https://issues.oss-fuzz.com/issues/443547551
[email protected] added comment #2:

It can be reproduced by building elfutils with ASan, downloading the testcase from https://oss-fuzz.com/download?testcase_id=6696954508935168 and running `readelf -a`:

```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address
make V=1
wget -O TESTCASE-443547551 https://oss-fuzz.com/download?testcase_id=6696954508935168
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf ./src/readelf -a TESTCASE-443547551
```

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50470==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8fd24a8fed bp 0x7fff64d273f0 sp 0x7fff64d26b80 T0)
==50470==The signal is caused by a READ memory access.
==50470==Hint: address points to the zero page.
    #0 0x7f8fd24a8fed in strcmp.part.0 (/lib64/libasan.so.8+0xa8fed) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
    #1 0x7f8fd20b1b86 in process_archive_member /home/vagrant/elfutils/libdwfl/offline.c:184
    #2 0x7f8fd20b1b86 in process_archive /home/vagrant/elfutils/libdwfl/offline.c:265
    #3 0x7f8fd20b1b86 in process_file /home/vagrant/elfutils/libdwfl/offline.c:128
    #4 0x7f8fd20b25da in __libdwfl_report_offline /home/vagrant/elfutils/libdwfl/offline.c:295
    #5 0x00000040fb04 in create_dwfl /home/vagrant/elfutils/src/readelf.c:970
    #6 0x00000040fe62 in process_file /home/vagrant/elfutils/src/readelf.c:1014
    #7 0x00000040295c in main /home/vagrant/elfutils/src/readelf.c:482
    #8 0x7f8fd2211574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #9 0x7f8fd2211627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #10 0x0000004047d4 in _start (/home/vagrant/elfutils/src/readelf+0x4047d4) (BuildId: 3631d44f26b38cb673867ac59d8fc922824d4cbd)

==50470==Register values:
rax = 0x0000000000000001  rbx = 0x00007cafd0be04c0  rcx = 0x00007cafd0be0358  rdx = 0x0000000000000000
rdi = 0x0000000000000000  rsi = 0x00007f8fd21a8ce0  rbp = 0x00007fff64d273f0  rsp = 0x00007fff64d26b80
r8  = 0x00007f8fd2355801  r9  = 0x0000000000000000  r10 = 0x0000000000000000  r11 = 0x00007f8fd241e019
r12 = 0x0000000000000000  r13 = 0x00007f8fd21a8ce0  r14 = 0x0000000000000000  r15 = 0x00000f95fa17c0a7
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/vagrant/elfutils/libdwfl/offline.c:184 in process_archive_member
==50470==ABORTING
```

It's reproducible with Valgrind as well:

```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-valgrind --enable-valgrind-annotations --with-valgrind
make V=1
wget -O TESTCASE-443547551 https://oss-fuzz.com/download?testcase_id=6696954508935168
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf DEBUGINFOD_URLS= valgrind ./src/readelf -a TESTCASE-443547551
```

```
==61649== Memcheck, a memory error detector
==61649== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==61649== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==61649== Command: ./src/readelf -a TESTCASE-443547551
==61649==
==61649== realloc() with size 0
==61649==    at 0x4846607: realloc (vg_replace_malloc.c:1801)
==61649==    by 0x48AF5EA: smaller_buffer (gzip.c:108)
==61649==    by 0x48AF5EA: __libdw_gunzip (gzip.c:394)
==61649==    by 0x48AB664: decompress (open.c:67)
==61649==    by 0x48AB963: what_kind (open.c:115)
==61649==    by 0x48AB963: libdw_open_elf (open.c:136)
==61649==    by 0x48ABAB6: __libdw_open_file (open.c:200)
==61649==    by 0x489B935: __libdwfl_report_offline (offline.c:289)
==61649==    by 0x4067B6: create_dwfl (readelf.c:970)
==61649==    by 0x40697F: process_file (readelf.c:1014)
==61649==    by 0x401BF1: main (readelf.c:482)
==61649==  Address 0x4cda6d0 is 0 bytes inside a block of size 1,024 alloc'd
==61649==    at 0x4846607: realloc (vg_replace_malloc.c:1801)
==61649==    by 0x48AF47F: bigger_buffer (gzip.c:94)
==61649==    by 0x48AF47F: __libdw_gunzip (gzip.c:375)
==61649==    by 0x48AB664: decompress (open.c:67)
==61649==    by 0x48AB963: what_kind (open.c:115)
==61649==    by 0x48AB963: libdw_open_elf (open.c:136)
==61649==    by 0x48ABAB6: __libdw_open_file (open.c:200)
==61649==    by 0x489B935: __libdwfl_report_offline (offline.c:289)
==61649==    by 0x4067B6: create_dwfl (readelf.c:970)
==61649==    by 0x40697F: process_file (readelf.c:1014)
==61649==    by 0x401BF1: main (readelf.c:482)
==61649==
==61649== Invalid read of size 1
==61649==    at 0x489B5DB: process_archive_member (offline.c:184)
==61649==    by 0x489B5DB: process_archive (offline.c:265)
==61649==    by 0x489B5DB: process_file (offline.c:128)
==61649==    by 0x489B954: __libdwfl_report_offline (offline.c:295)
==61649==    by 0x4067B6: create_dwfl (readelf.c:970)
==61649==    by 0x40697F: process_file (readelf.c:1014)
==61649==    by 0x401BF1: main (readelf.c:482)
==61649==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==61649==
==61649==
==61649== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==61649==  Access not within mapped region at address 0x0
==61649==    at 0x489B5DB: process_archive_member (offline.c:184)
==61649==    by 0x489B5DB: process_archive (offline.c:265)
==61649==    by 0x489B5DB: process_file (offline.c:128)
==61649==    by 0x489B954: __libdwfl_report_offline (offline.c:295)
==61649==    by 0x4067B6: create_dwfl (readelf.c:970)
==61649==    by 0x40697F: process_file (readelf.c:1014)
==61649==    by 0x401BF1: main (readelf.c:482)
==61649==  If you believe this happened as a result of a stack
==61649==  overflow in your program's main thread (unlikely but
==61649==  possible), you can try to increase the size of the
==61649==  main thread stack using the --main-stacksize= flag.
==61649==  The main thread stack size used in this run was 8388608.
==61649==
==61649== HEAP SUMMARY:
==61649==     in use at exit: 19,321 bytes in 254 blocks
==61649==   total heap usage: 466 allocs, 212 frees, 469,712 bytes allocated
==61649==
==61649== LEAK SUMMARY:
==61649==    definitely lost: 0 bytes in 0 blocks
==61649==    indirectly lost: 0 bytes in 0 blocks
==61649==      possibly lost: 0 bytes in 0 blocks
==61649==    still reachable: 19,321 bytes in 254 blocks
==61649==         suppressed: 0 bytes in 0 blocks
==61649== Rerun with --leak-check=full to see details of leaked memory
==61649==
==61649== For lists of detected and suppressed errors, rerun with: -s
==61649== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```

_______________________________

Reference Info: 443547551 elfutils:fuzz-libdwfl: Null-dereference READ in process_file
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: [email protected]
cc: [email protected], [email protected], [email protected], and 1 more
collaborators: [email protected]
type: Bug
access level: Default access
priority: P2
severity: S4
hotlist: Reproducible, Stability-Memory-AddressSanitizer
retention: Component default
Project: elfutils
Reported: Sep 8, 2025
