[PATCH] libdwfl: Fix overflow check in link_map.c read_addrs
The buffer_available overflow check wasn't complete. Also check nb isn't too big. https://sourceware.org/bugzilla/show_bug.cgi?id=28720 Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog | 4 libdwfl/link_map.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index 149383ad..f8319f44 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,7 @@ +2022-01-03 Mark Wielaard + + * link_map.c (read_addrs): Fix buffer_available nb overflow. + 2021-12-23 Mark Wielaard * link_map.c (read_addrs): Calculate addr to read by hand. diff --git a/libdwfl/link_map.c b/libdwfl/link_map.c index cd9c5042..99222bb9 100644 --- a/libdwfl/link_map.c +++ b/libdwfl/link_map.c @@ -257,7 +257,8 @@ read_addrs (struct memory_closure *closure, /* Read a new buffer if the old one doesn't cover these words. */ if (*buffer == NULL || vaddr < *read_vaddr - || vaddr - (*read_vaddr) + nb > *buffer_available) + || nb > *buffer_available + || vaddr - (*read_vaddr) > *buffer_available - nb) { release_buffer (closure, buffer, buffer_available, 0); -- 2.30.2
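Review bot: in the link_map.c hunk the rewritten condition is correct but order-dependent: `nb > *buffer_available` must stay ahead of `vaddr - (*read_vaddr) > *buffer_available - nb` so that short-circuit evaluation keeps the subtraction from wrapping, and the existing `vaddr < *read_vaddr` test must stay ahead of both so the offset cannot wrap; a one-line comment saying the three tests are ordered on purpose would stop a later cleanup from reordering them. The old form `vaddr - (*read_vaddr) + nb > *buffer_available` wrapped whenever the offset plus nb crossed the top of the address range, which is how a far-away address could pass as "covered" and lead to the out-of-bounds read reported in the bug.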
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #13 from Mark Wielaard ---
(In reply to Evgeny Vereshchagin from comment #9)
> According to OSS-Fuzz looks like that commit triggered
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
> reported in
> https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
> ```
> $ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
> $ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
> AddressSanitizer:DEADLYSIGNAL
> =
> ==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0 (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
> ==153072==The signal is caused by a READ memory access.
> #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
> #1 0x7fbe89eb2fc7 in read_addrs /home/vagrant/elfutils/libdwfl/link_map.c:288
> #2 0x7fbe89eb2fc7 in report_r_debug /home/vagrant/elfutils/libdwfl/link_map.c:341
> #3 0x7fbe89eb2fc7 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1117
> #4 0x7fbe89eb7103 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
> #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
> #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
> #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
> #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
> #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
> #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
> ==153072==ABORTING
> ```

Interesting, that looks like an incomplete overflow check in read_addrs.

Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004633.html

--
You are receiving this mail because:
You are on the CC list for the bug.
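The incomplete overflow check the comment above points at, as an added example that is not elfutils code: both forms of the read_addrs range check side by side, with a constructed address near the top of the 64-bit range that the old form accepts and the patched form rejects. The function and variable names are mine; the caller is assumed to have already rejected vaddr < read_vaddr, as read_addrs does one test earlier.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not elfutils code. Models the test read_addrs makes to
   decide whether its cached buffer (buffer_available bytes starting at
   read_vaddr) already covers the nb bytes it needs at vaddr. All values
   are uint64_t here; the caller is assumed to have already rejected
   vaddr < read_vaddr, as the real condition does one test earlier. */

/* Pre-patch form: offset + nb is computed first, and when the offset sits
   near the top of the address space the sum wraps to a small number, so a
   request that is nowhere near the buffer passes as "covered". */
static bool
covered_unsafe (uint64_t vaddr, uint64_t read_vaddr,
                uint64_t buffer_available, uint64_t nb)
{
  return !(vaddr - read_vaddr + nb > buffer_available);
}

/* Patched form: reject an oversized nb first, which also guarantees that
   buffer_available - nb cannot wrap, then compare the offset against the
   room that is left. No intermediate value can overflow. */
static bool
covered_safe (uint64_t vaddr, uint64_t read_vaddr,
              uint64_t buffer_available, uint64_t nb)
{
  if (nb > buffer_available)
    return false;
  return !(vaddr - read_vaddr > buffer_available - nb);
}

/* Constructed input: a 0x1000-byte buffer cached at 0x10 and a request for
   0x100 bytes at an address 0x80 below the top of the 64-bit space. Returns
   true when the two checks disagree, i.e. when the old one is fooled. */
static bool
old_check_is_fooled (void)
{
  const uint64_t read_vaddr = 0x10, avail = 0x1000, nb = 0x100;
  const uint64_t vaddr = UINT64_MAX - 0x7f; /* offset wraps once nb is added */
  return covered_unsafe (vaddr, read_vaddr, avail, nb)
         && !covered_safe (vaddr, read_vaddr, avail, nb);
}
```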
[PATCH] libdwfl: Handle unaligned Dyns in dwfl_segment_report_module
The xlate functions only handle correctly aligned buffers. But they do handle src == dest. So if the source buffer isn't aligned correctly just copy it first into the destination (which is already correctly aligned). https://sourceware.org/bugzilla/show_bug.cgi?id=28720 Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog| 5 + libdwfl/dwfl_segment_report_module.c | 12 2 files changed, 17 insertions(+) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index f8319f44..aace969f 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,8 @@ +2022-01-03 Mark Wielaard + + * dwfl_segment_report_module.c (dwfl_segment_report_module): Copy + dyn_data and set xlatefrom.d_buf to dyns when dyns is not aligned. + 2022-01-03 Mark Wielaard * link_map.c (read_addrs): Fix buffer_available nb overflow. diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c index 5bef249e..1461ae26 100644 --- a/libdwfl/dwfl_segment_report_module.c +++ b/libdwfl/dwfl_segment_report_module.c @@ -844,7 +844,19 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, xlateto.d_buf = dyns; xlateto.d_size = dyn_filesz; + /* dyn_data may be unaligned, in which case xlatetom would not work. +xlatetom does work when the in and out d_buf are equal (but not +for any other overlap). */ bool is32 = (ei_class == ELFCLASS32); + size_t dyn_align = (is32 + ? __alignof__ (Elf32_Dyn) + : __alignof__ (Elf64_Dyn)); + if (((uintptr_t) dyn_data & (dyn_align - 1)) != 0) + { + memcpy (dyns, dyn_data, dyn_filesz); + xlatefrom.d_buf = dyns; + } + if ((is32 && elf32_xlatetom (&xlateto, &xlatefrom, ei_data) != NULL) || (!is32 && elf64_xlatetom (&xlateto, &xlatefrom, ei_data) != NULL)) { -- 2.30.2
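Review bot: in the dwfl_segment_report_module.c hunk the memcpy length is `dyn_filesz`, the value set on `xlateto.d_size`, while the source is `xlatefrom.d_buf`; if `xlatefrom.d_size` can ever be smaller than `dyn_filesz` the copy reads past the source, so either copy `xlatefrom.d_size` bytes or assert that the two sizes are equal before the copy. The `dyn_align - 1` mask is fine because `__alignof__ (Elf32_Dyn)` and `__alignof__ (Elf64_Dyn)` are powers of two, and after the copy `xlatefrom.d_buf == xlateto.d_buf`, which is the one overlap the new comment says xlatetom supports.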
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #14 from Mark Wielaard ---
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov%eax,
> %ebp.fuzz
> gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
> 0x7f0817719077: note: pointer points here
> 00 10 00 00 00 00 00 00 00 00 02 01 00 00 00 00 00 00 7f 45 46 4c 46 00
> 00 01 01 00 01 00 08 00
> ^
> #0 0x7f0822689542 in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
> #1 0x7f082268835e in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
> #2 0x7f0819563307 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
> #3 0x7f081956c06c in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
> #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
> #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
> #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
> #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
> #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
> #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
> ```

Proposed patch for this issue:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004635.html
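As an added example that is not elfutils code: the copy-then-translate step the proposed patch adds, on a stand-in for Elf32_Dyn, run over a constructed big-endian byte buffer whose entries deliberately start 3 bytes into a 4-byte-aligned array. dyn32, xlate_dyn32_be, report_dyns and find_dt_debug are my names; the DT_DEBUG tag value 21 is the real one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not elfutils code. dyn32 stands in for Elf32_Dyn and
   xlate_dyn32_be for elf32_xlatetom: big-endian entries are converted through
   struct member access, which is what UBSan flagged on an unaligned source. */
typedef struct { int32_t d_tag; uint32_t d_val; } dyn32;

/* Valid only for in == out or non-overlapping buffers, and only when in is
   aligned: in[i].d_tag is a member access, not a byte-wise read. */
static void xlate_dyn32_be (dyn32 *out, const dyn32 *in, size_t n) {
  const uint16_t one = 1;
  bool swap = *(const unsigned char *) &one != 0; /* little-endian host */
  for (size_t i = 0; i < n; i++) {
    uint32_t tag = (uint32_t) in[i].d_tag, val = in[i].d_val;
    out[i].d_tag = (int32_t) (swap ? __builtin_bswap32 (tag) : tag);
    out[i].d_val = swap ? __builtin_bswap32 (val) : val;
  }
}

/* The patched step: dyn_data may be unaligned; dyns is the caller's aligned
   destination of dyn_filesz bytes. Copy first when needed (memcpy has no
   alignment requirement), then translate in place. Returns the entry count. */
static size_t report_dyns (dyn32 *dyns, const void *dyn_data, size_t dyn_filesz) {
  const void *src = dyn_data;
  /* The patch's test: the mask is valid because _Alignof is a power of two. */
  if (((uintptr_t) dyn_data & (_Alignof (dyn32) - 1)) != 0) {
    memcpy (dyns, dyn_data, dyn_filesz);
    src = dyns; /* in == out is the one overlap xlate allows */
  }
  size_t n = dyn_filesz / sizeof (dyn32);
  xlate_dyn32_be (dyns, src, n);
  return n;
}

/* Constructed input: 3 junk bytes, then big-endian DT_DEBUG (21) with value
   0x12345678 and a DT_NULL terminator, so the entries start misaligned. */
static _Alignas (4) const unsigned char blob[19] = { 0xaa, 0xbb, 0xcc,
  0, 0, 0, 0x15, 0x12, 0x34, 0x56, 0x78, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns the DT_DEBUG value found in blob, or 0 when absent. */
static uint32_t find_dt_debug (void) {
  static dyn32 dyns[2];
  size_t n = report_dyns (dyns, blob + 3, sizeof blob - 3);
  for (size_t i = 0; i < n; i++)
    if (dyns[i].d_tag == 21) return dyns[i].d_val;
  return 0;
}
```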
[PATCH] libdwfl: Declare possible zero sized arrays only when non-zero
The gcc undefined sanitizer complains when seeing a zero sized array declaration. Move the declaration to the point in the code where we know they aren't zero sized. https://sourceware.org/bugzilla/show_bug.cgi?id=28720 Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog | 5 + libdwfl/link_map.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index aace969f..b2588b12 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,8 @@ +2022-01-03 Mark Wielaard + + * link_map.c (dwfl_link_map_report): Only declare d32 and d64 before + actual use. + 2022-01-03 Mark Wielaard * dwfl_segment_report_module.c (dwfl_segment_report_module): Copy diff --git a/libdwfl/link_map.c b/libdwfl/link_map.c index 99222bb9..c0207cd3 100644 --- a/libdwfl/link_map.c +++ b/libdwfl/link_map.c @@ -1037,8 +1037,6 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size, return false; } void *buf = malloc (dyn_filesz); - Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = buf; - Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = buf; if (unlikely (buf == NULL)) { __libdwfl_seterrno (DWFL_E_NOMEM); @@ -1068,6 +1066,7 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size, /* We are looking for DT_DEBUG. */ if (elfclass == ELFCLASS32) { + Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = buf; size_t n = dyn_filesz / sizeof (Elf32_Dyn); for (size_t i = 0; i < n; ++i) if ((*d32)[i].d_tag == DT_DEBUG) @@ -1078,6 +1077,7 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size, } else { + Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = buf; size_t n = dyn_filesz / sizeof (Elf64_Dyn); for (size_t i = 0; i < n; ++i) if ((*d64)[i].d_tag == DT_DEBUG) -- 2.30.2
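Review bot: in the second link_map.c hunk the moved declaration `Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = buf;` still has a VLA bound of zero whenever `dyn_filesz < sizeof (Elf32_Dyn)`, and nothing in the hunk shows that case being rejected between the malloc at line 1037 and the ELFCLASS32 branch; if that check lives in the elided lines, fine, otherwise the UBSan report from comment #15 only moves from line 1040 to the new declaration. The bound is also recomputed on the very next line as `size_t n = dyn_filesz / sizeof (Elf32_Dyn);`, so declaring `n` first and writing `Elf32_Dyn (*d32)[n] = buf;` avoids the duplicate and makes the nonzero requirement on `n` explicit; the same applies to `d64` in the third hunk.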
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #15 from Mark Wielaard ---
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov%eax,
> %ebp.fuzz
> link_map.c:1040:20: runtime error: variable length array bound evaluates to non-positive value 0
> #0 0x7fbc58f053e9 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1040
> #1 0x7fbc59023fa7 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
> #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
> #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
> #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
> #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
> #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
> #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in

Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #16 from Evgeny Vereshchagin ---
I tested both patches with CFLite, AFL++ and honggfuzz for about ten minutes under ASan/UBSan with the reproducer testcases included in the "seed" corpus. I also unleashed the latest corpus provided by OSS-Fuzz on the fuzzer and it found nothing. Looks like both issues are gone for good. Thanks!

FWIW I recently posted patch v4 where AFL/AFL++ is supported as well. I think with both `--enable-honggfuzz` and `--enable-afl` it should be possible to integrate it into buildbot smoothly. The patch can be found at https://patchwork.sourceware.org/project/elfutils/patch/20211226160323.2450838-1-evv...@ya.ru/
[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #17 from Evgeny Vereshchagin ---
FWIW I tested https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html as well with gcc (since it isn't reproducible with clang), honggfuzz and the latest OSS-Fuzz corpus. That issue is gone too. Thanks!