[Bug libelf/29000] Conditional jump or move depends on uninitialised value in elf_compress_gnu
https://sourceware.org/bugzilla/show_bug.cgi?id=29000 --- Comment #4 from Evgeny Vereshchagin --- I rebased the "fuzz" branch on top of my fork and ran all the tests in https://github.com/evverx/elfutils/pull/73. MSan no longer complains. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.
Re: [PATCH] readelf: PR28928 - wrong dynamic section entry number
>From b0da0a6f6c9a57a37a144a806ecd219a76c66b54 Mon Sep 17 00:00:00 2001 From: Di Chen Date: Tue, 1 Mar 2022 20:44:38 +0800 Subject: [PATCH] readelf: Don't consider padding DT_NULL as dynamic section entry when using `$ eu-readelf -d {FILE}` to get the number of dynamic section entris, it wrongly counts the padding DT_NULLs as dynamic section entries. However, DT_NULL Marks end of dynamic section. They should not be considered as dynamic section entries. https://sourceware.org/bugzilla/show_bug.cgi?id=28928 Signed-off-by: Di Chen --- src/readelf.c | 49 -- tests/alldts.c | 5 +++-- tests/run-alldts.sh| 2 +- tests/run-readelf-d.sh | 7 +- 4 files changed, 48 insertions(+), 15 deletions(-) diff --git a/src/readelf.c b/src/readelf.c index 93fb5989..0d70bb47 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -296,6 +296,7 @@ static void print_shdr (Ebl *ebl, GElf_Ehdr *ehdr); static void print_phdr (Ebl *ebl, GElf_Ehdr *ehdr); static void print_scngrp (Ebl *ebl); static void print_dynamic (Ebl *ebl); +static void handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr); static void print_relocs (Ebl *ebl, GElf_Ehdr *ehdr); static void handle_relocs_rel (Ebl *ebl, GElf_Ehdr *ehdr, Elf_Scn *scn, GElf_Shdr *shdr); 
@@ -1781,16 +1782,54 @@ print_dt_posflag_1 (int class, GElf_Xword d_val) } +static GElf_Phdr * +get_dyn_phdr (Elf *elf) +{ + GElf_Phdr *phdr = NULL; + for (size_t i = 0; i < phnum; ++i) { +GElf_Phdr phdr_mem; +phdr = gelf_getphdr(elf, i, &phdr_mem); +if (phdr->p_type == PT_DYNAMIC) { + break; +} + } + return phdr; +} + + +static size_t +get_dyn_scnents (Elf *elf, GElf_Phdr * dyn_phdr) +{ + Elf_Data *data = elf_getdata_rawchunk( + elf, dyn_phdr->p_offset, dyn_phdr->p_filesz, ELF_T_DYN); + GElf_Dyn *dyn; + size_t dyn_idx = 0; + do + { +GElf_Dyn dyn_mem; +dyn = gelf_getdyn(data, dyn_idx, &dyn_mem); +++dyn_idx; + } while (dyn->d_tag != DT_NULL); + + return dyn_idx; +} + + static void handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) { int class = gelf_getclass (ebl->elf); + GElf_Phdr *dyn_phdr; GElf_Shdr glink_mem; GElf_Shdr *glink; Elf_Data *data; size_t cnt; size_t shstrndx; - size_t sh_entsize; + size_t dyn_scnents; + + /* Get the dynamic section entry number */ + dyn_phdr = get_dyn_phdr (ebl->elf); + dyn_scnents = get_dyn_scnents (ebl->elf, dyn_phdr); /* Get the data of the section. */ data = elf_getdata (scn, NULL); @@ -1802,8 +1841,6 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) error (EXIT_FAILURE, 0, _("cannot get section header string table index")); - sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT); - glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem); if (glink == NULL) error (EXIT_FAILURE, 0, _("invalid sh_link value in section %zu"), 
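Review bot: `get_dyn_phdr` returns a pointer into `phdr_mem`, a local declared inside the loop body, so the `dyn_phdr->p_offset` read in `get_dyn_scnents` goes through a dangling pointer; it also dereferences `phdr` without checking `gelf_getphdr` for NULL, and when no PT_DYNAMIC exists (ET_REL objects, or a file with a .dynamic section but no such segment) it returns the last header instead of NULL. `get_dyn_scnents` has the same shape: `elf_getdata_rawchunk` and `gelf_getdyn` can both return NULL and the `do`/`while` has no upper bound, so a segment whose `p_filesz` does not cover a DT_NULL terminator crashes rather than stopping, and eu-readelf is routinely run on untrusted and fuzzed inputs (see the fuzz reports on this page), so these are crash-on-input defects rather than corner cases. The resulting count is then used in the @@ -1813 hunk as the loop bound over the section `data` from `elf_getdata (scn, NULL)`, a different object than the segment chunk, so it should be clamped to what the section actually holds (`shdr->sh_size / sh_entsize`, which the @@ -1802 hunk removes). A simpler alternative is to drop the phdr lookup entirely and count entries in the section data up to and including the first DT_NULL, bounded by the section size; the sketch below keeps the helpers but adds the bound, the NULL checks and caller-owned storage for the phdr. `handle_dynamic` continues past the hunk.
```c
static GElf_Phdr *
get_dyn_phdr (Elf *elf, GElf_Phdr *phdr_mem)
{
  /* phdr_mem is caller-provided so the returned pointer outlives this call.  */
  for (size_t i = 0; i < phnum; ++i)
    {
      GElf_Phdr *phdr = gelf_getphdr (elf, i, phdr_mem);
      if (phdr != NULL && phdr->p_type == PT_DYNAMIC)
	return phdr;
    }
  return NULL;
}

/* Count entries up to and including the first DT_NULL, never more than
   MAX_ENTS (the number of entries the .dynamic section itself holds).  */
static size_t
get_dyn_scnents (Elf *elf, GElf_Phdr *dyn_phdr, size_t max_ents)
{
  if (dyn_phdr == NULL)
    return max_ents;
  Elf_Data *data = elf_getdata_rawchunk (elf, dyn_phdr->p_offset,
					 dyn_phdr->p_filesz, ELF_T_DYN);
  if (data == NULL)
    return max_ents;
  size_t dyn_idx = 0;
  while (dyn_idx < max_ents)
    {
      GElf_Dyn dyn_mem;
      GElf_Dyn *dyn = gelf_getdyn (data, dyn_idx, &dyn_mem);
      if (dyn == NULL)
	break;
      ++dyn_idx;
      if (dyn->d_tag == DT_NULL)
	break;
    }
  return dyn_idx;
}

/* … unchanged: handle_dynamic signature and other declarations … */
  GElf_Phdr dyn_phdr_mem;
  GElf_Phdr *dyn_phdr;
  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
  size_t dyn_scnents;

  /* The section bounds the count; PT_DYNAMIC (when present and sane)
     trims padding after the terminating DT_NULL.  */
  dyn_phdr = get_dyn_phdr (ebl->elf, &dyn_phdr_mem);
  dyn_scnents = get_dyn_scnents (ebl->elf, dyn_phdr,
				 shdr->sh_size / sh_entsize);
```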
@@ -1813,15 +1850,15 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr) \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n", "\ \nDynamic segment contains %lu entries:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n", -shdr->sh_size / sh_entsize), - (unsigned long int) (shdr->sh_size / sh_entsize), +dyn_scnents), + (unsigned long int) dyn_scnents, class == ELFCLASS32 ? 10 : 18, shdr->sh_addr, shdr->sh_offset, (int) shdr->sh_link, elf_strptr (ebl->elf, shstrndx, glink->sh_name)); fputs_unlocked (_(" Type Value\n"), stdout); - for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt) + for (cnt = 0; cnt < dyn_scnents; ++cnt) { GElf_Dyn dynmem; GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dynmem); diff --git a/tests/alldts.c b/tests/alldts.c index 3e9f9fe6..d0fe4f24 100644 --- a/tests/alldts.c +++ b/tests/alldts.c @@ -44,7 +44,7 @@ main (void) Dwelf_Strent *shstrtabse; const Elf32_Sword dtflags[] = { - DT_NULL, DT_NEEDED, DT_PLTRELSZ, DT_PLTGOT, + DT_NEEDED, DT_PLTRELSZ, DT_PLTGOT, DT_HASH, DT_STRTAB, DT_SYMTAB, DT_RELA, DT_RELASZ, DT_RELAENT, DT_STRSZ, DT_SYMENT, DT_INIT, DT_FINI, DT_SONAME, DT_RPATH, @@ -61,7 +61,8 @@ main (void) DT_GNU_LIBLIST, DT_CONFIG, DT_DEPAUDIT, DT_AUDIT, DT_PLTPAD, DT_MOVETAB, DT_SYMINFO, DT_RELACOUNT, DT_RELCOUNT, DT_FLAGS_1, DT_VERDEF, DT_VERDEFNUM, - DT_VERNEED, DT_VERNEEDNUM, DT_AUXILIARY, DT_FILTER + DT_VERNEED, DT_VERNEEDNUM, DT_AUXILIARY, DT_FILTER, + DT_NULL }; const int ndtflags = sizeof (dtflags) / sizeof (dtflags[0]); diff --git a/tests/run-alldts.sh b/tests/run-alldts.sh index 6a9a9ece..ce3630b0 100755 --- a/tests/run-alldts.sh +++ b/tests/run-alldts.sh @@ -27,7 +27,6 @@ testrun_compare ${abs_top_builddir}/src/readelf -d testfile-alldts <<\EOF Dynamic segment contains 66 entries: Addr: 0x01a0 Offset: 0x78 Link to section:
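Review bot: Moving DT_NULL from the head of `dtflags` to its tail here and in the @@ -61 hunk leaves the generated .dynamic ending in exactly one DT_NULL with no padding, so the visible part of `run-alldts.sh` (still expecting `66 entries`) exercises only the case the old `sh_size / sh_entsize` count already got right; the padding-DT_NULL case the commit message describes is not pinned by any test. Consider appending one or two extra DT_NULL entries to `dtflags` (making the section larger than the logical entry list) while keeping the expected `66 entries`, which would fail on the old code and pass on the new, and ideally a second fixture without a PT_DYNAMIC segment to cover the fallback path. The array is inside `main`, whose body continues outside the hunk.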
[Bug tools/28928] Wrong dynamic section entry number
https://sourceware.org/bugzilla/show_bug.cgi?id=28928 Di Chen changed: What|Removed |Added CC||dichen at redhat dot com --- Comment #1 from Di Chen --- Created attachment 14042 --> https://sourceware.org/bugzilla/attachment.cgi?id=14042&action=edit [PATCH] readelf: Don't consider padding DT_NULL as dynamic section when using `$ eu-readelf -d {FILE}` to get the number of dynamic section entries, it wrongly counts the padding DT_NULLs as dynamic section entries. However, DT_NULL marks the end of the dynamic section. They should not be considered as dynamic section entries. -- You are receiving this mail because: You are on the CC list for the bug.
[Bug tools/28928] Wrong dynamic section entry number
https://sourceware.org/bugzilla/show_bug.cgi?id=28928 Di Chen changed: What|Removed |Added Blocks||28873 Referenced Bugs: https://sourceware.org/bugzilla/show_bug.cgi?id=28873 [Bug 28873] Implement eu-readelf -D -- You are receiving this mail because: You are on the CC list for the bug.
[Bug tools/28873] Implement eu-readelf -D
https://sourceware.org/bugzilla/show_bug.cgi?id=28873 Di Chen changed: What|Removed |Added Depends on||28928 Referenced Bugs: https://sourceware.org/bugzilla/show_bug.cgi?id=28928 [Bug 28928] Wrong dynamic section entry number -- You are receiving this mail because: You are on the CC list for the bug.
Re: [PATCH] Introduce error_exit as a noreturn variant of error (EXIT_FAILURE, ...)
Hi, On Sun, 2022-03-27 at 23:32 +0200, Mark Wielaard wrote: > error (EXIT_FAILURE, ...) should be noreturn but on some systems it > isn't. This may cause warnings about code that should not be > reachable. So have an explicit error_exit wrapper that is noreturn > (because it calls exit explicitly). Use error_exit in all tools > under the src directory. > > https://bugzilla.redhat.com/show_bug.cgi?id=2068692 Pushed, Mark
[Bug libelf/29000] Conditional jump or move depends on uninitialised value in elf_compress_gnu
https://sourceware.org/bugzilla/show_bug.cgi?id=29000 Mark Wielaard changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|--- |FIXED --- Comment #5 from Mark Wielaard --- (In reply to Evgeny Vereshchagin from comment #4) > I rebased the "fuzz" branch on top of my fork and ran all the tests in > https://github.com/evverx/elfutils/pull/73. MSan no longer complains. Thanks! Thanks for testing. Pushed as: commit e3e2ae06fbfcd1b2f3de6945689ef9d9c94a2123 Author: Mark Wielaard Date: Wed Mar 30 00:17:08 2022 +0200 libelf: Also copy/convert partial datastructures in xlate functions The generated xlate functions can only convert full datastructures, dropping any trailing partial data on the floor. That means some of the data might be undefined. Just copy over the trailing bytes as is. That data isn't really usable. But at least it is defined data. https://sourceware.org/bugzilla/show_bug.cgi?id=29000 Signed-off-by: Mark Wielaard -- You are receiving this mail because: You are on the CC list for the bug.
Issue 46095 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in elf_compress_gnu
Updates: Labels: ClusterFuzz-Verified Status: Verified Comment #2 on issue 46095 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in elf_compress_gnu https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46095#c2 ClusterFuzz testcase 6467719510228992 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_msan_elfutils&range=202203300608:202203301200 If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new -- You received this message because: 1. You were specifically CC'd on the issue You may adjust your notification preferences at: https://bugs.chromium.org/hosting/settings Reply to this email to add a comment.
Issue 46094 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in elf_compress_gnu
Updates: Labels: ClusterFuzz-Verified Status: Verified Comment #2 on issue 46094 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in elf_compress_gnu https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46094#c2 ClusterFuzz testcase 4725021634854912 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_msan_elfutils&range=202203300608:202203301200 If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new -- You received this message because: 1. You were specifically CC'd on the issue You may adjust your notification preferences at: https://bugs.chromium.org/hosting/settings Reply to this email to add a comment.
Issue 46192 in oss-fuzz: elfutils:fuzz-libdwfl: Out-of-memory in fuzz-libdwfl
Status: New Owner: CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izz...@google.com Labels: ClusterFuzz Reproducible Engine-libfuzzer OS-Linux Proj-elfutils Reported-2022-03-30 Type: Bug New issue 46192 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Out-of-memory in fuzz-libdwfl https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46192 Detailed Report: https://oss-fuzz.com/testcase?key=5364854623436800 Project: elfutils Fuzzing Engine: libFuzzer Fuzz Target: fuzz-libdwfl Job Type: libfuzzer_asan_elfutils Platform Id: linux Crash Type: Out-of-memory (exceeds 2560 MB) Crash Address: Crash State: fuzz-libdwfl Sanitizer: address (ASAN) Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:20220317 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5364854623436800 Issue filed automatically. See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally. When you fix this bug, please * mention the fix revision(s). * state whether the bug was a short-lived regression or an old bug in any stable releases. * add any other useful information. This information can help downstream consumers. If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored. -- You received this message because: 1. You were specifically CC'd on the issue You may adjust your notification preferences at: https://bugs.chromium.org/hosting/settings Reply to this email to add a comment.