https://issues.oss-fuzz.com/issues/443254909
[email protected] added comment #2:
I haven't been able to reproduce it locally with the toolchain provided by
OSS-Fuzz but Valgrind reports invalid reads pointing to the place OSS-Fuzz
reports:
```
autoreconf -i -f
./configure --enable-maintainer-mode
make V=1
wget -O TESTCASE-443254909 https://oss-fuzz.com/download?testcase_id=5817803392483328
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf DEBUGINFOD_URLS= valgrind ./src/readelf -a TESTCASE-443254909
```
```
==229051== Memcheck, a memory error detector
==229051== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==229051== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==229051== Command: ./src/readelf -a TESTCASE-443254909
==229051==
==229051== Invalid read of size 8
==229051== at 0x490C6C2: __bswap_64 (byteswap.h:73)
==229051== by 0x490C6C2: __elf64_getphdr_wrlock.part.0 (elf32_getphdr.c:167)
==229051== by 0x490CA39: gelf_getphdr (gelf_getphdr.c:111)
==229051== by 0x4898BFB: __libdwfl_elf_address_range (dwfl_report_elf.c:183)
==229051== by 0x4898F20: __libdwfl_report_elf (dwfl_report_elf.c:247)
==229051== by 0x489B4DB: process_elf (offline.c:137)
==229051== by 0x489B4DB: process_file (offline.c:125)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== Address 0x4935ff9 is in a rw- mapped file /home/vagrant/elfutils/TESTCASE-443254909 segment
==229051==
==229051==
==229051== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==229051== Access not within mapped region at address 0x4936000
==229051== at 0x490C6C2: __bswap_64 (byteswap.h:73)
==229051== by 0x490C6C2: __elf64_getphdr_wrlock.part.0 (elf32_getphdr.c:167)
==229051== by 0x490CA39: gelf_getphdr (gelf_getphdr.c:111)
==229051== by 0x4898BFB: __libdwfl_elf_address_range (dwfl_report_elf.c:183)
==229051== by 0x4898F20: __libdwfl_report_elf (dwfl_report_elf.c:247)
==229051== by 0x489B4DB: process_elf (offline.c:137)
==229051== by 0x489B4DB: process_file (offline.c:125)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== by 0x489B680: process_archive_member (offline.c:235)
==229051== by 0x489B680: process_archive (offline.c:265)
==229051== by 0x489B680: process_file (offline.c:128)
==229051== If you believe this happened as a result of a stack
==229051== overflow in your program's main thread (unlikely but
==229051== possible), you can try to increase the size of the
==229051== main thread stack using the --main-stacksize= flag.
==229051== The main thread stack size used in this run was 8388608.
==229051==
==229051== HEAP SUMMARY:
==229051== in use at exit: 41,332 bytes in 444 blocks
==229051== total heap usage: 647 allocs, 203 frees, 54,722 bytes allocated
==229051==
==229051== LEAK SUMMARY:
==229051== definitely lost: 0 bytes in 0 blocks
==229051== indirectly lost: 0 bytes in 0 blocks
==229051== possibly lost: 0 bytes in 0 blocks
==229051== still reachable: 41,332 bytes in 444 blocks
==229051== suppressed: 0 bytes in 0 blocks
==229051== Rerun with --leak-check=full to see details of leaked memory
==229051==
==229051== For lists of detected and suppressed errors, rerun with: -s
==229051== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```
Just in case, here is the backtrace OSS-Fuzz reported when it ran https://github.com/google/oss-fuzz/blob/master/projects/elfutils/fuzz-libdwfl.c with the testcase downloaded from https://oss-fuzz.com/testcase?key=5817803392483328:
```
==399==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7a4421539000 (pc 0x7a4423632963 bp 0x7ffca8cec3d0 sp 0x7ffca8cec378 T399)
==399==The signal is caused by a READ memory access.
    #0 0x7a4423632963 in memmove-vec-unaligned-erms.S:262 /build/glibc-LcI20x/glibc-2.31/sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:262
    #1 0x5ad2e0f6ab6d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5ad2e0f6ab6d in __elf64_getphdr_wrlock /src/elfutils/libelf/elf32_getphdr.c:155:9
    #3 0x5ad2e0f5d1c5 in gelf_getphdr /src/elfutils/libelf/gelf_getphdr.c:111:11
    #4 0x5ad2e0f1942f in __libdwfl_elf_address_range /src/elfutils/libdwfl/dwfl_report_elf.c:183:30
    #5 0x5ad2e0f19c74 in __libdwfl_report_elf /src/elfutils/libdwfl/dwfl_report_elf.c:247:9
    #6 0x5ad2e0e92785 in process_elf /src/elfutils/libdwfl/offline.c:137:22
    #7 0x5ad2e0e92785 in process_file /src/elfutils/libdwfl/offline.c:125:14
    #8 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #9 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #10 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #11 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #12 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #13 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #14 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #15 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #16 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #17 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #18 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #19 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #20 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #21 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #22 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #23 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #24 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #25 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #26 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #27 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #28 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #29 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #30 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #31 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #32 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #33 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #34 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #35 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #36 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #37 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #38 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #39 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #40 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #41 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #42 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #43 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #44 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #45 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #46 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #47 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #48 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #49 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #50 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #51 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #52 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #53 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #54 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #55 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #56 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #57 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #58 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #59 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #60 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #61 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #62 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #63 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #64 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #65 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #66 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #67 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #68 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #69 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #70 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #71 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #72 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #73 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #74 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #75 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #76 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #77 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #78 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #79 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #80 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #81 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #82 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #83 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #84 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #85 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #86 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #87 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #88 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #89 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #90 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #91 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #92 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #93 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #94 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #95 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #96 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #97 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #98 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #99 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #100 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #101 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #102 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #103 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #104 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #105 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #106 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #107 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #108 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #109 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #110 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #111 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #112 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #113 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #114 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #115 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #116 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #117 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #118 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #119 0x5ad2e0e92ae9 in process_archive_member /src/elfutils/libdwfl/offline.c:235:10
    #120 0x5ad2e0e92ae9 in process_archive /src/elfutils/libdwfl/offline.c:265:10
    #121 0x5ad2e0e92ae9 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #122 0x5ad2e0e92eac in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:295:22
    #123 0x5ad2e0e92eac in dwfl_report_offline /src/elfutils/libdwfl/offline.c:324:10
    #124 0x5ad2e0e90679 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:53:22
    #125 0x5ad2e0df2a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #126 0x5ad2e0dddc95 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #127 0x5ad2e0de372f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #128 0x5ad2e0e0e9d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #129 0x7a44234cb082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
    #130 0x5ad2e0dd5e7d in _start

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b963) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
==399==ABORTING
```
_______________________________
Reference Info: 443254909 elfutils:fuzz-libdwfl: Crash in __elf64_getphdr_wrlock
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: [email protected]
cc: [email protected], [email protected], [email protected], and 1 more
collaborators: [email protected]
type: Vulnerability
access level: Default access
priority: P2
severity: S2
hotlist: Reproducible, Stability-UndefinedBehaviorSanitizer
retention: Component default
Project: elfutils
Reported: Sep 5, 2025
Generated by Google IssueTracker notification system.
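The two traces agree on where the read happens: __elf64_getphdr_wrlock copying (memcpy at elf32_getphdr.c:155 under the sanitizer) and byte-swapping (__bswap_64 at line 167 under Valgrind) the ELF64 program-header table, with Valgrind placing the 8-byte read seven bytes before the end of the mapped testcase and the next access exactly at the end of the mapping. In other words, the table that e_phoff, e_phentsize and e_phnum describe does not fit in the bytes the file actually contains. The block below is an added illustration of the bounds check a program-header reader needs before touching the table; it is example code, not elfutils' own, and makes no claim about where the root cause or the fix in elfutils lies. All names in it (phdr_table_in_bounds, make_ehdr_msb, check_file and the demo_* functions) are mine, the header bytes are constructed for the example rather than taken from the testcase, and big-endian input is used so that the swapped-endianness case behind the __bswap_64 frame is the one exercised. The byte offsets (e_phoff at 32, e_phentsize at 54, e_phnum at 56) are those of the ELF64 header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not elfutils code.  A program-header table is located by
   three Elf64_Ehdr fields (e_phoff, e_phentsize, e_phnum) that come straight
   from the file, so a reader has to prove phoff + phnum*phentsize fits inside
   the bytes it actually has before memcpy'ing or byte-swapping the table. */

#define ELF64_EHDR_SIZE 64
#define ELF64_PHDR_SIZE 56
#define CLASS64  2   /* e_ident[EI_CLASS] */
#define DATA2LSB 1   /* e_ident[EI_DATA]: little endian */
#define DATA2MSB 2   /* e_ident[EI_DATA]: big endian */

static uint16_t rd16(const uint8_t *p, int msb)
{
  return msb ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

static uint64_t rd64(const uint8_t *p, int msb)
{
  uint64_t v = 0;
  for (int i = 0; i < 8; i++)
    v = (v << 8) | (msb ? p[i] : p[7 - i]);
  return v;
}

/* Return 1 when the ELF64 program-header table lies entirely within
   buf[0..len), 0 otherwise; *reason names the check that failed. */
int phdr_table_in_bounds(const uint8_t *buf, size_t len, const char **reason)
{
  *reason = NULL;
  if (len < ELF64_EHDR_SIZE)             { *reason = "shorter than Elf64_Ehdr"; return 0; }
  if (memcmp(buf, "\x7f" "ELF", 4) != 0) { *reason = "bad ELF magic";           return 0; }
  if (buf[4] != CLASS64)                 { *reason = "not ELFCLASS64";          return 0; }
  int msb;
  if (buf[5] == DATA2LSB)      msb = 0;
  else if (buf[5] == DATA2MSB) msb = 1;
  else                         { *reason = "bad EI_DATA"; return 0; }

  uint64_t phoff     = rd64(buf + 32, msb);
  uint16_t phentsize = rd16(buf + 54, msb);
  uint16_t phnum     = rd16(buf + 56, msb);

  if (phnum == 0) return 1;                            /* no table to read */
  if (phentsize != ELF64_PHDR_SIZE) { *reason = "unexpected e_phentsize"; return 0; }

  /* phnum*phentsize <= 65535*56, so the product cannot overflow; compare it
     against the bytes remaining after phoff instead of adding it to phoff,
     which an attacker-chosen phoff near UINT64_MAX would wrap. */
  uint64_t table = (uint64_t)phnum * phentsize;
  if (phoff > len || table > len - phoff) { *reason = "phdr table past end of file"; return 0; }
  return 1;
}

/* Constructed test input (not a real binary): a big-endian ELF64 header,
   matching the __bswap_64 frame in the Valgrind trace, with chosen fields. */
static void make_ehdr_msb(uint8_t *out, uint64_t phoff, uint16_t phentsize, uint16_t phnum)
{
  memset(out, 0, ELF64_EHDR_SIZE);
  memcpy(out, "\x7f" "ELF", 4);
  out[4] = CLASS64; out[5] = DATA2MSB; out[6] = 1;            /* EI_VERSION */
  for (int i = 0; i < 8; i++) out[32 + i] = (uint8_t)(phoff >> (56 - 8 * i));
  out[53] = ELF64_EHDR_SIZE;                                    /* e_ehsize */
  out[54] = (uint8_t)(phentsize >> 8); out[55] = (uint8_t)phentsize;
  out[56] = (uint8_t)(phnum >> 8);     out[57] = (uint8_t)phnum;
}

/* Pretend the file is `len` bytes long (zero-filled after the header) and
   run the check on it. */
static int check_file(size_t len, uint64_t phoff, uint16_t phnum, const char **why)
{
  uint8_t buf[256]; memset(buf, 0, sizeof buf);
  make_ehdr_msb(buf, phoff, ELF64_PHDR_SIZE, phnum);
  return phdr_table_in_bounds(buf, len, why);
}

/* Two phdrs (112 bytes) at offset 64 need a 176-byte file; in a 100-byte
   file the second phdr would be read 76 bytes past the end. */
int demo_truncated(void)      { const char *w; return check_file(100, 64, 2, &w); }
/* The same header in a file that really holds the whole table. */
int demo_complete(void)       { const char *w; return check_file(176, 64, 2, &w); }
/* e_phoff near UINT64_MAX: a naive phoff + size test would wrap to a small value. */
int demo_wrapping_phoff(void) { const char *w; return check_file(176, UINT64_MAX - 8, 1, &w); }

int main(void)
{
  const char *why = NULL;
  int ok = check_file(100, 64, 2, &why);
  printf("truncated file: ok=%d reason=%s\n", ok, why ? why : "none");
  printf("complete file: ok=%d\n", demo_complete());
  printf("wrapping e_phoff: ok=%d\n", demo_wrapping_phoff());
  return 0;
}
```

The comparison `table > len - phoff` after `phoff > len` is the part worth copying: it never forms `phoff + table`, so a header whose offset sits near the top of the address space cannot wrap the sum back inside the file. The same shape of check applies to every table an ELF reader locates through header fields (section headers, string tables, notes), and to each member a nested archive reader like the process_archive frames above descends into.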