Issue 45629 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_read_mmaped_file
Comment #2 on issue 45629 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_read_mmaped_file
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45629#c2

ASAN report

Indirect leak of 264 byte(s) in 1 object(s) allocated from:
    #0 0x524ae2 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x622d34 in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x622d34 in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:578:10
    #3 0x6283cf in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #4 0x628037 in dup_elf /src/elfutils/libelf/elf_begin.c:1067:12
    #5 0x628037 in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #6 0x627c93 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #7 0x56009b in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #8 0x56009b in process_file /src/elfutils/libdwfl/offline.c:125:14
    #9 0x560a48 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #10 0x560a48 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #11 0x55dc32 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #12 0x455522 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x4410d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x44693c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x46f2d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7f61fb6210b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16

Indirect leak of 264 byte(s) in 1 object(s) allocated from:
    #0 0x524ae2 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x622bc1 in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x622bc1 in file_read_ar /src/elfutils/libelf/elf_begin.c:59:9
    #3 0x622bc1 in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:570:14
    #4 0x6283cf in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #5 0x627be1 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x56b2ac in libdw_open_elf /src/elfutils/libdwfl/open.c:131:14
    #7 0x56b1ac in __libdw_open_file /src/elfutils/libdwfl/open.c:197:10
    #8 0x5609d2 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:281:22
    #9 0x5609d2 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x55dc32 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x455522 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x4410d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x44693c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x46f2d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7f61fb6210b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 528 byte(s) leaked in 2 allocation(s).
INFO: a leak has been found in the initial corpus.
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

--
You received this message because:
  1. You were specifically CC'd on the issue
You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings
Reply to this email to add a comment.
Issue 45629 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_read_mmaped_file
Comment #3 on issue 45629 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_read_mmaped_file
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45629#c3

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5280476447768576  68 bytes
Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
Comment #2 on issue 45630 by da...@adalogics.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c2

MSAN report:

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-ecd598ded30b07196a2ab343f59f7a25442f0560
==744==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x538d7b in validate_str /src/elfutils/libelf/elf_strptr.c:61:4
    #1 0x5383fe in elf_strptr /src/elfutils/libelf/elf_strptr.c:188:11
    #2 0x527361 in fuzz_logic_one /src/fuzz-libelf.c:37:26
    #3 0x527cec in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:82:3
    #4 0x4551d2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #5 0x440d82 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #6 0x4465ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #7 0x46ef82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fd73ce3f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #9 0x41f4cd in _start

  Uninitialized value was created by a heap allocation
    #0 0x4d49ad in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:911:3
    #1 0x53feb1 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:227:19
    #2 0x5408d7 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:300:19
    #3 0x538903 in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
    #4 0x537c19 in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
    #5 0x527361 in fuzz_logic_one /src/fuzz-libelf.c:37:26
    #6 0x527cec in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:82:3
    #7 0x4551d2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #8 0x440d82 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #9 0x4465ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #10 0x46ef82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7fd73ce3f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
Comment #3 on issue 45630 by da...@adalogics.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c3

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libelf-5658767587409920  320 bytes
Issue 45631 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in __libdw_gunzip
Comment #1 on issue 45631 by da...@adalogics.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in __libdw_gunzip
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45631#c1

MSAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-cdd503eda6f927979a20a3bd4c08c8182cdf2ff5
==593068==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55eeb6 in zlib_fail /src/elfutils/libdwfl/gzip.c:132:3
    #1 0x55eeb6 in __libdw_gunzip /src/elfutils/libdwfl/gzip.c:387:11
    #2 0x540817 in decompress /src/elfutils/libdwfl/open.c:66:11
    #3 0x5400d7 in what_kind /src/elfutils/libdwfl/open.c:114:12
    #4 0x5400d7 in libdw_open_elf /src/elfutils/libdwfl/open.c:134:22
    #5 0x53f505 in __libdw_open_file /src/elfutils/libdwfl/open.c:197:10
    #6 0x52cea7 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:281:22
    #7 0x52cea7 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #8 0x52747b in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #9 0x4552f2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #10 0x440ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #11 0x44670c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #12 0x46f0a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f5b32dd40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #14 0x41f5ed in _start

  Uninitialized value was created by an allocation of 'code' in the stack frame of function '__libdw_gunzip'
    #0 0x55cde0 in __libdw_gunzip /src/elfutils/libdwfl/gzip.c:184

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-libdwfl+0x55eeb6)
Unique heap origins: 44
  Stack depot allocated bytes: 1638400
Unique origin histories: 7
  History depot allocated bytes: 196608
Exiting
Issue 45631 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in __libdw_gunzip
Comment #2 on issue 45631 by da...@adalogics.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in __libdw_gunzip
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45631#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5742116662280192  4 bytes
Issue 45634 in oss-fuzz: elfutils:fuzz-libdwfl: Misaligned-address in file_read_elf
Comment #1 on issue 45634 by da...@adalogics.com: elfutils:fuzz-libdwfl: Misaligned-address in file_read_elf
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45634#c1

UBSAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-59b5bfa44a73565527249e5a6d13b3c2a9761f29
elf_begin.c:225:21: runtime error: member access within misaligned address 0x7f9d7642404c for type 'Elf64_Shdr', which requires 8 byte alignment
0x7f9d7642404c: note: pointer points here
 02 01 01 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
 ^
    #0 0x56a2ad in get_shnum /src/elfutils/libelf/elf_begin.c:225:21
    #1 0x56a2ad in file_read_elf /src/elfutils/libelf/elf_begin.c:299:19
    #2 0x567596 in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:566:14
    #3 0x56c9dd in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #4 0x56c678 in dup_elf /src/elfutils/libelf/elf_begin.c:1067:12
    #5 0x56c678 in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #6 0x56c17e in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #7 0x4b5782 in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #8 0x4b5782 in process_file /src/elfutils/libdwfl/offline.c:125:14
    #9 0x4b5e9f in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #10 0x4b5e9f in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #11 0x4b2f88 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #12 0x43da32 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x4295e2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x42ee4c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x4577e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7f9d760b90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #17 0x407d2d in _start

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior elf_begin.c:225:21 in
Issue 45634 in oss-fuzz: elfutils:fuzz-libdwfl: Misaligned-address in file_read_elf
Comment #2 on issue 45634 by da...@adalogics.com: elfutils:fuzz-libdwfl: Misaligned-address in file_read_elf
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45634#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5069818166902784  140 bytes
Issue 45635 in oss-fuzz: elfutils:fuzz-libdwfl: Timeout in fuzz-libdwfl
Comment #1 on issue 45635 by da...@adalogics.com: elfutils:fuzz-libdwfl: Timeout in fuzz-libdwfl
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45635#c1

UBSAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-2aaefec51e4f82909c4edd9ae287bf51b2eb6dd7
ALARM: working on the last Unit for 61 seconds
       and the timeout value is 60 (use -timeout=N to change)
==225963== ERROR: libFuzzer: timeout after 61 seconds
    #0 0x4b1a04 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x457028 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x43c3f9 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:301:5
    #3 0x7f4c926dc3bf in libpthread.so.0
    #4 0x56b144 in read_long_names /src/elfutils/libelf/elf_begin.c:760:28
    #5 0x56b144 in __libelf_next_arhdr_wrlock /src/elfutils/libelf/elf_begin.c:912:8
    #6 0x56c6fb in dup_elf /src/elfutils/libelf/elf_begin.c:1061:10
    #7 0x56c6fb in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #8 0x56c17e in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #9 0x4b5782 in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #10 0x4b5782 in process_file /src/elfutils/libdwfl/offline.c:125:14
    #11 0x4b5e9f in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #12 0x4b5e9f in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #13 0x4b2f88 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #14 0x43da32 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #15 0x4295e2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #16 0x42ee4c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #17 0x4577e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7f4c924d00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #19 0x407d2d in _start

SUMMARY: libFuzzer: timeout
Issue 45635 in oss-fuzz: elfutils:fuzz-libdwfl: Timeout in fuzz-libdwfl
Comment #2 on issue 45635 by da...@adalogics.com: elfutils:fuzz-libdwfl: Timeout in fuzz-libdwfl
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45635#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5237809772888064  129 bytes
Issue 45636 in oss-fuzz: elfutils:fuzz-libdwfl: Crash in read_long_names
Comment #1 on issue 45636 by da...@adalogics.com: elfutils:fuzz-libdwfl: Crash in read_long_names
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45636#c1

ASAN report

=================================================================
==746==ERROR: AddressSanitizer: unknown-crash on address 0x7f1a9af3d000 at pc 0x0048a379 bp 0x7ffeb1d3c230 sp 0x7ffeb1d3b9e8
READ of size 985 at 0x7f1a9af3d000 thread T0
SCARINESS: 16 (multi-byte-read-unknown-crash)
    #0 0x48a378 in __interceptor_atol /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:522:3
    #1 0x5b4615 in read_long_names /src/elfutils/libelf/elf_begin.c:766:13
    #2 0x5b2aa4 in __libelf_next_arhdr_wrlock /src/elfutils/libelf/elf_begin.c:912:8
    #3 0x5b6d7d in dup_elf /src/elfutils/libelf/elf_begin.c:1061:10
    #4 0x5b5028 in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #5 0x5b4e36 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x4db735 in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #7 0x4db181 in process_file /src/elfutils/libdwfl/offline.c:125:14
    #8 0x4daf3b in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #9 0x4db2a2 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x4d842f in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x4d8225 in ExecuteFilesOnyByOne aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7
    #12 0x4d8095 in main aflplusplus/utils/aflpp_driver/aflpp_driver.c:0
    #13 0x7f1a9bd060b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #14 0x41e58d in _start

Address 0x7f1a9af3d000 is a wild pointer inside of access range of size 0x03d9.
SUMMARY: AddressSanitizer: unknown-crash (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_elfutils_b7ca3a6bcc40cef461446d759ca780e6ea3657cd/revisions/fuzz-libdwfl+0x48a378)
Shadow bytes around the buggy address:
  0x0fe3d35df9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3d35df9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3d35df9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3d35df9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe3d35df9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe3d35dfa00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe3d35dfa10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe3d35dfa20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe3d35dfa30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe3d35dfa40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe3d35dfa50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==746==ABORTING
Issue 45636 in oss-fuzz: elfutils:fuzz-libdwfl: Crash in read_long_names
Comment #2 on issue 45636 by da...@adalogics.com: elfutils:fuzz-libdwfl: Crash in read_long_names
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45636#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5787862593830912  8.0 KB
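Issue 45636 shows atol() called from read_long_names on an ar member header and reading 985 bytes through a wild pointer; issue 45635 is a timeout reported in the same function. The common ingredient is the ar header format itself: ar_size is a ten-byte, space-padded ASCII decimal with no NUL terminator, so a libc string function keeps scanning past the field (and past the mapping when that header is the last thing in it), and the value it produces, including a negative one from a field such as "-60", is only as trustworthy as the file. What follows is an added example, not elfutils code, of walking an archive with a fixed-width field parser that never reads outside the header and a size check that keeps the member offset moving forward without wrapping. The archive bytes it walks are constructed inside the example; the helper names (parse_ar_decimal, walk_archive, put_member, walk_good, walk_bad) are this example's own.

```c
/* Added example, not elfutils code: walk the members of an ar(1) archive
 * with fixed-width, bounds-checked parsing of the 60-byte member header.
 * ar_size is ten ASCII digits padded with spaces and not NUL-terminated,
 * so atol() on it scans past the field and, for a header at the end of a
 * mapping, past the buffer. The archives walked here are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SARMAG 8        /* strlen ("!<arch>\n") */
#define AR_HDR_SIZE 60  /* name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2] */

/* Parse a space-padded decimal field of exactly n bytes. Rejects an empty
 * field, any non-digit ("-60" fails instead of going negative) and
 * overflow; never reads beyond field[n - 1]. */
static bool
parse_ar_decimal (const char *field, size_t n, uint64_t *out)
{
  uint64_t v = 0;
  size_t i = 0;
  while (i < n && field[i] != ' ')
    {
      if (field[i] < '0' || field[i] > '9' || v > (UINT64_MAX - 9) / 10)
        return false;
      v = v * 10 + (uint64_t) (field[i] - '0');
      i++;
    }
  if (i == 0)
    return false;
  for (; i < n; i++)        /* the rest of the field must be padding */
    if (field[i] != ' ')
      return false;
  *out = v;
  return true;
}

/* Walk the archive in buf[0..len). Returns the member count and stores the
 * offset of the "//" long-names table in *longnames_off (SIZE_MAX if none),
 * or -1 if a header is truncated or inconsistent with the file size. */
long
walk_archive (const uint8_t *buf, size_t len, size_t *longnames_off)
{
  *longnames_off = SIZE_MAX;
  if (len < SARMAG || memcmp (buf, "!<arch>\n", SARMAG) != 0)
    return -1;
  size_t off = SARMAG;
  long members = 0;
  while (off < len)
    {
      if (len - off < AR_HDR_SIZE)        /* whole header must be in range */
        return -1;
      const char *hdr = (const char *) buf + off;
      if (memcmp (hdr + 58, "`\n", 2) != 0)               /* ar_fmag */
        return -1;
      uint64_t size;
      if (!parse_ar_decimal (hdr + 48, 10, &size))         /* ar_size */
        return -1;
      if (size > len - off - AR_HDR_SIZE)                  /* body must fit */
        return -1;
      if (memcmp (hdr, "//              ", 16) == 0)       /* long-names table */
        *longnames_off = off + AR_HDR_SIZE;
      members++;
      /* Header plus body, padded to an even offset. The size check above
       * means this cannot wrap, and the header size means it always advances. */
      off += AR_HDR_SIZE + (size_t) size + (size_t) (size & 1);
    }
  return members;
}

/* Append a member at *off; size_text goes into ar_size verbatim so a
 * caller can plant a malformed value. */
static void
put_member (uint8_t *buf, size_t *off, const char *name, const char *size_text,
            const char *body, size_t body_len)
{
  char *h = (char *) buf + *off;
  memset (h, ' ', AR_HDR_SIZE);
  memcpy (h, name, strlen (name));
  h[16] = h[28] = h[34] = h[40] = '0';   /* ar_date, ar_uid, ar_gid, ar_mode */
  memcpy (h + 48, size_text, strlen (size_text));
  memcpy (h + 58, "`\n", 2);
  memcpy (h + AR_HDR_SIZE, body, body_len);
  *off += AR_HDR_SIZE + body_len;
  if (body_len & 1)
    buf[(*off)++] = '\n';
}

/* Constructed archive ("//" table, then one member), walked after dropping
 * `cut` trailing bytes: 0 gives 2 members, 10 leaves a truncated header. */
long
walk_good (size_t cut)
{
  uint8_t buf[256];
  size_t ln, n = SARMAG;
  memcpy (buf, "!<arch>\n", SARMAG);
  put_member (buf, &n, "//", "8", "long.o/\n", 8);
  put_member (buf, &n, "/0", "3", "ABC", 3);
  return walk_archive (buf, n - cut, &ln);
}

/* Constructed single-member archive whose ar_size field is size_text. */
long
walk_bad (const char *size_text)
{
  uint8_t buf[256];
  size_t ln, n = SARMAG;
  memcpy (buf, "!<arch>\n", SARMAG);
  put_member (buf, &n, "x.o/", size_text, "hi", 2);
  return walk_archive (buf, n, &ln);
}
```

walk_good (0) returns 2 and walk_good (10) returns -1 because the second header no longer fits; walk_bad ("2") returns 1, while walk_bad ("9999"), walk_bad ("-60") and walk_bad ("") all return -1 before any byte past the header is touched. The two properties that matter are that the field parser is told the field width instead of looking for a terminator, and that the size is compared against the remaining bytes before it is added to the offset, so the loop can neither read past the mapping nor stall.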
Issue 45637 in oss-fuzz: elfutils:fuzz-libelf: Timeout in fuzz-libelf
Comment #1 on issue 45637 by da...@adalogics.com: elfutils:fuzz-libelf: Timeout in fuzz-libelf
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45637#c1

ASAN report:

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-15f79e70f92567039dd67b7c3a16ad3a180b3a6e
ALARM: working on the last Unit for 61 seconds
       and the timeout value is 60 (use -timeout=N to change)
==5980== ERROR: libFuzzer: timeout after 61 seconds
    #0 0x52e5c1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x46e9e8 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x453db9 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:301:5
    #3 0x7f7ca26eb3bf in libpthread.so.0
    #4 0x571322 in elf_cvt_Verneed /src/elfutils/libelf/version_xlate.h:211:20
    #5 0x56957e in convert_data /src/elfutils/libelf/elf_getdata.c:192:7
    #6 0x56957e in __libelf_set_data_list_rdlock /src/elfutils/libelf/elf_getdata.c:453:7
    #7 0x569a67 in __elf_getdata_rdlock /src/elfutils/libelf/elf_getdata.c:560:5
    #8 0x569b1c in elf_getdata /src/elfutils/libelf/elf_getdata.c:578:12
    #9 0x56d9d4 in elf_compress_gnu /src/elfutils/libelf/elf_compress_gnu.c:150:24
    #10 0x55dbba in fuzz_logic_one /src/fuzz-libelf.c:48:15
    #11 0x55e077 in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:82:3
    #12 0x4553f2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x440fa2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x44680c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x46f1a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7f7ca24df0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #17 0x41f6ed in _start
Issue 45637 in oss-fuzz: elfutils:fuzz-libelf: Timeout in fuzz-libelf
Comment #2 on issue 45637 by da...@adalogics.com: elfutils:fuzz-libelf: Timeout in fuzz-libelf
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45637#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libelf-6393240885002240  684 bytes
Issue 45646 in oss-fuzz: elfutils:fuzz-libdwfl: Misaligned-address in __libdw_image_header
Comment #1 on issue 45646 by da...@adalogics.com: elfutils:fuzz-libdwfl: Misaligned-address in __libdw_image_header
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45646#c1

UBSAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-137c106fe516c3a5c4d5fb8deeb45c4e982d59a5
image-header.c:84:7: runtime error: load of misaligned address 0x7f2499144202 for type 'uint32_t' (aka 'unsigned int'), which requires 4 byte alignment
0x7f2499144202: note: pointer points here
 55 aa 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
 ^
    #0 0x4c04de in __libdw_image_header /src/elfutils/libdwfl/image-header.c:84:7
    #1 0x4bf336 in libdw_open_elf /src/elfutils/libdwfl/open.c:141:15
    #2 0x4bf1dc in __libdw_open_file /src/elfutils/libdwfl/open.c:197:10
    #3 0x4b5e6d in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:281:22
    #4 0x4b5e6d in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #5 0x4b2f88 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #6 0x43da32 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x4295e2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x42ee4c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x4577e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7f2498dd90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #11 0x407d2d in _start

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior image-header.c:84:7 in
Issue 45646 in oss-fuzz: elfutils:fuzz-libdwfl: Misaligned-address in __libdw_image_header
Comment #2 on issue 45646 by da...@adalogics.com: elfutils:fuzz-libdwfl: Misaligned-address in __libdw_image_header
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45646#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libdwfl-5699171619831808  593 bytes
Issue 45682 in oss-fuzz: elfutils:fuzz-libelf: Misaligned-address in elf_cvt_Verneed
Comment #1 on issue 45682 by da...@adalogics.com: elfutils:fuzz-libelf: Misaligned-address in elf_cvt_Verneed
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45682#c1

UBSAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-cf18cd9802d6953b96a96cb2364e46ade2dccddc
version_xlate.h:204:22: runtime error: member access within misaligned address 0x02dfee46 for type 'GElf_Vernaux' (aka 'Elf64_Vernaux'), which requires 4 byte alignment
0x02dfee46: note: pointer points here
 4c 46 01 02 01 20 00 00 00 04 20 20 20 20 00 00 00 02 20 20 20 20 20 20 20 20 20 20 20 20 00 00
 ^
    #0 0x4c63b6 in elf_cvt_Verneed /src/elfutils/libelf/version_xlate.h:204:22
    #1 0x4be96f in convert_data /src/elfutils/libelf/elf_getdata.c:192:7
    #2 0x4be96f in __libelf_set_data_list_rdlock /src/elfutils/libelf/elf_getdata.c:453:7
    #3 0x4bf17e in __elf_getdata_rdlock /src/elfutils/libelf/elf_getdata.c:560:5
    #4 0x4bf39e in elf_getdata /src/elfutils/libelf/elf_getdata.c:578:12
    #5 0x4c2d88 in elf_compress_gnu /src/elfutils/libelf/elf_compress_gnu.c:150:24
    #6 0x4b2e03 in fuzz_logic_one /src/fuzz-libelf.c:48:15
    #7 0x4b303f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:81:3
    #8 0x43d812 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #9 0x4293c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x42ec2c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #11 0x4575c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7f20c9b5d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #13 0x407b0d in _start

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior version_xlate.h:204:22 in
Issue 45682 in oss-fuzz: elfutils:fuzz-libelf: Misaligned-address in elf_cvt_Verneed
Comment #2 on issue 45682 by da...@adalogics.com: elfutils:fuzz-libelf: Misaligned-address in elf_cvt_Verneed
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45682#c2

(No comment was entered for this change.)

Attachments:
    clusterfuzz-testcase-minimized-fuzz-libelf-4968585519300608  321 bytes
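The misaligned GElf_Vernaux access in issue 45682 and the timeout inside elf_cvt_Verneed in issue 45637 come out of the same walk. A .gnu.version_r section is a chain of Verneed records; each carries a count and a relative offset (vn_aux) to a chain of Vernaux records, and vna_next and vn_next give the relative offset of the next record in each chain. Every one of those offsets is attacker-controlled, so each has to be checked for room, for alignment (an in-place converter casts straight into the buffer) and for wraparound before it is added to the running offset. Without the wraparound check an addition that overflows can land on a record already visited, and a walk that only ever adds can then run forever; the patch at the end of this page, "Don't overflow offsets in elf_cvt_Verneed and elf_cvt_Verdef", is about exactly that wrap. Below is an added example, not elfutils code, of such a checked walk in host byte order. The struct definitions mirror the 16-byte Elf64_Verneed and Elf64_Vernaux layouts, the sections it walks are constructed inline, and the function names (record_ok, walk_verneed, walk_sample) are this example's own.

```c
/* Added example, not elfutils code: a checked walk over a .gnu.version_r
 * section (Verneed/Vernaux chains) in host byte order. Every vn_aux,
 * vna_next and vn_next is compared with the room left before it is added,
 * so the offset arithmetic cannot wrap even with a 32-bit size_t, and each
 * record is checked for size and alignment. The sections are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as Elf64_Verneed / Elf64_Vernaux: 16 bytes, 4-byte alignment. */
struct verneed { uint16_t vn_version, vn_cnt; uint32_t vn_file, vn_aux, vn_next; };
struct vernaux { uint32_t vna_hash; uint16_t vna_flags, vna_other; uint32_t vna_name, vna_next; };
#define VER_ALIGN 4

/* Inside the section, room for a record, and naturally aligned. An in-place
 * converter that casts into the buffer needs the alignment; the memcpy reads
 * below would tolerate misalignment, but the check is kept to mirror it. */
static int
record_ok (size_t off, size_t len, size_t size)
{
  return off <= len && len - off >= size && (off & (VER_ALIGN - 1)) == 0;
}

/* Visit every record reachable from offset 0. Returns the number of Vernaux
 * records, or -1 on malformed data. max_needs bounds the outer loop as
 * defence in depth: with the wrap checks an offset can only grow, so a cycle
 * is already impossible. */
long
walk_verneed (const uint8_t *sec, size_t len, unsigned long max_needs)
{
  size_t need_off = 0;
  unsigned long needs = 0;
  long auxes = 0;
  for (;;)
    {
      struct verneed vn;
      if (!record_ok (need_off, len, sizeof vn) || ++needs > max_needs)
        return -1;
      memcpy (&vn, sec + need_off, sizeof vn);
      if (vn.vn_aux > len - need_off)          /* relative: check, then add */
        return -1;
      size_t aux_off = need_off + vn.vn_aux;
      for (uint16_t i = 0; i < vn.vn_cnt; i++)
        {
          struct vernaux vna;
          if (!record_ok (aux_off, len, sizeof vna))
            return -1;
          memcpy (&vna, sec + aux_off, sizeof vna);
          auxes++;
          if (vna.vna_next == 0)
            break;
          if (vna.vna_next > len - aux_off)
            return -1;
          aux_off += vna.vna_next;
        }
      if (vn.vn_next == 0)
        return auxes;
      if (vn.vn_next > len - need_off)
        return -1;
      need_off += vn.vn_next;
    }
}

static void put16 (uint8_t *p, uint16_t v) { memcpy (p, &v, sizeof v); }
static void put32 (uint8_t *p, uint32_t v) { memcpy (p, &v, sizeof v); }

static void
put_verneed (uint8_t *p, uint16_t cnt, uint32_t aux, uint32_t next)
{
  put16 (p, 1); put16 (p + 2, cnt); put32 (p + 4, 0);
  put32 (p + 8, aux); put32 (p + 12, next);
}

static void
put_vernaux (uint8_t *p, uint32_t next)
{
  put32 (p, 0x0d0e0f10); put16 (p + 4, 0); put16 (p + 6, 2);
  put32 (p + 8, 1); put32 (p + 12, next);
}

/* Constructed 80-byte section: Verneed at 0 with Vernaux at 16 and 32, then
 * Verneed at 48 with Vernaux at 64. first_aux is planted into the first
 * vn_aux and second_next into the second vn_next so bad values can be tried:
 * (16, 0) is well formed, first_aux 18 is misaligned, 96 is past the end,
 * and second_next 0xfffffff0 would wrap a 32-bit offset 48 back to 32. */
long
walk_sample (uint32_t first_aux, uint32_t second_next)
{
  uint8_t buf[80];
  put_verneed (buf + 0, 2,         first_aux, 48);
  put_vernaux (buf + 16, 16);
  put_vernaux (buf + 32, 0);
  put_verneed (buf + 48, 1, 16, second_next);
  put_vernaux (buf + 64, 0);
  return walk_verneed (buf, sizeof buf, 1000);
}
```

walk_sample (16, 0) returns 3; walk_sample (18, 0), walk_sample (96, 0), walk_sample (16, 48) and walk_sample (16, 0xfffffff0u) all return -1. The ordering of the checks is the point: comparing the 32-bit delta against len - offset (with offset already known to be at most len) decides the question before any addition happens, which is what makes the result independent of the width of size_t, and reading each record with memcpy removes the alignment dependence that UBSan flagged in the in-place converter.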
Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
Comment #1 on issue 45705 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c1

ASAN report

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/leak-919ecedf38381f07ca17919209098f636c73aae7
=================================================================
==426037==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 7175 byte(s) in 1 object(s) allocated from:
    #0 0x8179625 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x82aa297 in read_long_names /src/elfutils/libelf/elf_begin.c:784:10
    #2 0x82aa297 in __libelf_next_arhdr_wrlock /src/elfutils/libelf/elf_begin.c:912:8
    #3 0x82ab8aa in dup_elf /src/elfutils/libelf/elf_begin.c:1061:10
    #4 0x82ab8aa in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #5 0x82ab3a9 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x81ba74d in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #7 0x81ba74d in process_file /src/elfutils/libdwfl/offline.c:125:14
    #8 0x81bb32b in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #9 0x81bb32b in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c2cee4 in __libc_start_main

Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x81797d1 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x82a594b in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x82a594b in file_read_ar /src/elfutils/libelf/elf_begin.c:59:9
    #3 0x82a594b in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:570:14
    #4 0x82abd22 in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #5 0x82ab2ed in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x81c7d03 in libdw_open_elf /src/elfutils/libdwfl/open.c:131:14
    #7 0x81c7c33 in __libdw_open_file /src/elfutils/libdwfl/open.c:197:10
    #8 0x81bb2b8 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:281:22
    #9 0x81bb2b8 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c2cee4 in __libc_start_main

Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x81797d1 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x82a5abb in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x82a5abb in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:578:10
    #3 0x82abd22 in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #4 0x82ab83b in dup_elf /src/elfutils/libelf/elf_begin.c:1067:12
    #5 0x82ab83b in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #6 0x82ab3a9 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #7 0x81ba74d in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #8 0x81ba74d in process_file /src/elfutils/libdwfl/offline.c:125:14
    #9 0x81bb32b in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #10 0x81bb32b in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #11 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #12 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
Comment #2 on issue 45705 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c2

(No comment was entered for this change.)

Attachments:
	clusterfuzz-testcase-minimized-fuzz-libdwfl-5085329692950528 11.1 KB

--
You received this message because:
  1. You were specifically CC'd on the issue
You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.
[PATCH] libelf: Don't overflow offsets in elf_cvt_Verneed and elf_cvt_Verdef
The conversion functions for Verdef and Verneed keep offsets to the next structure. Make sure that following vd_aux, vda_next, vd_next, vn_aux, vna_next and vn_next don't overflow (and wrap around) the offsets. Signed-off-by: Mark Wielaard --- libelf/ChangeLog | 7 ++ libelf/version_xlate.h | 56 -- 2 files changed, 55 insertions(+), 8 deletions(-) diff --git a/libelf/ChangeLog b/libelf/ChangeLog index f6b47c68..ea204e2b 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,10 @@ +2022-03-20 Mark Wielaard + + * version_xlate.h (elf_cvt_Verdef): Make sure aux_offset and + def_offset don't overflow. + (elf_cvt_Verneed): Make sure aux_offset and need_offset don't + overflow. + 2022-03-18 Mark Wielaard * version_xlate.h (elf_cvt_Verdef): Check alignment of def_offset diff --git a/libelf/version_xlate.h b/libelf/version_xlate.h index b7bd301d..97f3b730 100644 --- a/libelf/version_xlate.h +++ b/libelf/version_xlate.h @@ -87,10 +87,16 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode) ddest->vd_aux = bswap_32 (dsrc->vd_aux); ddest->vd_next = bswap_32 (dsrc->vd_next); + if (ddest->vd_aux > len - def_offset) + return; aux_offset = def_offset + ddest->vd_aux; } else - aux_offset = def_offset + dsrc->vd_aux; + { + if (dsrc->vd_aux > len - def_offset) + return; + aux_offset = def_offset + dsrc->vd_aux; + } /* Handle all the auxiliary records belonging to this definition. */ do 
@@ -107,19 +113,29 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode) asrc = (GElf_Verdaux *) ((char *) src + aux_offset); if (encode) - aux_offset += asrc->vda_next; + { + if (asrc->vda_next > len - aux_offset) + return; + aux_offset += asrc->vda_next; + } adest->vda_name = bswap_32 (asrc->vda_name); adest->vda_next = bswap_32 (asrc->vda_next); if (! encode) - aux_offset += adest->vda_next; + { + if (adest->vda_next > len - aux_offset) + return; + aux_offset += adest->vda_next; + } } while (asrc->vda_next != 0); /* Encode now if necessary. */ if (encode) { + if (dsrc->vd_next > len - def_offset) + return; def_offset += dsrc->vd_next; ddest->vd_version = bswap_16 (dsrc->vd_version); @@ -131,7 +147,11 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode) ddest->vd_next = bswap_32 (dsrc->vd_next); } else - def_offset += ddest->vd_next; + { + if (ddest->vd_next > len - def_offset) + return; + def_offset += ddest->vd_next; + } } while (dsrc->vd_next != 0); } @@ -188,10 +208,16 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode) ndest->vn_aux = bswap_32 (nsrc->vn_aux); ndest->vn_next = bswap_32 (nsrc->vn_next); + if (ndest->vn_aux > len - need_offset) + return; aux_offset = need_offset + ndest->vn_aux; } else - aux_offset = need_offset + nsrc->vn_aux; + { + if (nsrc->vn_aux > len - need_offset) + return; + aux_offset = need_offset + nsrc->vn_aux; + } /* Handle all the auxiliary records belonging to this requirement. */ do @@ -208,7 +234,11 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode) asrc = (GElf_Vernaux *) ((char *) src + aux_offset); if (encode) - aux_offset += asrc->vna_next; + { + if (asrc->vna_next > len - aux_offset) + return; + aux_offset += asrc->vna_next; + } adest->vna_hash = bswap_32 (asrc->vna_hash); adest->vna_flags = bswap_16 (asrc->vna_flags); 
@@ -217,13 +247,19 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode) adest->vna_next = bswap_32 (asrc->vna_next); if (! encode) - aux_offset += adest->vna_next; + { + if (adest->vna_next > len - aux_offset) + return; + aux_offset += adest->vna_next; + } } while (asrc->vna_next != 0); /* Encode now if necessary. */ if (encode) { + if (nsrc->vn_next > len - need_offset) + return; need_offset += nsrc->vn_next; ndest->vn_version = bswap_16 (nsrc->vn_version); @@ -233,7 +269,11 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode) ndest->vn_next = bswap_32 (nsrc->vn_next); } else - need_offset += ndest->vn_next; + { + if (ndest->vn
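Review bot: the `if (ddest->vd_aux > len - def_offset) return;` guards in the elf_cvt_Verdef hunks (and the matching `vda_next`/`vd_next` ones) accept an increment that lands exactly on `len`, and `len - def_offset` silently underflows if `def_offset` is ever above `len`; both are only safe if the record-size test ahead of each `dsrc`/`asrc` dereference (not in these hunks' context lines) still runs before the next read, which is worth confirming. A one-line comment above the first guard stating that `def_offset <= len` holds there would make the invariant explicit. Separately, each new bare `return` leaves `dest` partly converted with nothing signalled to the caller; if silently dropping a truncated chain is the intended behaviour, it deserves a comment as well.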
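Review bot: the guard-and-advance pair `if (x > len - off) return; off += x;` now appears eight times across the elf_cvt_Verdef and elf_cvt_Verneed hunks with only the field and offset names changing (the encode and decode branches differ only in whether `asrc` or `adest` supplies the value); a small static inline helper taking `&off`, the increment and `len` and returning false on overflow would keep the copies from drifting apart and make the intent, that `off + x` must not exceed `len` and must be computed without wrapping, visible at every call site.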
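The guard the patch above adds (advance an offset only when the increment fits in the room left before `len`, so the addition can neither run past the buffer nor wrap) is easiest to see on a stripped-down chain walker. The following is an added example written for this page, not elfutils code: a constructed `aux_rec` record stands in for the Verdaux/Vernaux records with their self-relative `next` fields, `walk_chain_safe` applies the patch's `next > len - off` test plus a record-size test before each read, and `walk_chain_naive` keeps the unchecked `off += next` with a 32-bit offset so the wrap-around cycle the commit message refers to is observable on any host. The sample chains are constructed inputs.

```c
/* Added example for this page (not elfutils code): walking a chain of
   self-relative "next" records, the way Verdef/Verdaux/Verneed/Vernaux are
   chained in version_xlate.h, with and without the overflow guard on the
   offset advance. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for GElf_Verdaux: a payload word and a byte offset
   to the next record, relative to the start of this one (0 ends the chain). */
struct aux_rec {
  uint32_t name;
  uint32_t next;
};

/* True if a whole record fits at `off` inside buf[0..len). */
static int record_fits(size_t off, size_t len)
{
  return off <= len && len - off >= sizeof(struct aux_rec);
}

/* Walker with the patch's guard: the offset is advanced only when the
   increment is no larger than the room left, so `off + next` never exceeds
   `len` and never wraps.  Returns the number of records visited, or -1 if
   the chain is malformed. */
int walk_chain_safe(const unsigned char *buf, size_t len)
{
  size_t off = 0;
  int count = 0;
  for (;;) {
    struct aux_rec rec;
    if (!record_fits(off, len))
      return -1;
    memcpy(&rec, buf + off, sizeof rec);   /* memcpy: no alignment assumptions */
    count++;
    if (rec.next == 0)
      return count;
    if (rec.next > len - off)               /* the guard the patch introduces */
      return -1;
    off += rec.next;
  }
}

/* The pre-patch shape: unchecked `off += next`.  A 32-bit offset is used so
   the wrap is observable on any host; `max_steps` bounds the loop because a
   wrapped offset can land on an earlier record and cycle forever.  Returns
   records visited (max_steps if it cycled), or -1 if a record falls outside
   the buffer. */
int walk_chain_naive(const unsigned char *buf, size_t len, int max_steps)
{
  uint32_t off = 0;
  int count = 0;
  while (count < max_steps) {
    struct aux_rec rec;
    if (!record_fits(off, len))
      return -1;
    memcpy(&rec, buf + off, sizeof rec);
    count++;
    if (rec.next == 0)
      return count;
    off += rec.next;                        /* may wrap: 8 + 0xFFFFFFF8 == 0 */
  }
  return count;
}

/* Constructed inputs, in host byte order so they match what memcpy reads. */
static const struct aux_rec good_chain[3] = { {1, 8}, {2, 8}, {3, 0} };
static const struct aux_rec wrap_chain[2] = { {1, 8}, {2, 0xFFFFFFF8u} }; /* wraps back to record 0 */
static const struct aux_rec past_chain[2] = { {1, 8}, {2, 100} };         /* points past the buffer */
static const struct aux_rec edge_chain[2] = { {1, 8}, {2, 8} };           /* lands exactly at len */

int main(void)
{
  const unsigned char *g = (const unsigned char *)good_chain;
  const unsigned char *w = (const unsigned char *)wrap_chain;
  const unsigned char *p = (const unsigned char *)past_chain;
  const unsigned char *e = (const unsigned char *)edge_chain;
  printf("good: safe=%d naive=%d\n", walk_chain_safe(g, sizeof good_chain), walk_chain_naive(g, sizeof good_chain, 50));
  printf("wrap: safe=%d naive=%d\n", walk_chain_safe(w, sizeof wrap_chain), walk_chain_naive(w, sizeof wrap_chain, 50));
  printf("past: safe=%d naive=%d\n", walk_chain_safe(p, sizeof past_chain), walk_chain_naive(p, sizeof past_chain, 50));
  printf("edge: safe=%d naive=%d\n", walk_chain_safe(e, sizeof edge_chain), walk_chain_naive(e, sizeof edge_chain, 50));
  return 0;
}
```

The `past` and `edge` chains are caught by both walkers, because a record-size test before each read was never the missing piece; only the `wrap` chain separates them: the naive walker's offset wraps to 0, revisits the first record and spins until `max_steps`, while the guarded walker rejects it at the second record. The `edge` case also shows why the guard's `>` rather than `>=` is fine as long as the record-size test runs before the next read.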
[PATCH] tests: Check addsections test binary is 64bit for run-large-elf-file.sh
The test binary should be 64bit to be able to create 4GB, or larger, ELF files. https://sourceware.org/bugzilla/show_bug.cgi?id=28975 Signed-off-by: Mark Wielaard --- tests/ChangeLog | 4 tests/run-large-elf-file.sh | 11 +++ 2 files changed, 15 insertions(+) diff --git a/tests/ChangeLog b/tests/ChangeLog index c97ed52e..c195f9f7 100644 --- a/tests/ChangeLog +++ b/tests/ChangeLog @@ -1,3 +1,7 @@ +2022-03-20 Mark Wielaard + + * run-large-elf-file.sh: Check elf class of addsections binary. + 2021-12-17 Mark Wielaard * run-debuginfod-query-retry.sh: Use /bin/sh instead of /bin/ls. diff --git a/tests/run-large-elf-file.sh b/tests/run-large-elf-file.sh index 667d24d8..7116de53 100755 --- a/tests/run-large-elf-file.sh +++ b/tests/run-large-elf-file.sh @@ -1,5 +1,6 @@ #! /usr/bin/env bash # Copyright (C) 2019 Red Hat, Inc. +# Copyright (C) 2022 Mark J. Wielaard # This file is part of elfutils. # # This file is free software; you can redistribute it and/or modify @@ -26,6 +27,16 @@ if test $long_bit -ne 64; then exit 77 fi +# The test binary also needs to be 64bits itself +elfclass=64 +testrun ${abs_top_builddir}/src/readelf -h ${abs_builddir}/addsections | grep ELF32 \ + && elfclass=32 +echo elfclass: $elfclass +if test $elfclass -ne 64; then + echo "Only 64bit binaries can create > 4GB ELF files" + exit 77 +fi + # These tests need lots of disk space since they test files > 4GB. # Skip if there just isn't enough (2.5 * 4 = 10GB). space_available=$[$(stat -f --format="%a*%S" .)/(1024 * 1024 * 1024)] -- 2.30.2
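Review bot: in the run-large-elf-file.sh hunk, `elfclass` defaults to 64 and is only lowered when `grep ELF32` matches, so a missing or unreadable `addsections` binary (readelf printing nothing) lets the test proceed instead of skipping; matching the positive case fails closed, e.g. keeping the readelf call but testing `| grep -q ELF64 || exit 77` (with the existing "Only 64bit binaries" message before the exit). `grep -q` would also keep the `Class:` line out of the test log, which the current `grep ELF32` echoes whenever it matches.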
[Bug general/28975] run-large-elf-file.sh fails in 32-bit cross-compile on 64-bit machine
https://sourceware.org/bugzilla/show_bug.cgi?id=28975

Mark Wielaard changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |mark at klomp dot org
           Assignee|unassigned at sourceware dot org |mark at klomp dot org
     Ever confirmed|0                                |1
   Last reconfirmed|                                 |2022-03-20
             Status|UNCONFIRMED                      |ASSIGNED

--- Comment #1 from Mark Wielaard ---
You are right, we should (also) test that the test binary itself is 64bits.
I would propose adding something like this:

# The test binary also needs to be 64bits itself
elfclass=64
testrun ${abs_top_builddir}/src/readelf -h ${abs_builddir}/addsections | grep ELF32 \
  && elfclass=32
echo elfclass: $elfclass
if test $elfclass -ne 64; then
  echo "Only 64bit binaries can create > 4GB ELF files"
  exit 77
fi

Full patch: https://sourceware.org/pipermail/elfutils-devel/2022q1/004752.html

--
You are receiving this mail because:
You are on the CC list for the bug.
[PATCH] configure: Don't check whether -m64 works for 32bit host biarch check
Running a 32bit backtrace test against a 64bit binary doesn't work. Only a 64bit binary can backtrace a 32bit binary. So disable the biarch check that inserts -m64 for a 32bit host. https://sourceware.org/bugzilla/show_bug.cgi?id=24158 Signed-off-by: Mark Wielaard --- ChangeLog| 5 + configure.ac | 2 -- m4/ChangeLog | 4 m4/biarch.m4 | 2 +- 4 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2f46f903..3357f69b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2021-03-20 Mark Wielaard + + * configure.ac: Remove -m64 on 32bit target comments for + utrace_BIARCH check. + 2021-03-14 Mark Wielaard * configure.ac: Use AS_HELP_STRING instead of AC_HELP_STRING. diff --git a/configure.ac b/configure.ac index 1aff9f30..2418d474 100644 --- a/configure.ac +++ b/configure.ac @@ -706,9 +706,7 @@ if test "$sys_user_has_user_regs" = "yes"; then fi # On a 64-bit host where can can use $CC -m32, we'll run two sets of tests. -# Likewise in a 32-bit build on a host where $CC -m64 works. utrace_BIARCH -# `$utrace_biarch' will be `-m64' even on an uniarch i386 machine. CC_BIARCH="$CC $utrace_biarch" AC_SUBST([CC_BIARCH]) diff --git a/m4/ChangeLog b/m4/ChangeLog index d4c3c28c..8729f58c 100644 --- a/m4/ChangeLog +++ b/m4/ChangeLog @@ -1,3 +1,7 @@ +2022-03-20 Mark Wielaard + + * biarch.m4: Don't check whether -m64 works for 32bit host. + 2022-03-14 Mark Wielaard * biarch.m4: Use AS_HELP_STRING instead of AC_HELP_STRING. diff --git a/m4/biarch.m4 b/m4/biarch.m4 index 68618473..c7baead7 100644 --- a/m4/biarch.m4 +++ b/m4/biarch.m4 @@ -34,7 +34,7 @@ AC_ARG_WITH([biarch], AS_IF([test $utrace_biarch_forced = yes], [dnl utrace_cv_cc_biarch=yes AC_MSG_NOTICE([enabling biarch tests regardless using $biarch_CC])], [dnl -AS_IF([test x$utrace_cv_CC_m32 != xnone], [dnl +AS_IF([test x$utrace_cv_CC_m32 != xnone -a x$utrace_cv_host64 != xno], [dnl AC_CACHE_CHECK([whether $biarch_CC makes executables we can run], utrace_cv_cc_biarch, [dnl save_CC="$CC" -- 2.30.2
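Review bot: the top-level ChangeLog hunk dates the new entry `2021-03-20` while the m4/ChangeLog hunk in the same patch says `2022-03-20`, and the existing entry it sits above (`2021-03-14`, the AS_HELP_STRING change) is dated `2022-03-14` in m4/ChangeLog; the 2021 dates in the top-level file look like a typo and are worth fixing while that file is being touched.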
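Review bot: the kept context line `# On a 64-bit host where can can use $CC -m32, we'll run two sets of tests.` in the configure.ac hunk has a doubled `can`; since the two comment lines after it are being removed anyway, fix it in the same hunk, and consider adding one sentence saying that a 32-bit host now gets no biarch run at all, since only the deleted lines used to describe that case.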
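Review bot: in the biarch.m4 hunk, `test x$utrace_cv_CC_m32 != xnone -a x$utrace_cv_host64 != xno` relies on the `-a` binary primary, which POSIX marks obsolescent and some shells parse ambiguously; `test x$utrace_cv_CC_m32 != xnone && test x$utrace_cv_host64 != xno` is the portable spelling. The hunk also does not show where `utrace_cv_host64` is computed, so it is worth confirming it is set before this AS_IF runs: an unset variable makes the comparison read `x != xno`, which is true, and the -m64 check would be re-enabled exactly as before the patch.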
Issue 45636 in oss-fuzz: elfutils:fuzz-libdwfl: Crash in read_long_names
Comment #3 on issue 45636 by evv...@gmail.com: elfutils:fuzz-libdwfl: Crash in read_long_names
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45636#c3

It seems to be a duplicate of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628. Any idea why OSS-Fuzz keeps reporting it? It can't be reproduced with libfuzzer either: https://github.com/google/oss-fuzz/pull/7403
Re: Some fuzzer workarounds
Hi

> Given that the new fuzz targets seem to just fail to compile with
> ```
> projects/elfutils/fuzz-libdwfl.c:48:10: error: unused variable 'res' [-Werror,-Wunused-variable]
>   Dwarf *res = dwfl_module_getdwarf(mod, &bias);
>          ^
> 1 error generated.
> ```

I've just opened https://github.com/google/oss-fuzz/pull/7408 where the fuzz targets are built with -Werror -Wall -Wextra among other things.

Thanks,
Evgeny Vereshchagin
Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
Comment #4 on issue 45630 by evv...@gmail.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c4

Issues like that are bogus and https://github.com/google/oss-fuzz/pull/7401 should fix them. Since it's a "security" issue it would be great if OSS-Fuzz could mark them "Invalid" so that bash scripts generating CVEs based on OSS-Fuzz reports could ignore them (I hope they ignore "Invalid" issues. I'm not exactly sure how they work).
Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
Comment #3 on issue 45705 by evv...@gmail.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c3

Reproducer testcases are publicly available and can be downloaded using links in bug reports. Since every comment is forwarded to the mailing list I wonder if it would be possible to either attach testcases along with backtraces or not attach them at all (since they are already publicly available)?