Issue 56134 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section

2023-02-20 Thread evvvia monorail via Elfutils-devel


Comment #2 on issue 56134 by evv...@gmail.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134#c2

It can be confirmed with Valgrind:
```
wget -O OSS-FUZZ-56134 'https://oss-fuzz.com/download?testcase_id=6724057145147392'

LD_LIBRARY_PATH="$(pwd)/libdw:$(pwd)/libelf" DEBUGINFOD_URLS= valgrind --track-origins=yes ./src/readelf -w OSS-FUZZ-56134
==1373524== Memcheck, a memory error detector
==1373524== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==1373524== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==1373524== Command: ./src/readelf -w OSS-FUZZ-56134
==1373524==
==1373524== Conditional jump or move depends on uninitialised value(s)
==1373524==    at 0x4887EAB: check_section (dwarf_begin_elf.c:265)
==1373524==    by 0x48885EF: global_read (dwarf_begin_elf.c:444)
==1373524==    by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
==1373524==    by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
==1373524==    by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
==1373524==    by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
==1373524==    by 0x411109: print_debug (readelf.c:11467)
==1373524==    by 0x413A31: process_elf_file (readelf.c:1062)
==1373524==    by 0x4148BC: process_dwflmod (readelf.c:818)
==1373524==    by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
==1373524==    by 0x40954A: process_file (readelf.c:926)
==1373524==    by 0x404D0E: main (readelf.c:395)
==1373524==  Uninitialised value was created by a heap allocation
==1373524==    at 0x484586F: malloc (vg_replace_malloc.c:381)
==1373524==    by 0x48FEA25: convert_data (elf_getdata.c:166)
==1373524==    by 0x48FEA25: __libelf_set_data_list_rdlock (elf_getdata.c:455)
==1373524==    by 0x48FEC17: __elf_getdata_rdlock (elf_getdata.c:562)
==1373524==    by 0x4887E6F: check_section (dwarf_begin_elf.c:246)
==1373524==    by 0x48885EF: global_read (dwarf_begin_elf.c:444)
==1373524==    by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
==1373524==    by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
==1373524==    by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
==1373524==    by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
==1373524==    by 0x411109: print_debug (readelf.c:11467)
==1373524==    by 0x413A31: process_elf_file (readelf.c:1062)
==1373524==    by 0x4148BC: process_dwflmod (readelf.c:818)
==1373524==    by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
==1373524==    by 0x40954A: process_file (readelf.c:926)
==1373524==
./src/readelf: cannot get debug context descriptor: No DWARF information found
```

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.


Issue 56134 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section

2023-02-20 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 56134 by evv...@gmail.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134#c1

Below is the full backtrace:
```
==2272==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5fb3c7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:265:7
#1 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
#2 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
#3 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
#4 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
#5 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
#6 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
#7 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#8 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#10 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#12 0x41f61d in _start
  Uninitialized value was created by a heap allocation
#0 0x4e2310 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:895:3
#1 0x6b9935 in convert_data /src/elfutils/libelf/elf_getdata.c:166:24
#2 0x6b9935 in __libelf_set_data_list_rdlock /src/elfutils/libelf/elf_getdata.c:455:7
#3 0x6ba571 in __elf_getdata_rdlock /src/elfutils/libelf/elf_getdata.c:562:5
#4 0x6ba6cd in elf_getdata /src/elfutils/libelf/elf_getdata.c:580:12
#5 0x5faec7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:246:20
#6 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
#7 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
#8 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
#9 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
#10 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
#11 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
#12 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#13 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#14 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#15 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-libdwfl+0x5fb3c7)
```

Looks like it was introduced in 
https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=fda09f5f188fb173b2123815be71ca4647a8adfb



Issue 56179 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section

2023-02-20 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 56179 by evv...@gmail.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in check_section
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56179#c1

It's a duplicate of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134 
as far as I can tell. I'm not sure why it was reported once again.
I opened https://github.com/google/oss-fuzz/issues/9769.



Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib

2023-07-29 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1

The full backtrace is:
```
==178009==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
#2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
#3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
#4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
#5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
#6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
#7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
```

I haven't figured out how to trigger that memory leak without the fuzz target,
but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test
in the sense that it calls elf_nextscn/elf_strptr/elf_compress.

The code triggering the memory leak is
https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20



Issue 62071 in oss-fuzz: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare

2023-09-07 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 62071 by evv...@gmail.com: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62071#c1

```
SCARINESS: 10 (null-deref)
#0 0x82d35d1 in chunk_compare /src/elfutils/libelf/elf_getdata_rawchunk.c:49:25
#1 0xf7caab3a in __tsearch
#2 0x8156826 in __interceptor_tsearch /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:6057:15
#3 0x82d2a8a in elf_getdata_rawchunk /src/elfutils/libelf/elf_getdata_rawchunk.c:98:28
#4 0x81f4139 in find_elf_build_id /src/elfutils/libdwelf/dwelf_elf_gnu_build_id.c:88:28
#5 0x81f3a28 in __libdwfl_find_elf_build_id /src/elfutils/libdwelf/dwelf_elf_gnu_build_id.c:142:10
#6 0x82795e8 in __libdwfl_find_build_id /src/elfutils/libdwfl/dwfl_module_build_id.c:70:16
#7 0x82795e8 in dwfl_module_build_id /src/elfutils/libdwfl/dwfl_module_build_id.c:91:20
#8 0x81d7ec7 in dwfl_standard_find_debuginfo /src/elfutils/libdwfl/find-debuginfo.c:365:19
#9 0x81d3340 in find_debuginfo /src/elfutils/libdwfl/dwfl_module_getdwarf.c:538:19
#10 0x81cff0f in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1412:16
#11 0x81cff0f in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
#12 0x81cad03 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
#13 0x808ba2e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#14 0x808b168 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#15 0x808cfdd in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7
#16 0x808d1de in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3
#17 0x807c3fc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#18 0x80a6177 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0xf7bc5ed4 in __libc_start_main
#20 0x806dad5 in _start
```
The fuzz target can be found at 
https://github.com/google/oss-fuzz/blob/master/projects/elfutils/fuzz-libdwfl.c

OSS-Fuzz says the fuzz target crashed on i386 sporadically and it isn't 
reliably reproducible anymore so it could be a glitch of some sort.



Issue 62071 in oss-fuzz: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare

2023-09-07 Thread evvvia monorail via Elfutils-devel


Comment #2 on issue 62071 by evv...@gmail.com: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62071#c2

For some reason the testcase isn't public. I'll report it to OSS-Fuzz.

I uploaded the test case to GitHub so now it should be
possible to download it from 
https://github.com/evverx/elfutils/files/12549426/clusterfuzz-testcase-fuzz-libdwfl-5999675550072832.gz



Issue 43356 in oss-fuzz: elfutils:fuzz-dwfl-core: Misaligned-address in Elf32_cvt_Dyn

2022-01-05 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 43356 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Misaligned-address in Elf32_cvt_Dyn
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43356#c1

It can be reproduced by downloading the reproducer testcase and passing it to 
eu-stack:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
make -j$(nproc) V=1
wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=6013023414779904'
UBSAN_OPTIONS=print_stacktrace=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core CRASH
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f98edb0206a for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f98edb0206a: note: pointer points here
 20 20  20 00 00 00 8a 20 20 20  20 00 00 00 10 20 20 20  20 ff 20 20 20 ff ff ff  ff 00 00 00 00 00
  ^
#0 0x7f98f23ef91f in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
#1 0x7f98f23ed9f9 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
#2 0x7f98f20eac75 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
#3 0x7f98f20f4ffd in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
#4 0x403b34 in parse_opt /home/vagrant/elfutils/src/stack.c:595
#5 0x7f98f1199471 in argp_parse (/lib64/libc.so.6+0x11e471)
#6 0x402a7d in main /home/vagrant/elfutils/src/stack.c:695
#7 0x7f98f10a855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
#8 0x7f98f10a860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
#9 0x402f44 in _start (/home/vagrant/elfutils/src/stack+0x402f44)
```

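The UBSan report above is a plain-struct cast applied to an Elf32_Dyn that sits at an address which is 2 mod 4. The following is an added example, not elfutils code: it decodes ELF32 dynamic entries from an arbitrary buffer offset with byte-wise loads (no alignment or host-endianness assumption) and bounds-checks each entry before touching it. `struct dyn32` is a hypothetical mirror of the Elf32_Dyn layout and the sample bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mirror of the ELF32 dynamic entry layout
   (Elf32_Sword d_tag; Elf32_Word d_val): 8 bytes, 4-byte alignment. */
struct dyn32 {
  int32_t  d_tag;
  uint32_t d_val;
};

#define DYN32_SIZE 8u   /* on-disk size of one entry */

/* True when p satisfies an `align`-byte alignment requirement. Casting a
   buffer pointer straight to `struct dyn32 *` is only defined when this
   holds; the report above is exactly that cast on a pointer that is 2 mod 4. */
bool ptr_is_aligned(const void *p, size_t align) {
  return ((uintptr_t)p % align) == 0;
}

/* Byte-wise 32-bit load: no alignment requirement, explicit byte order. */
static uint32_t load_u32(const uint8_t *p, bool big_endian) {
  if (big_endian)
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
  return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16)
       | ((uint32_t)p[1] << 8)  | (uint32_t)p[0];
}

/* Decode the entry at buf+off into *out, whatever the alignment of buf+off.
   Returns 0 on success, -1 when the entry would run past len. The check is
   written as a subtraction so that a huge off cannot wrap around. */
int read_dyn32(const uint8_t *buf, size_t len, size_t off,
               bool big_endian, struct dyn32 *out) {
  if (off > len || len - off < DYN32_SIZE)
    return -1;
  out->d_tag = (int32_t)load_u32(buf + off, big_endian);
  out->d_val = load_u32(buf + off + 4, big_endian);
  return 0;
}

/* Walk entries from off until the DT_NULL terminator (d_tag == 0).
   Returns the number of entries including DT_NULL, or -1 when the table
   is truncated, i.e. the terminator is not inside the buffer. */
int count_dyn32(const uint8_t *buf, size_t len, size_t off, bool big_endian) {
  int n = 0;
  struct dyn32 d;
  for (;;) {
    if (read_dyn32(buf, len, off, big_endian, &d) != 0)
      return -1;
    n++;
    if (d.d_tag == 0)
      return n;
    off += DYN32_SIZE;
  }
}

/* Constructed sample (big-endian): a 2-byte prefix puts the table at offset
   2, so sample_dyn + 2 is 2 mod 4, the same misalignment as in the report. */
_Alignas(4) const uint8_t sample_dyn[] = {
  0xAA, 0xBB,
  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x10,   /* DT_NEEDED, 0x10       */
  0x00, 0x00, 0x00, 0x05,  0x08, 0x04, 0x90, 0x00,   /* DT_STRTAB, 0x08049000 */
  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,   /* DT_NULL               */
};
const size_t sample_dyn_len = sizeof sample_dyn;

int main(void) {
  const uint8_t *table = sample_dyn + 2;
  printf("table aligned for struct dyn32: %s\n",
         ptr_is_aligned(table, 4) ? "yes" : "no (a direct cast would be UB)");
  struct dyn32 d;
  for (size_t off = 2;
       read_dyn32(sample_dyn, sample_dyn_len, off, true, &d) == 0;
       off += DYN32_SIZE) {
    printf("tag=%ld val=0x%08lx\n", (long)d.d_tag, (unsigned long)d.d_val);
    if (d.d_tag == 0)
      break;
  }
  printf("entries: %d\n", count_dyn32(sample_dyn, sample_dyn_len, 2, true));
  return 0;
}
```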


Issue 43307 in oss-fuzz: elfutils:fuzz-dwfl-core: Crash in read_addrs

2022-01-05 Thread evvvia monorail via Elfutils-devel


Comment #2 on issue 43307 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Crash in read_addrs
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307#c2

It can be reproduced by downloading the reproducer testcase and passing it to 
eu-stack:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
make -j$(nproc) V=1
wget -O oss-fuzz-43307 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./oss-fuzz-43307
AddressSanitizer:DEADLYSIGNAL
=
==159086==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1c426f6fe0 (pc 0x7f1c47758399 bp 0x60b01170 sp 0x7ffdf9aca7a0 T0)
==159086==The signal is caused by a READ memory access.
#0 0x7f1c47758399 in read_8ubyte_unaligned_noncvt ../libdw/memory-access.h:301
#1 0x7f1c47758399 in read_addrs /home/vagrant/elfutils/libdwfl/link_map.c:288
#2 0x7f1c47758399 in report_r_debug /home/vagrant/elfutils/libdwfl/link_map.c:341
#3 0x7f1c47758399 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1117
#4 0x7f1c4775df31 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
#5 0x403b34 in parse_opt /home/vagrant/elfutils/src/stack.c:595
#6 0x7f1c46802471 in argp_parse (/lib64/libc.so.6+0x11e471)
#7 0x402a7d in main /home/vagrant/elfutils/src/stack.c:695
#8 0x7f1c4671155f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
#9 0x7f1c4671160b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
#10 0x402f44 in _start (/home/vagrant/elfutils/src/stack+0x402f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../libdw/memory-access.h:301 in read_8ubyte_unaligned_noncvt
==159086==ABORTING
```



Issue 43449 in oss-fuzz: elfutils:fuzz-dwfl-core: Timeout in fuzz-dwfl-core

2022-01-09 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 43449 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Timeout in fuzz-dwfl-core
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43449#c1

As far as I can see it takes the fuzzer about 15 seconds to process this file 
without ASan so it doesn't seem to be an elfutils issue.



Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note

2022-01-10 Thread evvvia monorail via Elfutils-devel


Comment #2 on issue 43505 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c2

I haven't figured out how to reproduce it without clang and MSan yet, but here's
the backtrace just in case:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-19aedce7c369058955d501c7c86af2e6fcb1749c
==7548==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x63a0d7 in handle_file_note /src/elfutils/libdwfl/dwfl_segment_report_module.c:178:7
#1 0x633493 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:776:32
#2 0x537d5d in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:563:17
#3 0x528af5 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
#4 0x455213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
#5 0x440e52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#6 0x4466ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
#7 0x46f4b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7f69d6c700b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#9 0x41f60d in _start
  Uninitialized value was created by an allocation of 'u.i' in the stack frame of function 'handle_file_note'
#0 0x638830 in handle_file_note /src/elfutils/libdwfl/dwfl_segment_report_module.c:152
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-dwfl-core+0x63a0d7)
Unique heap origins: 33
Stack depot allocated bytes: 1638400
Unique origin histories: 7
History depot allocated bytes: 196608
```



Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note

2022-01-12 Thread evvvia monorail via Elfutils-devel


Comment #3 on issue 43505 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c3

Looking at another issue that hasn't been reported by OSS-Fuzz yet:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-57876e6ee0a1504e6fa0b22336043846f283f4a2
==742==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x6374a5 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:401:11
#1 0x537d0d in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:563:17
#2 0x528aa5 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
#3 0x455243 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
#4 0x440e92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#5 0x4466dc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
#6 0x46f4a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#7 0x7f5d0ddbc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#8 0x41f60d in _start
  Uninitialized value was created by an allocation of 'ehdr' in the stack frame of function 'dwfl_segment_report_module'
#0 0x62d610 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:301
```

It seems MSan doesn't like unions that aren't initialized explicitly.



Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol

2022-03-18 Thread evvvia monorail via Elfutils-devel


Comment #3 on issue 45628 by evv...@gmail.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c3

> See https://google.github.io/oss-fuzz/advanced-topics/reproducing for 
> instructions to reproduce this bug locally.

FWIW this bug isn't reproducible with libFuzzer and ASan and 
https://google.github.io/oss-fuzz/advanced-topics/reproducing/#reproducing-bugs 
seems to be out of date in the sense that it still says that only libFuzzer can 
be used there. Hopefully I'll fix the documentation once I've gotten round to 
it.



Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol

2022-03-19 Thread evvvia monorail via Elfutils-devel


Comment #4 on issue 45628 by evv...@gmail.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c4

> Hopefully I'll fix the documentation once I've gotten round to it.

I opened https://github.com/google/oss-fuzz/pull/7403 where I updated the
documentation. It isn't perfect in the sense that it should probably mention
how to figure out which fuzzing engines can be used to trigger issues reported
by OSS-Fuzz and how to pass them, but it's good enough I think.



Issue 45636 in oss-fuzz: elfutils:fuzz-libdwfl: Crash in read_long_names

2022-03-20 Thread evvvia monorail via Elfutils-devel


Comment #3 on issue 45636 by evv...@gmail.com: elfutils:fuzz-libdwfl: Crash in read_long_names
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45636#c3

It seems to be a duplicate of 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628. Any idea why 
OSS-Fuzz keeps reporting it?

It can't be reproduced with libfuzzer either: 
https://github.com/google/oss-fuzz/pull/7403



Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

2022-03-20 Thread evvvia monorail via Elfutils-devel


Comment #4 on issue 45630 by evv...@gmail.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c4

Issues like that are bogus and https://github.com/google/oss-fuzz/pull/7401
should fix them. Since it's a "security" issue, it would be great if OSS-Fuzz
could mark them "Invalid" so that bash scripts generating CVEs based on
OSS-Fuzz reports could ignore them (I hope they ignore "Invalid" issues; I'm
not exactly sure how they work).



Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

2022-03-20 Thread evvvia monorail via Elfutils-devel


Comment #3 on issue 45705 by evv...@gmail.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c3

Reproducer testcases are publicly available and can be downloaded using links 
in bug reports. Since every comment is forwarded to the mailing list I wonder 
if it would be possible to either attach testcases along with backtraces or not 
attach them at all (since they are already publicly available)?



Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

2022-03-21 Thread evvvia monorail via Elfutils-devel


Comment #5 on issue 45705 by evv...@gmail.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c5

> I did this because I asked in an internal email with Mark if it would be
> appreciated (the answer was yes).

Sorry. I didn't know that. If it was decided testcases should be attached as
well I think it should be OK. It's just that I receive a lot of emails from
Monorail and it's hard to keep track of them. I'll just set up a filter to only
show the "new owner" and "verified" messages here going forward or something
like that. Thanks!



Issue 45706 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in process_file

2022-03-22 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 45706 by evv...@gmail.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in process_file
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45706#c1

It's a false positive. https://github.com/google/oss-fuzz/pull/7422 should fix 
it.



Issue 46094 in oss-fuzz: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in elf_compress_gnu

2022-03-28 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 46094 by evv...@gmail.com: elfutils:fuzz-libdwfl: Use-of-uninitialized-value in elf_compress_gnu
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46094#c1

It was reported in https://sourceware.org/bugzilla/show_bug.cgi?id=29000



Issue 46095 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in elf_compress_gnu

2022-03-28 Thread evvvia monorail via Elfutils-devel


Comment #1 on issue 46095 by evv...@gmail.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in elf_compress_gnu
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46095#c1

It was reported in https://sourceware.org/bugzilla/show_bug.cgi?id=29000 as 
well. To avoid duplicates like this the fuzz target should probably be trimmed 
a bit: https://github.com/google/oss-fuzz/pull/7395#issuecomment-1079246630
