public inbox for elfutils@sourceware.org
* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: ClusterFuzz-External via monorail @ 2022-01-10 16:24 UTC (permalink / raw)
  To: elfutils-devel

Status: New
Owner: ----
CC: elfut...@sourceware.org, evv...@gmail.com, izzeem@google.com 
Labels: ClusterFuzz Reproducible Stability-Memory-MemorySanitizer Engine-libfuzzer OS-Linux Security_Severity-Medium Proj-elfutils Reported-2022-01-10
Type: Bug-Security

New issue 43505 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505

Detailed Report: https://oss-fuzz.com/testcase?key=5344860645752832

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-dwfl-core
Job Type: libfuzzer_msan_elfutils
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  handle_file_note
  dwfl_segment_report_module
  dwfl_core_file_report
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_msan_elfutils&range=202111300602:202112010612

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5344860645752832

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.


* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: ClusterFuzz-External via monorail @ 2022-01-10 17:33 UTC (permalink / raw)
  To: elfutils-devel

Updates:
	Labels: Fuzz-Blocker

Comment #1 on issue 43505 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c1

This crash occurs very frequently on linux platform and is likely preventing the fuzzer fuzz-dwfl-core from making much progress. Fixing this will allow more bugs to be found.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new


* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: evv… via monorail @ 2022-01-10 18:47 UTC (permalink / raw)
  To: elfutils-devel


Comment #2 on issue 43505 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c2

I haven't figured out how to reproduce it without clang and MSan yet, but here's the backtrace just in case:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-19aedce7c369058955d501c7c86af2e6fcb1749c
==7548==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x63a0d7 in handle_file_note /src/elfutils/libdwfl/dwfl_segment_report_module.c:178:7
    #1 0x633493 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:776:32
    #2 0x537d5d in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:563:17
    #3 0x528af5 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
    #4 0x455213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
    #5 0x440e52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #6 0x4466ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
    #7 0x46f4b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7f69d6c700b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #9 0x41f60d in _start
  Uninitialized value was created by an allocation of 'u.i' in the stack frame of function 'handle_file_note'
    #0 0x638830 in handle_file_note /src/elfutils/libdwfl/dwfl_segment_report_module.c:152
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-dwfl-core+0x63a0d7)
Unique heap origins: 33
Stack depot allocated bytes: 1638400
Unique origin histories: 7
History depot allocated bytes: 196608
```


* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: evv… via monorail @ 2022-01-12 22:37 UTC (permalink / raw)
  To: elfutils-devel


Comment #3 on issue 43505 by evv...@gmail.com: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c3

Looking at another issue that hasn't been reported by OSS-Fuzz yet:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-57876e6ee0a1504e6fa0b22336043846f283f4a2
==742==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x6374a5 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:401:11
    #1 0x537d0d in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:563:17
    #2 0x528aa5 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
    #3 0x455243 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
    #4 0x440e92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #5 0x4466dc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
    #6 0x46f4a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x7f5d0ddbc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #8 0x41f60d in _start
  Uninitialized value was created by an allocation of 'ehdr' in the stack frame of function 'dwfl_segment_report_module'
    #0 0x62d610 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:301
```

It seems MSan doesn't like unions that aren't initialized explicitly.

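The failure mode evv describes above (a union allocated on the stack, never initialized, then read while parsing a note) shown as an added example; this is constructed illustration code, not elfutils code, and `note_entry`, `read_entry` and the sample note bytes are assumptions made here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not elfutils code: a note-entry reader in the style
   of an NT_FILE parser.  Each entry is read through a union so the same code
   serves ELFCLASS32 (three 32-bit words) and ELFCLASS64 (three 64-bit words).
   The failure mode the thread describes: the union is declared on the stack
   but never initialized, the copy from a truncated note fills only part of
   it, and a later read of the wider member touches bytes memcpy never wrote.
   MSan reports that read and traces its origin to the union's stack
   allocation, exactly as the backtrace above does for 'u.i'. */
enum { CLASS32 = 1, CLASS64 = 2 };
typedef union { uint32_t a32[3]; uint64_t a64[3]; } note_entry;

/* Hardened reader: refuse an entry that does not fit entirely in the note,
   and zero the union so every byte a member read touches is defined.
   Returns 0 and fills out[], or -1 for a bad class or a short note. */
static int read_entry(const unsigned char *note, size_t len, int elfclass,
                      size_t idx, uint64_t out[3])
{
  note_entry u;
  if (elfclass != CLASS32 && elfclass != CLASS64)
    return -1;
  size_t esz = elfclass == CLASS64 ? sizeof u.a64 : sizeof u.a32;
  if (idx >= len / esz)        /* guarantees (idx + 1) * esz <= len */
    return -1;
  memset(&u, 0, sizeof u);     /* explicit init: no stack garbage in u */
  memcpy(&u, note + idx * esz, esz);
  for (int i = 0; i < 3; i++)
    out[i] = elfclass == CLASS64 ? u.a64[i] : u.a32[i];
  return 0;
}

/* Constructed sample note: one complete 64-bit entry (24 bytes) followed by
   8 stray bytes, i.e. a second entry that was truncated. */
static const uint64_t sample_note[4] = { 0x1000, 0x2000, 0x0, 0x3000 };
static const size_t sample_len = sizeof sample_note;

int main(void)
{
  uint64_t out[3];
  int ok = read_entry((const unsigned char *) sample_note, sample_len,
                      CLASS64, 0, out);
  int bad = read_entry((const unsigned char *) sample_note, sample_len,
                       CLASS64, 1, out);
  printf("entry 0: rc=%d start=%#llx\n", ok, (unsigned long long) out[0]);
  printf("entry 1 (truncated): rc=%d\n", bad);
  return 0;
}
```

Built with `-fsanitize=memory`, a reader without the length check and the memset is the shape of code that produces the report in this thread; with both in place the truncated second entry is rejected before any union member is read.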

* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: ClusterFuzz-External via monorail @ 2022-03-17  0:38 UTC (permalink / raw)
  To: elfutils-devel

Updates:
	Cc: da...@adalogics.com

Comment #4 on issue 43505 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c4

(No comment was entered for this change.)


* Re: Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: Mark Wielaard @ 2022-03-17  0:49 UTC (permalink / raw)
  To: oss-fuzz; +Cc: elfutils-devel, ClusterFuzz-External via monorail

Hi,

Does anybody know why/where these messages suddenly come from?
There have now been multiple today and yesterday.
Unfortunately the reply-to address seems to just bounce any of my replies.

On Wed, Mar 16, 2022 at 05:38:15PM -0700, ClusterFuzz-External via monorail via Elfutils-devel wrote:
> Comment #4 on issue 43505 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c4

As one of the comments in this bug report says "it seems MSan doesn't
like unions that aren't initialized explicitly".

But the backtrace given in the report doesn't seem to match the
current elfutils code. So maybe this is against some old elfutils
version?

Cheers,

Mark



* Issue 43505 in oss-fuzz: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
From: ClusterFuzz-External via monorail @ 2022-03-23 15:32 UTC (permalink / raw)
  To: elfutils-devel

Updates:
	Labels: ClusterFuzz-Verified
	Status: Verified

Comment #5 on issue 43505 by ClusterFuzz-External: elfutils:fuzz-dwfl-core: Use-of-uninitialized-value in handle_file_note
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43505#c5

ClusterFuzz testcase 5344860645752832 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_msan_elfutils&range=202203230000:202203230602

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

