Re: Fuzzing elfutils
Friendly ping on this?

> On 22 Sept 2022 at 09:05, Philippe Antoine wrote:
>
> Hello fuzzers,
>
> I am Philippe Antoine, working on oss-fuzz.
>
> I implemented a new sanitizer to detect arbitrary file open.
> One of these was discovered in elfutils with target
> libFuzzer_elfutils_fuzz-dwfl-core
> Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils
>
> I would like to know what you think about this. Is this a bug to you? Or is
> it expected?
> Could this be exploited somehow by an attacker to get secrets such as
> ~/.ssh/id_rsa?
>
> Cheers,
> Philippe
Re: Fuzzing elfutils
Thanks Evgeny. Could you explain to me why you think it is a false positive?

> On 21 Oct 2022 at 21:57, Evgeny Vereshchagin wrote:
>
> Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils
>>
>> This is inaccessible without logins.
>
> To judge from
> https://github.com/google/oss-fuzz/tree/master/infra/experimental/SystemSan#arbitrary-file-open
> that new experimental fuzzer isn't documented yet but as far as I can tell it flags "tainted"
> strings passed to the open syscall. That backtrace points to
> https://sourceware.org/git/?p=elfutils.git;a=blob;f=libdwfl/dwfl_segment_report_module.c;h=28f87f10dd3962082ec4b995f43069ffc4b5e3d4;hb=HEAD#l784
> and I think it's a false positive. Looking at
> https://github.com/google/oss-fuzz/issues/8497 it seems it should be possible
> to turn it off eventually.
>
> Thanks,
> Evgeny Vereshchagin
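As an added illustration of the detection idea Evgeny describes above (a path handed to open(2) that is derived from the fuzzer input), here is a small self-contained C model. It is not code from this thread, from SystemSan or from elfutils, and it does not reproduce SystemSan's actual mechanism; the 8-byte shared-substring taint heuristic, the names `path_is_tainted`, `checked_open`, `extract_name` and `run_demo`, and the constructed core-like blob are all assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed threshold for this model: a path counts as input-derived
   ("tainted") when it shares a run of at least this many bytes with the
   fuzzer input. Real detectors track provenance more precisely. */
#define MIN_TAINT_LEN 8

/* Portable substring search on raw bytes (avoids the GNU memmem). */
static int find_bytes(const unsigned char *hay, size_t hlen,
                      const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* 1 if some MIN_TAINT_LEN-byte window of `path` also occurs in `input`. */
int path_is_tainted(const char *path, const unsigned char *input, size_t input_len)
{
    size_t plen = strlen(path);
    if (plen < MIN_TAINT_LEN) return 0;
    for (size_t i = 0; i + MIN_TAINT_LEN <= plen; i++)
        if (find_bytes(input, input_len,
                       (const unsigned char *)path + i, MIN_TAINT_LEN))
            return 1;
    return 0;
}

/* Wrapper a fuzz harness could put around open(2): report and refuse any
   path that looks input-derived, pass everything else through. */
int checked_open(const char *path, int flags,
                 const unsigned char *input, size_t input_len, int *flagged)
{
    if (path_is_tainted(path, input, input_len)) {
        if (flagged) (*flagged)++;
        fprintf(stderr, "arbitrary-file-open: path derived from input: %s\n", path);
        errno = EACCES;
        return -1;
    }
    return open(path, flags);
}

/* Constructed sample input: a core-like blob that embeds a NUL-terminated
   file name after an 8-byte header, the way a core's note might carry a
   mapped file's path. This is not a real ELF core. */
static const unsigned char sample_input[] =
    "CORE\0\0\0\0/home/user/.ssh/id_rsa\0trailing";

/* Pull the NUL-terminated string starting at `off` out of the blob;
   NULL if `off` is out of range or no terminator exists before `len`. */
const char *extract_name(const unsigned char *blob, size_t len, size_t off)
{
    if (off >= len) return NULL;
    size_t end = off;
    while (end < len && blob[end] != '\0') end++;
    if (end == len) return NULL;            /* unterminated: refuse */
    return (const char *)blob + off;
}

/* Drive the model the way a harness would: the input-derived name is
   flagged, a fixed path the tool chose itself is not. Returns the count. */
int run_demo(void)
{
    int flagged = 0;
    size_t len = sizeof sample_input - 1;   /* drop the literal's own NUL */
    const char *name = extract_name(sample_input, len, 8);
    if (name) {
        int fd = checked_open(name, O_RDONLY, sample_input, len, &flagged);
        if (fd >= 0) close(fd);
    }
    int fd2 = checked_open("/dev/null", O_RDONLY, sample_input, len, &flagged);
    if (fd2 >= 0) close(fd2);
    return flagged;
}

int main(void)
{
    printf("flagged opens: %d\n", run_demo());
    return 0;
}
```

Build with `cc -o taint_open taint_open.c` and run it; the one open whose path came out of the blob is reported, the fixed `/dev/null` open is not. The point for the discussion above is that a program whose job is to read file names out of its input (as a core-file reader does) will trip a detector of this kind by design, so such a report records what the code does, and whether that is a bug or expected behaviour is a judgement the maintainers have to make rather than something the sanitizer can decide on its own.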