https://issues.oss-fuzz.com/issues/442253757
[email protected] added comment #4:

In the meantime I reproduced it locally by installing clang and running the following commands:

```
git clone --depth=1 https://github.com/google/oss-fuzz
cd oss-fuzz/projects/elfutils
git clone https://sourceware.org/git/elfutils.git
./build.sh
wget -O TESTCASE-442253757 https://oss-fuzz.com/download?testcase_id=6310572573655040
./out/fuzz-libdwfl TESTCASE-442253757
```

```
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1048008096
INFO: Loaded 1 modules (18756 inline 8-bit counters): 18756 [0x7b2718, 0x7b705c),
INFO: Loaded 1 PC tables (18756 PCs): 18756 [0x7b7060,0x8004a0),
./out/fuzz-libdwfl: Running 1 inputs 1 time(s) each.
Running: TESTCASE-442253757
=================================================================
==126417==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff7eadb6000 at pc 0x00000053e64f bp 0x7ffc87d01740 sp 0x7ffc87d00f00
READ of size 196607 at 0x7ff7eadb6000 thread T0
    #0 0x00000053e64e in __asan_memcpy (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x53e64e) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)
    #1 0x000000663ede in memcpy /usr/include/bits/string_fortified.h:29:10
    #2 0x000000663ede in convert_data /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libelf/elf_getdata.c:188:4
    #3 0x000000663ede in __libelf_set_data_list_rdlock /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libelf/elf_getdata.c:455:7
    #4 0x0000006644dc in __elf_getdata_rdlock /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libelf/elf_getdata.c:562:5
    #5 0x00000066b7c1 in elf_compress_gnu /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libelf/elf_compress_gnu.c:150:24
    #6 0x0000005f8687 in check_section /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdw/dwarf_begin_elf.c:234:5
    #7 0x0000005f7742 in global_read /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdw/dwarf_begin_elf.c:467:14
    #8 0x0000005f7742 in dwarf_begin_elf /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdw/dwarf_begin_elf.c:627:9
    #9 0x00000058c765 in load_dw /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdwfl/dwfl_module_getdwarf.c:1369:13
    #10 0x00000058ad06 in find_dw /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdwfl/dwfl_module_getdwarf.c:1422:16
    #11 0x00000058ad06 in dwfl_module_getdwarf /home/vagrant/oss-fuzz/projects/elfutils/elfutils/libdwfl/dwfl_module_getdwarf.c:1477:3
    #12 0x000000586abb in LLVMFuzzerTestOneInput /home/vagrant/oss-fuzz/projects/elfutils/fuzz-libdwfl.c:54:3
    #13 0x00000041ef4f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
    #14 0x000000409a46 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #15 0x00000040f859 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #16 0x00000043b886 in main (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x43b886) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)
    #17 0x7ff7eb411574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #18 0x7ff7eb411627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #19 0x0000004022b4 in _start (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x4022b4) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)

0x7ff7eadb6000 is located 6144 bytes before 292183-byte region [0x7ff7eadb7800,0x7ff7eadfed57)
allocated by thread T0 here:
    #0 0x000000540958 in malloc (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x540958) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)
    #1 0x0000006ac8a7 in operator new(unsigned long) fuzzer.o
    #2 0x000000409a46 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #3 0x00000040f859 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #4 0x00000043b886 in main (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x43b886) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)
    #5 0x7ff7eb411574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #6 0x7ff7eb411627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #7 0x0000004022b4 in _start (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x4022b4) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vagrant/oss-fuzz/projects/elfutils/out/fuzz-libdwfl+0x53e64e) (BuildId: 4c6d2e445a7a161304a47d9163f4c3b8cc98dfb7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x7ff7eadb5d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7eadb5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7eadb5e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7eadb5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7eadb5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ff7eadb6000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ff7eadb6080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ff7eadb6100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ff7eadb6180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ff7eadb6200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ff7eadb6280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==126417==ABORTING
```
Reference Info: 442253757 elfutils:fuzz-libdwfl: Heap-buffer-overflow in __libelf_set_data_list_rdlock
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: [email protected]
cc: [email protected], [email protected], [email protected], and 1 more
collaborators: [email protected]
type: Vulnerability
access level: Default access
priority: P2
severity: S2
hotlist: Reproducible, Stability-Memory-AddressSanitizer
retention: Component default
Project: elfutils
Reported: Aug 31, 2025
Generated by Google IssueTracker notification system.
