https://issues.oss-fuzz.com/issues/441055980
[email protected] added comment #2:

It can be reproduced by building elfutils with ASan, downloading the testcase from https://oss-fuzz.com/download?testcase_id=5433808192339968 and running `readelf -a`:

```
git clone https://sourceware.org/git/elfutils.git
cd elfutils
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address
make V=1
wget -O TESTCASE-441055980 https://oss-fuzz.com/download?testcase_id=5433808192339968
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf ./src/readelf -a TESTCASE-441055980
```

```
=================================================================
==138206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7d28fe1e02ac at pc 0x7fc8ffae4937 bp 0x7ffea5b28990 sp 0x7ffea5b28150
READ of size 64 at 0x7d28fe1e02ac thread T0
    #0 0x7fc8ffae4936 in memcpy (/lib64/libasan.so.8+0xe4936) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
    #1 0x7fc8ff6a98ac in __libdwfl_elf_address_range /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:76
    #2 0x7fc8ff6aa37a in __libdwfl_report_elf /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:247
    #3 0x7fc8ff6b121f in process_elf /home/vagrant/elfutils/libdwfl/offline.c:137
    #4 0x7fc8ff6b121f in process_file /home/vagrant/elfutils/libdwfl/offline.c:125
    #5 0x7fc8ff6b15bd in process_archive_member /home/vagrant/elfutils/libdwfl/offline.c:235
    #6 0x7fc8ff6b15bd in process_archive /home/vagrant/elfutils/libdwfl/offline.c:265
    #7 0x7fc8ff6b15bd in process_file /home/vagrant/elfutils/libdwfl/offline.c:128
    #8 0x7fc8ff6b15bd in process_archive_member /home/vagrant/elfutils/libdwfl/offline.c:235
    #9 0x7fc8ff6b15bd in process_archive /home/vagrant/elfutils/libdwfl/offline.c:265
    #10 0x7fc8ff6b15bd in process_file /home/vagrant/elfutils/libdwfl/offline.c:128
    #11 0x7fc8ff6b1eda in __libdwfl_report_offline /home/vagrant/elfutils/libdwfl/offline.c:295
    #12 0x00000040fb04 in create_dwfl /home/vagrant/elfutils/src/readelf.c:970
    #13 0x00000040fe62 in process_file /home/vagrant/elfutils/src/readelf.c:1014
    #14 0x00000040295c in main /home/vagrant/elfutils/src/readelf.c:482
    #15 0x7fc8ff811574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #16 0x7fc8ff811627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #17 0x0000004047d4 in _start (/home/vagrant/elfutils/src/readelf+0x4047d4) (BuildId: f53bce073c5090b8a49889e1f590b6b4a4023a28)

0x7d28fe1e02ac is located 0 bytes after 556-byte region [0x7d28fe1e0080,0x7d28fe1e02ac)
allocated by thread T0 here:
    #0 0x7fc8ffae5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
    #1 0x7fc8ff6eb9b3 in smaller_buffer /home/vagrant/elfutils/libdwfl/gzip.c:108
    #2 0x7fc8ff6eb9b3 in __libdw_gunzip /home/vagrant/elfutils/libdwfl/gzip.c:394

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:76 in __libdwfl_elf_address_range
Shadow bytes around the buggy address:
  0x7d28fe1e0000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7d28fe1e0280: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==138206==ABORTING
```

_______________________________
Reference Info: 441055980 elfutils:fuzz-libdwfl: Heap-buffer-overflow in gelf_getshdr
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: [email protected]
cc: [email protected], [email protected], [email protected], and 1 more
collaborators: [email protected]
type: Vulnerability
access level: Default access
priority: P2
severity: S2
hotlist: Reproducible, Stability-Memory-AddressSanitizer
retention: Component default
Project: elfutils
Reported: Aug 25, 2025
Generated by Google IssueTracker notification system.
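The ASan report above shows a 64-byte read that begins exactly at the end of the 556-byte buffer that __libdw_gunzip produced, i.e. a fixed-size ELF structure fetched from an offset the decompressed image does not cover. The C below is an added example, not elfutils code and not a reconstruction of the faulting line at dwfl_report_elf.c:76; it shows the range check such a fetch needs before the memcpy. It assumes the structure being read is an Elf64_Shdr (the issue title names gelf_getshdr and the read is 64 bytes, which matches sizeof(Elf64_Shdr), but that is an inference), a little-endian Linux host with glibc's <elf.h>, and a constructed ELF64 image whose section header table is declared at file offset 556, so that a 556-byte image has its table starting at end of file, the same shape as the report. The names get_shdr_checked, build_demo_image, DEMO_SHOFF and the demo_* functions are hypothetical.

```c
/* Added example (not elfutils code): bounds-check a section header fetch
 * against the size of an in-memory ELF64 image before copying it out. */
#include <elf.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_SHOFF 556u   /* constructed: same size as the region in the report */

/* Copy section header `idx` into *out only if it lies entirely inside
 * image[0..len). Demo assumes a little-endian host, so the ELF header is
 * read without byte-swapping; real code must honour e_ident[EI_DATA]. */
static bool get_shdr_checked(const uint8_t *image, size_t len, size_t idx,
                             Elf64_Shdr *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)                       /* header itself must fit */
        return false;
    memcpy(&eh, image, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0
        || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return false;
    if (eh.e_shentsize != sizeof(Elf64_Shdr))  /* keep the demo to the fixed layout */
        return false;
    if (idx >= eh.e_shnum)
        return false;
    /* off = e_shoff + idx * e_shentsize, with the addition checked for wrap:
     * a hostile e_shoff near UINT64_MAX must not wrap back inside the image. */
    uint64_t off = eh.e_shoff;
    uint64_t span = (uint64_t)idx * eh.e_shentsize;
    if (off > UINT64_MAX - span)
        return false;
    off += span;
    /* The read is [off, off + sizeof(Elf64_Shdr)); both ends must be <= len.
     * Written as len - off to avoid overflowing off + sizeof. */
    if (off > len || len - off < sizeof(Elf64_Shdr))
        return false;
    memcpy(out, image + off, sizeof *out);
    return true;
}

/* Constructed input: a minimal ELF64 image of `len` bytes (len >= 64) whose
 * single 64-byte section header is declared at DEMO_SHOFF. When len equals
 * DEMO_SHOFF the table starts exactly at end of file, as in the report. */
static void build_demo_image(uint8_t *buf, size_t len, uint32_t sh_type)
{
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_REL;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = 1;
    eh.e_shoff = DEMO_SHOFF;
    memset(buf, 0, len);
    memcpy(buf, &eh, sizeof eh);
    if (len >= DEMO_SHOFF + sizeof(Elf64_Shdr)) {
        Elf64_Shdr sh;
        memset(&sh, 0, sizeof sh);
        sh.sh_type = sh_type;
        memcpy(buf + DEMO_SHOFF, &sh, sizeof sh);
    }
}

/* Truncated image: table declared at EOF, lookup must be refused (returns 0). */
static int demo_truncated(void)
{
    uint8_t img[DEMO_SHOFF];
    Elf64_Shdr sh;
    build_demo_image(img, sizeof img, SHT_PROGBITS);
    return get_shdr_checked(img, sizeof img, 0, &sh) ? 1 : 0;
}

/* Complete image: same lookup succeeds and returns the stored sh_type. */
static int demo_complete(void)
{
    uint8_t img[DEMO_SHOFF + sizeof(Elf64_Shdr)];
    Elf64_Shdr sh;
    build_demo_image(img, sizeof img, SHT_PROGBITS);
    if (!get_shdr_checked(img, sizeof img, 0, &sh))
        return -1;
    return (int)sh.sh_type;
}

/* Complete image with e_shoff patched to UINT64_MAX - 8 and e_shnum = 2:
 * without the wrap check, e_shoff + 64 would wrap to 55 and pass the range
 * test. Must be refused (returns 0). */
static int demo_wrapped_shoff(void)
{
    uint8_t img[DEMO_SHOFF + sizeof(Elf64_Shdr)];
    Elf64_Shdr sh;
    build_demo_image(img, sizeof img, SHT_PROGBITS);
    uint64_t bad_off = UINT64_MAX - 8;
    uint16_t two = 2;
    memcpy(img + offsetof(Elf64_Ehdr, e_shoff), &bad_off, sizeof bad_off);
    memcpy(img + offsetof(Elf64_Ehdr, e_shnum), &two, sizeof two);
    return get_shdr_checked(img, sizeof img, 1, &sh) ? 1 : 0;
}

int main(void)
{
    printf("truncated image:   lookup %s\n", demo_truncated() ? "accepted (bug)" : "refused");
    printf("complete image:    sh_type = %d\n", demo_complete());
    printf("wrapped e_shoff:   lookup %s\n", demo_wrapped_shoff() ? "accepted (bug)" : "refused");
    return 0;
}
```

The check is deliberately written as `len - off < sizeof` after `off > len`, not as `off + sizeof > len`, so neither the offset arithmetic nor the comparison can wrap; the third demo exists because a check that only compares `off + span` against `len` accepts a wrapped offset and reads from the wrong place inside the buffer, which ASan would not catch.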
