https://issues.oss-fuzz.com/issues/440177309

[email protected] added comment #2:
Valgrind reports an invalid read here. It can be reproduced by downloading
the testcase from https://oss-fuzz.com/download?testcase_id=6605030137593856 and
running `readelf -a` under Valgrind:
```
# Build elfutils with Valgrind support enabled
autoreconf -i -f
./configure --enable-maintainer-mode --enable-valgrind --enable-valgrind-annotations --with-valgrind
make V=1
# Fetch the OSS-Fuzz testcase and run the freshly built readelf under Memcheck
wget -O TESTCASE-440177309 'https://oss-fuzz.com/download?testcase_id=6605030137593856'
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf DEBUGINFOD_URLS= valgrind ./src/readelf -a TESTCASE-440177309
```
```
==240923== Memcheck, a memory error detector
==240923== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==240923== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==240923== Command: ./src/readelf -a TESTCASE-440177309
==240923==
==240923== Invalid read of size 8
==240923==    at 0x4908BC6: determine_kind (common.h:43)
==240923==    by 0x4908BC6: __libelf_read_mmaped_file (elf_begin.c:533)
==240923==    by 0x4908D3E: read_file (elf_begin.c:673)
==240923==    by 0x4909990: dup_elf (elf_begin.c:1117)
==240923==    by 0x489B569: process_archive (offline.c:258)
==240923==    by 0x489B569: process_file (offline.c:128)
==240923==    by 0x489B680: process_archive_member (offline.c:235)
==240923==    by 0x489B680: process_archive (offline.c:265)
==240923==    by 0x489B680: process_file (offline.c:128)
==240923==    by 0x489B954: __libdwfl_report_offline (offline.c:295)
==240923==    by 0x4067B6: create_dwfl (readelf.c:970)
==240923==    by 0x40697F: process_file (readelf.c:1014)
==240923==    by 0x401BF1: main (readelf.c:482)
==240923==  Address 0x4cdb3d8 is 8 bytes before a block of size 272 alloc'd
==240923==    at 0x48463F3: calloc (vg_replace_malloc.c:1675)
==240923==    by 0x4908C51: allocate_elf (common.h:71)
==240923==    by 0x4908C51: file_read_ar (elf_begin.c:57)
==240923==    by 0x4908C51: __libelf_read_mmaped_file (elf_begin.c:542)
==240923==    by 0x48AB683: decompress (open.c:84)
==240923==    by 0x48AB963: what_kind (open.c:115)
==240923==    by 0x48AB963: libdw_open_elf (open.c:136)
==240923==    by 0x48ABAB6: __libdw_open_file (open.c:199)
==240923==    by 0x489B935: __libdwfl_report_offline (offline.c:289)
==240923==    by 0x4067B6: create_dwfl (readelf.c:970)
==240923==    by 0x40697F: process_file (readelf.c:1014)
==240923==    by 0x401BF1: main (readelf.c:482)
==240923==
./src/readelf: cannot stat input file: Bad file descriptor
==240923==
==240923== HEAP SUMMARY:
==240923==     in use at exit: 161 bytes in 3 blocks
==240923==   total heap usage: 512 allocs, 509 frees, 473,876 bytes allocated
==240923==
==240923== LEAK SUMMARY:
==240923==    definitely lost: 161 bytes in 3 blocks
==240923==    indirectly lost: 0 bytes in 0 blocks
==240923==      possibly lost: 0 bytes in 0 blocks
==240923==    still reachable: 0 bytes in 0 blocks
==240923==         suppressed: 0 bytes in 0 blocks
==240923== Rerun with --leak-check=full to see details of leaked memory
==240923==
==240923== For lists of detected and suppressed errors, rerun with: -s
==240923== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
_______________________________

Reference Info: 440177309 elfutils:fuzz-libdwfl: Use-of-uninitialized-value in __libelf_read_mmaped_file
component:  Public Trackers > 1362134 > OSS Fuzz
status:  New
reporter:  [email protected]
cc:  [email protected], [email protected], [email protected], and 1 more
collaborators:  [email protected]
type:  Vulnerability
access level:  Default access
priority:  P2
severity:  S2
hotlist:  Reproducible, Stability-Memory-MemorySanitizer
retention:  Component default
Project:  elfutils
Reported:  Aug 21, 2025
