Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[ClusterFuzz-External via monorail]

Status: New
Owner: ----
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com 
Labels: ClusterFuzz Reproducible Stability-Memory-MemorySanitizer Engine-libfuzzer OS-Linux Security_Severity-Medium Proj-elfutils Reported-2022-03-17
Type: Bug-Security

New issue 45630 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630

Detailed Report: https://oss-fuzz.com/testcase?key=5658767587409920

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-libelf
Job Type: libfuzzer_msan_elfutils
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  validate_str
  elf_strptr
  fuzz_logic_one
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_msan_elfutils&range=202203161800:202203170000

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5658767587409920

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[ClusterFuzz-External via monorail]

Updates:
	Labels: Fuzz-Blocker

Comment #1 on issue 45630 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c1

This crash occurs very frequently on linux platform and is likely preventing the fuzzer fuzz-libelf from making much progress. Fixing this will allow more bugs to be found.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[da… via monorail]

Comment #2 on issue 45630 by da...@adalogics.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c2

MSAN report:
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-ecd598ded30b07196a2ab343f59f7a25442f0560
==744==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x538d7b in validate_str /src/elfutils/libelf/elf_strptr.c:61:4
    #1 0x5383fe in elf_strptr /src/elfutils/libelf/elf_strptr.c:188:11
    #2 0x527361 in fuzz_logic_one /src/fuzz-libelf.c:37:26
    #3 0x527cec in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:82:3
    #4 0x4551d2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #5 0x440d82 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #6 0x4465ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #7 0x46ef82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fd73ce3f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #9 0x41f4cd in _start
  Uninitialized value was created by a heap allocation
    #0 0x4d49ad in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:911:3
    #1 0x53feb1 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:227:19
    #2 0x5408d7 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:300:19
    #3 0x538903 in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
    #4 0x537c19 in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
    #5 0x527361 in fuzz_logic_one /src/fuzz-libelf.c:37:26
    #6 0x527cec in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:82:3
    #7 0x4551d2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #8 0x440d82 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #9 0x4465ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #10 0x46ef82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7fd73ce3f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[da… via monorail]

Comment #3 on issue 45630 by da...@adalogics.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c3

(No comment was entered for this change.)

Attachments:
	clusterfuzz-testcase-minimized-fuzz-libelf-5658767587409920  320 bytes

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[evv… via monorail]

Comment #4 on issue 45630 by evv...@gmail.com: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c4

Issues like that are bogus and https://github.com/google/oss-fuzz/pull/7401 should fix them. Since it's a "security" issue
it would great if OSS-Fuzz could mark them "Invalid" so that bash scripts generating CVEs based on OSS-Fuzz reports
could ignore them (I hope they ignore "Invalid" issues. I'm not exactly sure how they work)

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[ClusterFuzz-External via monorail]

Updates:
	Labels: -Reproducible Unreproducible

Comment #5 on issue 45630 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c5

ClusterFuzz testcase 5658767587409920 appears to be flaky, updating reproducibility label.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[ClusterFuzz-External via monorail]

Updates:
	Status: WontFix

Comment #6 on issue 45630 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c6

ClusterFuzz testcase 5658767587409920 is flaky and no longer crashes, so closing issue.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.

Issue 45630 in oss-fuzz: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str

[ClusterFuzz-External via monorail]

Comment #7 on issue 45630 by ClusterFuzz-External: elfutils:fuzz-libelf: Use-of-uninitialized-value in validate_str
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45630#c7

ClusterFuzz testcase 5658767587409920 is closed as invalid, so closing issue.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.