https://issues.oss-fuzz.com/issues/440209723

[email protected] added comment #2:
Looks like it's still reproducible. It can be reproduced by running
`readelf -a` with the testcase downloaded from
https://oss-fuzz.com/download?testcase_id=5887830124724224 under Valgrind:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-valgrind --enable-valgrind-annotations --with-valgrind
make V=1
wget -O TESTCASE-440209723 https://oss-fuzz.com/download?testcase_id=5887830124724224
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf DEBUGINFOD_URLS= valgrind --leak-check=full ./src/readelf -a TESTCASE-440209723
```
```
==26780== Memcheck, a memory error detector
==26780== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==26780== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==26780== Command: ./src/readelf -a TESTCASE-440209723
==26780==
./src/readelf: failed reading 'TESTCASE-440209723': not a valid ELF file
==26780==
==26780== HEAP SUMMARY:
==26780==     in use at exit: 161 bytes in 3 blocks
==26780==   total heap usage: 472 allocs, 469 frees, 33,314 bytes allocated
==26780==
==26780== 16 bytes in 1 blocks are definitely lost in loss record 1 of 3
==26780==    at 0x483EB26: malloc (vg_replace_malloc.c:446)
==26780==    by 0x49098D8: copy_arhdr (elf_begin.c:839)
==26780==    by 0x49098D8: dup_elf (elf_begin.c:1111)
==26780==    by 0x489B569: process_archive (offline.c:258)
==26780==    by 0x489B569: process_file (offline.c:128)
==26780==    by 0x489B954: __libdwfl_report_offline (offline.c:295)
==26780==    by 0x4067B6: create_dwfl (readelf.c:970)
==26780==    by 0x40697F: process_file (readelf.c:1014)
==26780==    by 0x401BF1: main (readelf.c:482)
==26780==
==26780== 17 bytes in 1 blocks are definitely lost in loss record 2 of 3
==26780==    at 0x483EB26: malloc (vg_replace_malloc.c:446)
==26780==    by 0x4909923: copy_arhdr (elf_begin.c:848)
==26780==    by 0x4909923: dup_elf (elf_begin.c:1111)
==26780==    by 0x489B569: process_archive (offline.c:258)
==26780==    by 0x489B569: process_file (offline.c:128)
==26780==    by 0x489B954: __libdwfl_report_offline (offline.c:295)
==26780==    by 0x4067B6: create_dwfl (readelf.c:970)
==26780==    by 0x40697F: process_file (readelf.c:1014)
==26780==    by 0x401BF1: main (readelf.c:482)
==26780==
==26780== 128 bytes in 1 blocks are definitely lost in loss record 3 of 3
==26780==    at 0x48463F3: calloc (vg_replace_malloc.c:1675)
==26780==    by 0x4898280: dwfl_begin (dwfl_begin.c:44)
==26780==    by 0x406796: create_dwfl (readelf.c:966)
==26780==    by 0x40697F: process_file (readelf.c:1014)
==26780==    by 0x401BF1: main (readelf.c:482)
==26780==
==26780== LEAK SUMMARY:
==26780==    definitely lost: 161 bytes in 3 blocks
==26780==    indirectly lost: 0 bytes in 0 blocks
==26780==      possibly lost: 0 bytes in 0 blocks
==26780==    still reachable: 0 bytes in 0 blocks
==26780==         suppressed: 0 bytes in 0 blocks
==26780==
==26780== For lists of detected and suppressed errors, rerun with: -s
==26780== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
```

As far as I can see OSS-Fuzz reports the same memory leaks when it runs
https://github.com/google/oss-fuzz/blob/master/projects/elfutils/fuzz-libdwfl.c with
that testcase under ASan:
```
==399==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 17 byte(s) in 1 object(s) allocated from:
    #0 0x5bb23076726f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5bb230874f4f in copy_arhdr /src/elfutils/libelf/elf_begin.c:848:24
    #2 0x5bb230874f4f in dup_elf /src/elfutils/libelf/elf_begin.c:1111:7
    #3 0x5bb230874f4f in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1182:10
    #4 0x5bb2307a8fe3 in process_archive /src/elfutils/libdwfl/offline.c:258:17
    #5 0x5bb2307a8fe3 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #6 0x5bb2307a98f0 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:295:22
    #7 0x5bb2307a98f0 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:324:10
    #8 0x5bb2307a6c11 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:53:22
    #9 0x5bb23065b4a0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x5bb230646715 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x5bb23064c1af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x5bb230677452 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7e6d8dab9082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16

================================================================================
The following leaks are not necessarily related to the first leak.

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x5bb23076726f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5bb230874ee1 in copy_arhdr /src/elfutils/libelf/elf_begin.c:839:21
    #2 0x5bb230874ee1 in dup_elf /src/elfutils/libelf/elf_begin.c:1111:7
    #3 0x5bb230874ee1 in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1182:10
    #4 0x5bb2307a8fe3 in process_archive /src/elfutils/libdwfl/offline.c:258:17
    #5 0x5bb2307a8fe3 in process_file /src/elfutils/libdwfl/offline.c:128:14
    #6 0x5bb2307a98f0 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:295:22
    #7 0x5bb2307a98f0 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:324:10
    #8 0x5bb2307a6c11 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:53:22
    #9 0x5bb23065b4a0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x5bb230646715 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x5bb23064c1af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x5bb230677452 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7e6d8dab9082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 33 byte(s) leaked in 2 allocation(s).

INFO: a leak has been found in the initial corpus.
```
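As an added triage helper (not part of the comment above, of elfutils or of the fuzz harness), the script below parses the Valgrind and LeakSanitizer records quoted in this comment, keys each leak on its first non-allocator frame (file and line), and checks the claim that both tools flag the same allocation sites; the embedded log excerpts are constructed from the output above, and the leak that only Valgrind sees (the `dwfl_begin` calloc under `readelf`) falls out as a difference.

```python
import re
from os.path import basename

# Constructed excerpts of the two reports quoted in the comment above
# (Valgrind under readelf, LeakSanitizer under the fuzz-libdwfl harness).
VALGRIND_LOG = """\
==26780== 16 bytes in 1 blocks are definitely lost in loss record 1 of 3
==26780==    at 0x483EB26: malloc (vg_replace_malloc.c:446)
==26780==    by 0x49098D8: copy_arhdr (elf_begin.c:839)
==26780== 17 bytes in 1 blocks are definitely lost in loss record 2 of 3
==26780==    at 0x483EB26: malloc (vg_replace_malloc.c:446)
==26780==    by 0x4909923: copy_arhdr (elf_begin.c:848)
==26780== 128 bytes in 1 blocks are definitely lost in loss record 3 of 3
==26780==    at 0x48463F3: calloc (vg_replace_malloc.c:1675)
==26780==    by 0x4898280: dwfl_begin (dwfl_begin.c:44)
"""
ASAN_LOG = """\
Direct leak of 17 byte(s) in 1 object(s) allocated from:
    #0 0x5bb23076726f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5bb230874f4f in copy_arhdr /src/elfutils/libelf/elf_begin.c:848:24
Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x5bb23076726f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5bb230874ee1 in copy_arhdr /src/elfutils/libelf/elf_begin.c:839:21
"""

VG_HEAD = re.compile(r"==\d+== (\d+) bytes in \d+ blocks are definitely lost")
VG_FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:)]+):(\d+)\)")
ASAN_HEAD = re.compile(r"Direct leak of (\d+) byte\(s\)")
ASAN_FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")
ALLOCATORS = {"malloc", "calloc", "realloc", "__interceptor_malloc", "__interceptor_calloc"}

def parse_leaks(text, head_re, frame_re):
    """Return {(file, line): leaked bytes}, keyed by the first non-allocator frame."""
    sites, nbytes = {}, None
    for line in text.splitlines():
        m = head_re.search(line)
        if m:
            nbytes = int(m.group(1))   # new record: wait for its first real frame
            continue
        m = frame_re.search(line)
        if m and nbytes is not None and m.group(1) not in ALLOCATORS:
            sites[(basename(m.group(2)), int(m.group(3)))] = nbytes
            nbytes = None              # deeper frames of this record are ignored

    return sites

def compare_reports(vg_text, asan_text):
    """Split allocation sites into those both tools report (same size) and tool-only ones."""
    vg = parse_leaks(vg_text, VG_HEAD, VG_FRAME)
    asan = parse_leaks(asan_text, ASAN_HEAD, ASAN_FRAME)
    common = {s for s in vg if s in asan and vg[s] == asan[s]}
    return {"common": common, "valgrind_only": set(vg) - common, "asan_only": set(asan) - common}
```

Feeding the two full reports from this comment into `compare_reports` reproduces the comment's observation: the `copy_arhdr` sites at `elf_begin.c:839` and `:848` are common, while the 128-byte `dwfl_begin` block is only lost in the `readelf` run.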
_______________________________

Reference Info: 440209723 elfutils:fuzz-libdwfl: Direct-leak in lock_dup_elf
component:  Public Trackers > 1362134 > OSS Fuzz
status:  New
reporter:  [email protected]
cc:  [email protected], [email protected], [email protected], and 1 more
collaborators:  [email protected]
type:  Bug
access level:  Default access
priority:  P2
severity:  S4
hotlist:  Reproducible, Stability-Memory-AddressSanitizer, Stability-Memory-LeakSanitizer
retention:  Component default
Project:  elfutils
Reported:  Aug 21, 2025


Generated by Google IssueTracker notification system.