Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[ClusterFuzz-External via monorail]

Status: New
Owner: ----
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com 
Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Stability-Memory-LeakSanitizer Engine-libfuzzer OS-Linux Proj-elfutils Reported-2022-03-18
Type: Bug

New issue 45705 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705

Detailed Report: https://oss-fuzz.com/testcase?key=5085329692950528

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-libdwfl
Job Type: libfuzzer_asan_i386_elfutils
Platform Id: linux

Crash Type: Indirect-leak
Crash Address: 
Crash State:
  __libelf_next_arhdr_wrlock
  lock_dup_elf
  elf_begin
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_i386_elfutils&range=202203161800:202203170000

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5085329692950528

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[da… via monorail]

Comment #1 on issue 45705 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c1

ASAN report
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/leak-919ecedf38381f07ca17919209098f636c73aae7
=================================================================
==426037==ERROR: LeakSanitizer: detected memory leaks
Indirect leak of 7175 byte(s) in 1 object(s) allocated from:
    #0 0x8179625 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x82aa297 in read_long_names /src/elfutils/libelf/elf_begin.c:784:10
    #2 0x82aa297 in __libelf_next_arhdr_wrlock /src/elfutils/libelf/elf_begin.c:912:8
    #3 0x82ab8aa in dup_elf /src/elfutils/libelf/elf_begin.c:1061:10
    #4 0x82ab8aa in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #5 0x82ab3a9 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x81ba74d in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #7 0x81ba74d in process_file /src/elfutils/libdwfl/offline.c:125:14
    #8 0x81bb32b in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #9 0x81bb32b in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c2cee4 in __libc_start_main
Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x81797d1 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x82a594b in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x82a594b in file_read_ar /src/elfutils/libelf/elf_begin.c:59:9
    #3 0x82a594b in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:570:14
    #4 0x82abd22 in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #5 0x82ab2ed in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #6 0x81c7d03 in libdw_open_elf /src/elfutils/libdwfl/open.c:131:14
    #7 0x81c7c33 in __libdw_open_file /src/elfutils/libdwfl/open.c:197:10
    #8 0x81bb2b8 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:281:22
    #9 0x81bb2b8 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #10 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #11 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c2cee4 in __libc_start_main
Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x81797d1 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x82a5abb in allocate_elf /src/elfutils/libelf/common.h:74:17
    #2 0x82a5abb in __libelf_read_mmaped_file /src/elfutils/libelf/elf_begin.c:578:10
    #3 0x82abd22 in read_file /src/elfutils/libelf/elf_begin.c:701:28
    #4 0x82ab83b in dup_elf /src/elfutils/libelf/elf_begin.c:1067:12
    #5 0x82ab83b in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #6 0x82ab3a9 in elf_begin /src/elfutils/libelf/elf_begin.c:0
    #7 0x81ba74d in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #8 0x81ba74d in process_file /src/elfutils/libdwfl/offline.c:125:14
    #9 0x81bb32b in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #10 0x81bb32b in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #11 0x81b79ff in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #12 0x80a359d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #13 0x808ec3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x809472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #15 0x80bd397 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0xf7c2cee4 in __libc_start_main
SUMMARY: AddressSanitizer: 7591 byte(s) leaked in 3 allocation(s).
INFO: a leak has been found in the initial corpus.
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[da… via monorail]

Comment #2 on issue 45705 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c2

(No comment was entered for this change.)

Attachments:
	clusterfuzz-testcase-minimized-fuzz-libdwfl-5085329692950528  11.1 KB

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[evv… via monorail]

Comment #3 on issue 45705 by evv...@gmail.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c3

Reproducer testcases are publicly available and can be downloaded using links in bug reports. Since every comment is forwarded to the mailing list I wonder if it would be possible to either attach testcases along with backtraces or not attach them at all (since they are already publicly available)?

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[da… via monorail]

Comment #4 on issue 45705 by da...@adalogics.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c4

Yes -- I did this because I asked in an internal email with Mark if it would be appreciated (the answer was yet). But will stop this as you're taking care of it by way of the mailing list.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[evv… via monorail]

Comment #5 on issue 45705 by evv...@gmail.com: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c5

>  I did this because I asked in an internal email with Mark if it would be appreciated (the answer was yet).

Sorry. I didn't know that. If it was decided testcases should be attached as well I think it should be OK.
It's just that I receive a lot of emails from Monorail and it's hard to keep track of them. I'll just set up a filter to only show
the "new owner" and "verified" messages here going forward or something like that. Thanks!

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45705 in oss-fuzz: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock

[ClusterFuzz-External via monorail]

Updates:
	Labels: ClusterFuzz-Verified
	Status: Verified

Comment #6 on issue 45705 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Indirect-leak in __libelf_next_arhdr_wrlock
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45705#c6

ClusterFuzz testcase 5085329692950528 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_asan_i386_elfutils&range=202203210605:202203211200

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.