Discussion on CVE-2017-13710 (nm)

Here we provide a detailed analysis of the CVE we reproduced on nm, CVE-2017-13710, a null-pointer dereference in the bfd library used by nm (and by other GNU Binutils tools).

We found that this CVE was actually newly introduced in binutils version 2.29, which means that it cannot crash earlier versions of nm.

Here, we use version 2.15 (the version used in the AFLFast paper) as an example.

The figure below shows two runs of the poc with nm version 2.15 and version 2.29 respectively.

We can see that in nm version 2.15, the program reports "Memory exhausted" and exits with status 1 (an error exit, not a crash).

But in nm version 2.29, the program runs into a segmentation fault and exits with status 139 (128 + 11, i.e. terminated by signal 11, SIGSEGV).

This is because the bug is newly introduced in nm version 2.29.

So the proof-of-crash cannot trigger a crash in earlier versions of nm.
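The comparison above boils down to reading the exit status of each run: a status above 128 means the process was terminated by a signal (128 + signal number, so 139 is SIGSEGV), while status 1 is nm's own orderly error exit. The script below is an added example, not part of the original page or of the Binutils sources; it wraps that check in a small POSIX sh helper so the two runs can be reproduced and classified without reading the screenshot. The paths `./nm-2.15`, `./nm-2.29` and `./poc` are assumed placeholders for the attached binaries and proof-of-crash.

```shell
#!/bin/sh
# Added example (not from the original page): run a binary on a PoC input and
# report whether it was killed by a signal (a crash) or simply exited non-zero.
# Assumed, hypothetical paths: ./nm-2.15, ./nm-2.29 and ./poc stand in for the
# attached nm binaries and the proof-of-crash file.

# Map an exit status to a verdict. POSIX shells report a child killed by
# signal N as status 128+N, so 139 means signal 11 (SIGSEGV) and 134 SIGABRT.
classify_exit() {
    status=$1
    if [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            6)  name=SIGABRT ;;
            7)  name=SIGBUS ;;
            11) name=SIGSEGV ;;
            *)  name="signal $sig" ;;
        esac
        echo "crash: killed by $name (status $status)"
    elif [ "$status" -eq 0 ]; then
        echo "ok: exit 0"
    else
        echo "error: exit $status (no crash)"
    fi
}

# Run a command (binary plus arguments), tolerate a non-zero result so the
# script keeps going under `set -e`, and classify the exit status. The tool's
# own output is discarded; drop the redirection to see e.g. "Memory exhausted".
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Stand-alone demo: classify each attached nm binary on the PoC, if present.
# With the page's results this prints "error: exit 1 (no crash)" for nm-2.15
# and "crash: killed by SIGSEGV (status 139)" for nm-2.29.
for nm in ./nm-2.15 ./nm-2.29; do
    if [ -x "$nm" ] && [ -f ./poc ]; then
        printf '%s: ' "$nm"
        run_and_classify "$nm" ./poc
    fi
done
```

Because the verdict is derived only from the exit status, the same helper works for any target under triage; the signal-name table is deliberately short and falls back to a plain signal number for anything it does not list.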

Actually, as developers add in new features, they may introduce new bugs in both the newly added code and existing code.

So we keep fuzzing new versions of these libraries with the purpose of finding new bugs.

This also shows that, given a new version of a program (one in which existing bugs have been fixed but new bugs may have been introduced), Cerebro can outperform AFL and AFLFast.

The nm version 2.15 and version 2.29, together with the proof-of-crash (poc) are in the attachment on this page.

Interested readers can download and reproduce the results.