Issue 42877 in oss-fuzz: elfutils:fuzz-dwfl-core: Crash in dwfl_segment_report_module
Updates:
    Labels: ClusterFuzz-Verified
    Status: Verified

Comment #2 on issue 42877 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Crash in dwfl_segment_report_module
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42877#c2

ClusterFuzz testcase 4756614962348032 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_ubsan_elfutils&range=202201031800:20220104

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.
Issue 43307 in oss-fuzz: elfutils:fuzz-dwfl-core: Crash in read_addrs
Status: New
Owner: 
CC: elfut...@sourceware.org, evv...@gmail.com, izz...@google.com
Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Engine-libfuzzer OS-Linux Security_Severity-Medium Proj-elfutils Reported-2022-01-04
Type: Bug-Security

New issue 43307 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Crash in read_addrs
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307

Detailed Report: https://oss-fuzz.com/testcase?key=4696722113167360

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-dwfl-core
Job Type: libfuzzer_asan_i386_elfutils
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xf75b3fe0
Crash State:
  read_addrs
  dwfl_link_map_report
  dwfl_core_file_report

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Crash Revision: https://oss-fuzz.com/revisions?job=libfuzzer_asan_i386_elfutils&revision=202201040606

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4696722113167360

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.

When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #8 from Evgeny Vereshchagin ---
(In reply to Mark Wielaard from comment #7)
> commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> Author: Mark Wielaard
> Date:   Fri Dec 24 02:01:32 2021 +0100
> 
>     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> 
>     The gcc undefined sanitizer doesn't like the trick we use to calculate
>     the (possibly) unaligned addresses to read. So calculate them by hand
>     as unsigned char pointers.
> 
>     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> 
>     Signed-off-by: Mark Wielaard
> 
> Which should this particular issue.

I'm not sure but it seems it can still be triggered with that commit applied:
```
$ git log --oneline -5
9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
4fdd8588 libdwfl: Always clean up build_id.memory
8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module

$ autoreconf -i -f
$ ./configure --enable-maintainer-mode --enable-sanitize-undefined
$ make -j$(nproc) V=1

$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./attachment.cgi\?id\=13875
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f5cd5612077: note: pointer points here
 00 10 00 00 00 00 00 00  00 00 02 01 00 00 00 00  00 00 7f 45 46 4c 46 00  00 01 01 00 01 00 08 00
             ^
    #0 0x7f5cd74851fc in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f5cd7484363 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f5cd73b4fbf in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f5cd73b9fc9 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f5cd6617471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f5cd652655f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f5cd652660b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in 
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Issue 43307 in oss-fuzz: elfutils:fuzz-dwfl-core: Crash in read_addrs
Updates:
    Labels: Fuzz-Blocker

Comment #1 on issue 43307 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Crash in read_addrs
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307#c1

This crash occurs very frequently on linux platform and is likely preventing the fuzzer fuzz-dwfl-core from making much progress. Fixing this will allow more bugs to be found.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #9 from Evgeny Vereshchagin ---
According to OSS-Fuzz looks like that commit triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also reported in https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
```
$ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
$ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0 (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
==153072==The signal is caused by a READ memory access.
    #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
    #1 0x7fbe89eb2fc7 in read_addrs /home/vagrant/elfutils/libdwfl/link_map.c:288
    #2 0x7fbe89eb2fc7 in report_r_debug /home/vagrant/elfutils/libdwfl/link_map.c:341
    #3 0x7fbe89eb2fc7 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1117
    #4 0x7fbe89eb7103 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
    #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
    #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
==153072==ABORTING
```
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #10 from Mark Wielaard ---
(In reply to Evgeny Vereshchagin from comment #8)
> (In reply to Mark Wielaard from comment #7)
> > commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> > Author: Mark Wielaard
> > Date:   Fri Dec 24 02:01:32 2021 +0100
> > 
> >     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> > 
> >     The gcc undefined sanitizer doesn't like the trick we use to calculate
> >     the (possibly) unaligned addresses to read. So calculate them by hand
> >     as unsigned char pointers.
> > 
> >     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> > 
> >     Signed-off-by: Mark Wielaard
> > 
> > Which should this particular issue.
> 
> I'm not sure but it seems it can still be triggered with that commit applied:
> ```
> $ git log --oneline -5
> 9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate
> addr to read by hand in link_map.c read_addrs.
> 5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
> 1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least
> minread
> 4fdd8588 libdwfl: Always clean up build_id.memory
> 8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
> 
> $ autoreconf -i -f
> $ ./configure --enable-maintainer-mode --enable-sanitize-undefined
> $ make -j$(nproc) V=1
> 
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> ./attachment.cgi\?id\=13875
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment

That is a different issue than the one reported in comment #5.
This bug might be split up for the different issues found.
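The commit quoted in comments #8 and #10 avoids UBSan's misaligned-access report by reading through unsigned char pointers instead of casting into a struct. The following is an added example of that technique, not elfutils code: elf32_dyn_t is an assumed stand-in mirroring the Elf32_Dyn layout, little-endian byte order is assumed, and the sample buffer is constructed.

```c
/* Added example, not elfutils code: read a little-endian Elf32_Dyn entry
 * from a byte buffer at an arbitrary, possibly unaligned, offset.
 * elf32_dyn_t is an assumed stand-in mirroring the Elf32_Dyn layout. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    int32_t  d_tag;   /* e.g. DT_NEEDED == 1 */
    uint32_t d_val;   /* Elf32_Dyn has a union here; d_val is all we need */
} elf32_dyn_t;

/* Casting an unaligned pointer to elf32_dyn_t * and touching a member is
 * the "member access within misaligned address" UBSan reports. */
int dyn_ptr_is_aligned(const unsigned char *p)
{
    return ((uintptr_t)p % _Alignof(elf32_dyn_t)) == 0;
}

/* Assemble a 32-bit value byte by byte (little-endian assumed); only
 * unsigned char pointers are dereferenced, so no alignment is required. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the entry at buf[off] into an aligned *out. Returns 0 on success,
 * -1 if the entry would run past the end of the buffer. */
int read_dyn_at(const unsigned char *buf, size_t len, size_t off,
                elf32_dyn_t *out)
{
    if (off > len || len - off < sizeof(elf32_dyn_t))
        return -1;
    out->d_tag = (int32_t)le32(buf + off);
    out->d_val = le32(buf + off + 4);
    return 0;
}

/* Constructed sample buffer: 4-byte aligned, with three padding bytes
 * before the entry so that the entry itself sits at an odd address. */
_Alignas(4) const unsigned char sample_dyn[] = {
    0xaa, 0xbb, 0xcc,            /* padding: entry starts at offset 3 */
    0x01, 0x00, 0x00, 0x00,      /* d_tag = 1 (DT_NEEDED) */
    0x34, 0x12, 0x00, 0x00,      /* d_val = 0x1234 */
};
```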
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #11 from Evgeny Vereshchagin ---
(In reply to Mark Wielaard from comment #10)
> That is a different issue than the one reported in comment #5.
> This bug might be split up for the different issues found.

Sorry. I seem to have overlooked that. I think this issue can be closed then. In the meantime, I've just opened https://github.com/google/oss-fuzz/pull/7092 (which should help to start catching issues like that on OSS-Fuzz). It'll sort out duplicates automatically so I'd just wait for it to report what's left.

Thanks!