSD's readelf does not properly validate input.
> >Category: system
> >Environment:
> System      : OpenBSD 6.0
> Details     : OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> The /usr/bin/readelf binary on OpenBSD 6.0 does not seem to properly
> validate input. You can for example cat a binary and take the first few
> "lines" of the file and throw them at readelf, which will cause a sig
> abort, as shown in the test case. This could possibly be exploited, but I
> haven't tried to manipulate memory any more than in the test case so far.
> The relevant code can be found in
> https://github.com/openbsd/src/blob/5271000b44abe23907b73bbb3aa38ddf4a0bce08/gnu/usr.bin/binutils/binutils/readelf.c
> and the directory it is in.
> (Though I haven't compiled from that git tree specifically to see if it
> has the same bug, 6.0 release does).

There were a bunch of changes in binutils upstream fixing bugs found
through fuzzing after AFL got popular, however for various reasons we
can't update binutils directly.

If someone is interested in this they should probably look at libiberty
commits and see what areas they've fixed.

If someone just wants to run readelf against untrusted files they might
be better off with one from a newer binutils (the newest one easily
available is "arm-none-eabi-readelf" in the arm-none-eabi-binutils
package; this does not require an ARM machine to run it), or the
python-based parser from the py-elftools package.
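The following is an added example, not code from OpenBSD's readelf, from binutils, or from py-elftools. It is a small bounds-checked ELF64 header walker that shows what "properly validating input" means for the case in the report: a file cut off after its first few bytes, an oversized section count, or a section table that points past the end of the file is rejected with a message instead of aborting. The image returned by build_sample() is constructed for the example and is not a real binary; the field layouts are the standard ELF64 ones, and the parser deliberately handles only ELFCLASS64.

```python
import struct

EI_NIDENT = 16
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
SHT_NOBITS = 8
EHDR_FMT = "HHIQQQIHHHHHH"      # ELF64 fields after e_ident (48 bytes)
SHDR_FMT = "IIQQQQIIQQ"         # ELF64 section header (64 bytes)
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
SHDR_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
               "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")


class ElfError(ValueError):
    """Any malformed or truncated input. Callers get this, never a crash."""


def _need(data, off, n, what):
    """Refuse any read that would run past the end of the buffer."""
    if off < 0 or n < 0 or off + n > len(data):
        raise ElfError(f"{what}: need {n} bytes at offset {off}, "
                       f"file is only {len(data)} bytes")


def parse_ehdr(data):
    """Parse and validate the ELF64 file header."""
    _need(data, 0, EI_NIDENT, "e_ident")
    if data[:4] != ELF_MAGIC:
        raise ElfError("not an ELF file (bad magic)")
    if data[4] != ELFCLASS64:
        raise ElfError("only ELFCLASS64 is handled in this example")
    if data[5] == ELFDATA2LSB:
        endian = "<"
    elif data[5] == ELFDATA2MSB:
        endian = ">"
    else:
        raise ElfError("invalid EI_DATA")
    fmt = endian + EHDR_FMT
    _need(data, EI_NIDENT, struct.calcsize(fmt), "ELF64 header")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(fmt, data, EI_NIDENT)))
    hdr["endian"] = endian
    if hdr["e_ehsize"] != EI_NIDENT + struct.calcsize(fmt):
        raise ElfError(f"unexpected e_ehsize {hdr['e_ehsize']}")
    return hdr


def parse_shdrs(data, hdr):
    """Walk the section header table, checking every offset against len(data)."""
    if hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0:
        return []
    fmt = hdr["endian"] + SHDR_FMT
    if hdr["e_shentsize"] != struct.calcsize(fmt):
        raise ElfError(f"unexpected e_shentsize {hdr['e_shentsize']}")
    # Check the whole table up front so an oversized e_shnum is caught
    # here rather than on the Nth iteration.
    _need(data, hdr["e_shoff"], hdr["e_shnum"] * hdr["e_shentsize"],
          "section header table")
    if hdr["e_shstrndx"] >= hdr["e_shnum"]:
        raise ElfError("e_shstrndx points outside the section table")
    shdrs = []
    for i in range(hdr["e_shnum"]):
        off = hdr["e_shoff"] + i * hdr["e_shentsize"]
        sh = dict(zip(SHDR_FIELDS, struct.unpack_from(fmt, data, off)))
        # SHT_NOBITS occupies no file bytes; every other section must fit.
        if sh["sh_type"] != SHT_NOBITS:
            _need(data, sh["sh_offset"], sh["sh_size"], f"section {i} contents")
        shdrs.append(sh)
    return shdrs


def summarize(data):
    """Return (ok, text): a one-line summary, or the validation error."""
    try:
        hdr = parse_ehdr(data)
        shdrs = parse_shdrs(data, hdr)
    except ElfError as e:
        return False, f"rejected: {e}"
    return True, (f"ELF64 type={hdr['e_type']} machine={hdr['e_machine']} "
                  f"entry=0x{hdr['e_entry']:x} sections={len(shdrs)}")


def build_sample():
    """Constructed 192-byte ELF64 image for this example (not a real binary):
    a header plus a two-entry section table at offset 64, entry 1 SHT_NOBITS."""
    shoff = 64
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\0" * 9
    ehdr = ident + struct.pack("<" + EHDR_FMT, 2, 62, 1, 0x401000, 0, shoff,
                               0, 64, 0, 0, 64, 2, 0)
    null_sh = struct.pack("<" + SHDR_FMT, *([0] * 10))
    bss_sh = struct.pack("<" + SHDR_FMT, 1, SHT_NOBITS, 3, 0x402000, 0,
                         0x1000, 0, 0, 16, 0)
    return ehdr + null_sh + bss_sh


if __name__ == "__main__":
    import sys
    # Pass a file to check it; with no argument, check the built-in sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(blob)[1])
```

Running it on the constructed sample prints a one-line summary; running it on the sample cut to its first 40 bytes (the "first few lines of cat" case from the report) prints a rejection naming the missing bytes. The point of the structure is that every field that is later used as an offset or a count is range-checked against the file length before any read, which is the class of check the fuzzing-driven upstream fixes added.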
