This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: vulnerabilities in libbfd (CVE-2014-beats-me)


On 10/30/2014 01:09 PM, Yury Gribov wrote:
> On 10/30/2014 02:01 PM, Nicholas Clifton wrote:
>> Hi Maciej, Hi Michal,

>> It is true however that there are still vulnerabilities in libbfd, and I
>> for one would be happy to see new bug reports exposing them.  I can assure
>> you that any such bug report reaching me will be treated seriously, and
>> will be investigated and fixed as soon as possible.
> 
> We could cook a (simple) ELF fuzzer and run it on Binutils with 
> AddressSanitizer enabled.  Perhaps there is one I'm unaware of? 

I've heard of Melkor - an ELF file format fuzzer.  See:

  https://www.blackhat.com/us-14/arsenal.html#Hernandez

I believe Petr Machata (in CC now) ran this against elfutils, and
it indeed exposed some bugs.

> Traditional fuzzers like afl are necessarily limited for highly 
> structured inputs.

Thanks,
Pedro Alves

