Re: Fuzzing elfutils
Friendly ping on this?

> On 22 Sept. 2022 at 09:05, Philippe Antoine wrote:
>
> Hello fuzzers,
>
> I am Philippe Antoine, working on oss-fuzz.
>
> I implemented a new sanitizer to detect arbitrary file open.
> One of these was discovered in elfutils with target
> libFuzzer_elfutils_fuzz-dwfl-core
> Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils
>
> I would like to know what you think about this. Is this a bug to you? Or is
> it expected?
> Could this be exploited somehow by an attacker to get secrets such as
> ~/.ssh/id_rsa?
>
> Cheers,
> Philippe
Re: Fuzzing elfutils
Hi -

> > Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils

This is inaccessible without logins.

> > I would like to know what you think about this. Is this a bug to
> > you? Or is it expected? [...]

Crashes on crafted inputs are generally bugs. Security implications are
usually not dire for a tool such as elfutils.

- FChE
Re: Fuzzing elfutils
Hey Philippe,

> I implemented a new sanitizer to detect arbitrary file open.

I think it's an interesting idea. Among other things it seems it can be used
to detect path traversal attacks. I'm not sure how exactly it works at this
point, but if, apart from keeping track of the "open" syscall (and its
variations), it could detect attempts to write data to random files, it
would be great.

> I would like to know what you think about this. Is this a bug to you? Or is
> it expected?
> Could this be exploited somehow by an attacker to get secrets such as
> ~/.ssh/id_rsa?

I don't think it can be exploited to expose stuff that shouldn't be exposed.

Thanks,
Evgeny Vereshchagin
[Bug debuginfod/29714] New: debuginfod rely on gcc being configured with --enable-linker-build-i
https://sourceware.org/bugzilla/show_bug.cgi?id=29714

            Bug ID: 29714
           Summary: debuginfod rely on gcc being configured with
                    --enable-linker-build-i
           Product: elfutils
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: debuginfod
          Assignee: unassigned at sourceware dot org
          Reporter: mliska at suse dot cz
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

FAIL: run-debuginfod-federation-sqlite.sh
...
++ ... /home/marxin/Programming/elfutils/tests/../src/readelf -a L/foo
++ grep 'Build ID'
++ cut -d ' ' -f 7
+ BUILDID=

where L/foo is a symlink to

+ ln -s /home/marxin/Programming/elfutils/tests/dwfllines L/foo

and this file is not explicitly linked with -Wl,--build-id:

rm dwfllines ; make V=1 dwfllines
gcc -std=gnu99 -Wall -Wshadow -Wformat=2 -Wold-style-definition -Wstrict-prototypes -Wtrampolines -Wlogical-op -Wduplicated-cond -Wnull-dereference -Wimplicit-fallthrough=5 -Werror -Wunused -Wextra -Wstack-usage=262144 -D_FORTIFY_SOURCE=3 -g -O2 -Wl,-rpath-link,../libasm:../libdw:../libelf -o dwfllines dwfllines.o ../lib/libeu.a ../libdw/libdw.so ../libelf/libelf.so

--
You are receiving this mail because:
You are on the CC list for the bug.
Re: [PATCH 1/7] Rename 'hello2.spec.' -> 'hello2.spec' 'hello3.spec.' -> 'hello3.spec'
Hi -

> C:\work\xemu\elfutils>git reset --hard
> 4cc429d2761846967678fb8cf5868d311d1f7862
> error: invalid path 'tests/debuginfod-rpms/hello2.spec.'
> fatal: Could not reset index file to revision
> '4cc429d2761846967678fb8cf5868d311d1f7862'.

Sounds like a git-induced problem. Maybe try a different git client?

- FChE
[Bug debuginfod/29714] debuginfod rely on gcc being configured with --enable-linker-build-i
https://sourceware.org/bugzilla/show_bug.cgi?id=29714

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #1 from Mark Wielaard ---
That is odd, this configure.ac snippet should force build-ids on:

# We really want build-ids. Warn and force generating them if gcc was
# configure without --enable-linker-build-id
AC_CACHE_CHECK([whether the compiler generates build-ids], ac_cv_buildid, [dnl
AC_LINK_IFELSE([AC_LANG_PROGRAM()],[ac_cv_buildid=yes; $READELF -n conftest$EXEEXT | grep -q NT_GNU_BUILD_ID || ac_cv_buildid=no],AC_MSG_FAILURE([unexpected compile failure]))])
if test "$ac_cv_buildid" = "no"; then
  AC_MSG_WARN([compiler doesn't generate build-id by default])
  LDFLAGS="$LDFLAGS -Wl,--build-id"
fi

--
You are receiving this mail because:
You are on the CC list for the bug.
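The test script greps 'Build ID' out of readelf output and the configure check greps NT_GNU_BUILD_ID from `readelf -n`; both depend on the linker having emitted a .note.gnu.build-id note. As an added illustration (not elfutils code), here is a small parser that reads that note directly from an ELF64 little-endian image, together with a constructed sample image (not a real binary) so it runs offline; `make_sample_elf(..., with_note=False)` mimics a binary linked without -Wl,--build-id, which is the empty-BUILDID case from the report.

```python
import struct

SHT_NOTE = 7          # section type holding ELF notes
NT_GNU_BUILD_ID = 3   # note type of the GNU build-id, owner name "GNU"


def elf_notes(data):
    """Yield (name, type, desc) for every note in every SHT_NOTE section.
    Assumption: little-endian ELF64 only (enough for the x86-64 test binaries)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    for i in range(e_shnum):
        shdr = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from("<I", data, shdr + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", data, shdr + 0x18)
        if sh_type != SHT_NOTE:
            continue
        pos, end = sh_offset, sh_offset + sh_size
        while pos + 12 <= end:              # Elf64_Nhdr: namesz, descsz, type
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            pos += 12
            name = data[pos:pos + namesz].rstrip(b"\0")
            pos += (namesz + 3) & ~3        # name and desc are 4-byte aligned
            desc = data[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            yield name, ntype, desc


def build_id(data):
    """Hex build-id as 'readelf -n' prints it, or "" when no such note exists."""
    for name, ntype, desc in elf_notes(data):
        if name == b"GNU" and ntype == NT_GNU_BUILD_ID and desc:
            return desc.hex()
    return ""


def make_sample_elf(bid, with_note=True):
    """Constructed minimal ELF64 image: header, one note section, two shdrs.
    with_note=False marks the section SHT_PROGBITS, i.e. no build-id note."""
    note = struct.pack("<III", 4, len(bid), NT_GNU_BUILD_ID) + b"GNU\0" + bid
    note += b"\0" * (-len(note) % 4)
    shoff = 64 + len(note) + (-(64 + len(note)) % 8)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 2, 0)
    sh_type = SHT_NOTE if with_note else 1
    shdrs = b"\0" * 64 + struct.pack("<IIQQQQIIQQ", 0, sh_type, 2, 0, 64, len(note), 0, 0, 4, 0)
    img = ehdr + note
    return img + b"\0" * (shoff - len(img)) + shdrs
```

Running `build_id(open(path, "rb").read())` on a freshly linked test binary is the same check the configure snippet performs with `$READELF -n ... | grep -q NT_GNU_BUILD_ID`.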
[Bug debuginfod/29714] debuginfod rely on gcc being configured with --enable-linker-build-i
https://sourceware.org/bugzilla/show_bug.cgi?id=29714

Martin Liska changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Martin Liska ---
You are correct, fixed after running ./configure with the changed PATH where I
have the latest GCC compiler.

--
You are receiving this mail because:
You are on the CC list for the bug.
Re: Fuzzing elfutils
> > > Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils
> >
> > This is inaccessible without logins.

To judge from
https://github.com/google/oss-fuzz/tree/master/infra/experimental/SystemSan#arbitrary-file-open
that new experimental fuzzer isn't documented yet, but as far as I can tell it
flags "tainted" strings passed to the open syscall. That backtrace points to
https://sourceware.org/git/?p=elfutils.git;a=blob;f=libdwfl/dwfl_segment_report_module.c;h=28f87f10dd3962082ec4b995f43069ffc4b5e3d4;hb=HEAD#l784
and I think it's a false positive. Looking at
https://github.com/google/oss-fuzz/issues/8497 it seems it should be possible
to turn it off eventually.

Thanks,
Evgeny Vereshchagin
[PATCH] debuginfod: Support queries for ELF/DWARF sections
I'm resending this patch with a small modification. I added a new field "progressfn_cancel" to debuginfod_client that indicates whether the most recent query was cancelled due to progressfn returning 1. If a server doesn't support section queries and the client begins downloading a debuginfo or executable in an attempt to extract the section, progressfn_cancel is used to indicate that if the first query was cancelled by the progressfn then the second query should also be skipped. --- ChangeLog | 4 + NEWS| 2 + debuginfod/ChangeLog| 22 ++ debuginfod/Makefile.am | 2 +- debuginfod/debuginfod-client.c | 295 +- debuginfod/debuginfod-find.c| 21 +- debuginfod/debuginfod.cxx | 433 +++- debuginfod/debuginfod.h.in | 6 + debuginfod/libdebuginfod.map| 1 + doc/ChangeLog | 6 + doc/Makefile.am | 1 + doc/debuginfod_find_debuginfo.3 | 26 +- doc/debuginfod_find_section.3 | 1 + tests/ChangeLog | 5 + tests/Makefile.am | 4 +- tests/run-debuginfod-section.sh | 141 +++ 16 files changed, 886 insertions(+), 84 deletions(-) create mode 100644 doc/debuginfod_find_section.3 create mode 100755 tests/run-debuginfod-section.sh diff --git a/ChangeLog b/ChangeLog index 60624183..29b2108e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2022-10-20 Aaron Merey + + * NEWS: Add debuginfod_find_section. + 2022-09-13 Aleksei Vetrov * NEWS (libdwfl): Add dwfl_report_offline_memory. diff --git a/NEWS b/NEWS index 6ebd172c..3e290ff7 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,8 @@ readelf: Add -D, --use-dynamic option. debuginfod: Add --disable-source-scan option. +debuginfod-client: Add new function debuginfod_find_section. + libdwfl: Add new function dwfl_get_debuginfod_client. Add new function dwfl_frame_reg. Add new function dwfl_report_offline_memory. diff --git a/debuginfod/ChangeLog b/debuginfod/ChangeLog index 59d50df1..aacf655b 100644 --- a/debuginfod/ChangeLog +++ b/debuginfod/ChangeLog 
@@ -1,3 +1,25 @@ +2022-10-20 Aaron Merey + + * Makefile.am (libdebuginfod_so_LDLIBS): Add libelf. + * debuginfod-client.c (debuginfod_find_section): New function. + (extract_section): New function. + (maybe_debuginfo_section): New function. + (cache_find_section): New function. + (debuginfod_query_server): Add support for section queries. + * debuginfod-find.c (main): Add support for section queries. + * debuginfod.cxx (extract_section): New function. + (handle_buildid_f_match): Add section parameter. When non-empty, + try to create response from section contents. + (handle_buildid_r_match): Add section parameter. When non-empty, + try to create response from section contents. + (handle_buildid_match): Add section parameter. Pass to + handle_buildid_{f,r}_match. + (handle_buildid): Handle section name when artifacttype is set to + "section". Query upstream servers via debuginfod_find_section + when necessary. + (debuginfod.h.in): Add declaration for debuginfod_find_section. + (libdebuginfod.map): Add debuginfod_find_section. + 2022-10-17 Frank Ch. Eigler * debuginfod.cxx (main): Report libmicrohttpd version. diff --git a/debuginfod/Makefile.am b/debuginfod/Makefile.am index 435cb8a6..f27d6e2e 100644 --- a/debuginfod/Makefile.am +++ b/debuginfod/Makefile.am @@ -97,7 +97,7 @@ libdebuginfod_so_LIBS = libdebuginfod_pic.a if DUMMY_LIBDEBUGINFOD libdebuginfod_so_LDLIBS = else -libdebuginfod_so_LDLIBS = -lpthread $(libcurl_LIBS) $(fts_LIBS) +libdebuginfod_so_LDLIBS = -lpthread $(libcurl_LIBS) $(fts_LIBS) $(libelf) endif $(LIBDEBUGINFOD_SONAME): $(srcdir)/libdebuginfod.map $(libdebuginfod_so_LIBS) $(AM_V_CCLD)$(LINK) $(dso_LDFLAGS) -o $@ \ diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c index 2a14d9d9..c50110b7 100644 --- a/debuginfod/debuginfod-client.c +++ b/debuginfod/debuginfod-client.c 
@@ -44,6 +44,7 @@ #include "system.h" #include #include +#include /* We might be building a bootstrap dummy library, which is really simple. */ #ifdef DUMMY_LIBDEBUGINFOD @@ -55,6 +56,9 @@ int debuginfod_find_executable (debuginfod_client *c, const unsigned char *b, int s, char **p) { return -ENOSYS; } int debuginfod_find_source (debuginfod_client *c, const unsigned char *b, int s, const char *f, char **p) { return -ENOSYS; } +int debuginfod_find_section (debuginfod_client *c, const unsigned char *b, +int s, const char *scn, char **p) + { return -ENOSYS; } void debuginfod_set_progressfn(debuginfod_client *c, debuginfod_progressfn_t fn) { }
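Review bot: in the NEWS hunk, the new entry is filed under a "debuginfod-client:" heading while the neighbouring entries use "debuginfod:" and "libdwfl:"; unless a separate client-library category is intended, fold it into the existing "debuginfod:" entry as "Add new function debuginfod_find_section." to keep the file's categories consistent.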
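Review bot: in the debuginfod/ChangeLog hunk, the last two entries, "(debuginfod.h.in): Add declaration for debuginfod_find_section." and "(libdebuginfod.map): Add debuginfod_find_section.", are written as if they were functions inside debuginfod.cxx; they are separate files and in this ChangeLog style belong on their own "* debuginfod.h.in: ..." and "* libdebuginfod.map: ..." lines. The cover letter also describes a new progressfn_cancel field added to debuginfod_client in debuginfod-client.c, but no entry in this hunk records that struct change.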
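Review bot: in the debuginfod/Makefile.am hunk, the link rule "$(LIBDEBUGINFOD_SONAME): $(srcdir)/libdebuginfod.map $(libdebuginfod_so_LIBS)" now references $(libelf) on its command line but $(libelf) was not added to the rule's prerequisites, so a parallel build can attempt the link before the libelf shared object is built; add $(libelf) to the prerequisite list and confirm the variable is defined for both the static and the shared configuration of this Makefile.am. Leaving libdebuginfod_so_LDLIBS empty in the DUMMY_LIBDEBUGINFOD branch is correct.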
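Review bot: in the first debuginfod-client.c hunk (@@ -44,6 +44,7 @@), the added "#include" (whose header name is lost in this rendering) sits above the "#ifdef DUMMY_LIBDEBUGINFOD" block, so the bootstrap dummy library, which the comment says "is really simple", now pulls that header in too; if it is the libelf header, move the include below the dummy branch so that the dummy build keeps the no-libelf property the Makefile.am hunk preserves by leaving its LDLIBS empty.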
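Review bot: in the second debuginfod-client.c hunk (@@ -55,6 +56,9 @@), the dummy stub "int debuginfod_find_section (debuginfod_client *c, const unsigned char *b, int s, const char *scn, char **p) { return -ENOSYS; }" is consistent with the neighbouring stubs, but its parameter list must match the declaration added to debuginfod.h.in and the real implementation byte for byte, since the dummy and real builds share the same header and the same libdebuginfod.map symbol; the remainder of the patch is cut off here, so that check cannot be completed from this excerpt.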