* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
  2023-07-27 20:44 ` ClusterFuzz-External via monorail
  2023-07-29 14:38 ` Mark Wielaard
  2023-07-29 22:00 ` evv… via monorail
  2023-07-30 12:03 ` Mark Wielaard
  2023-08-03 18:08 ` ClusterFuzz-External via monorail

From: ClusterFuzz-External via monorail @ 2023-07-27 20:44 UTC
To: elfutils-devel

Status: New
Owner: ----
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com
Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Stability-Memory-LeakSanitizer Engine-libfuzzer OS-Linux Proj-elfutils Reported-2023-07-27
Type: Bug

New issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887

Detailed Report: https://oss-fuzz.com/testcase?key=4651173658099712

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-libelf
Job Type: libfuzzer_asan_elfutils
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  __libelf_decompress_zlib
  __libelf_decompress_elf
  get_zdata

Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:202203170000

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4651173658099712

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.

When you fix this bug, please
* mention the fix revision(s).
* state whether the bug was a short-lived regression or an old bug in any stable releases.
* add any other useful information.
This information can help downstream consumers.
If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

--
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.
* Re: Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib

From: Mark Wielaard @ 2023-07-29 14:38 UTC
To: Evgeny Vereshchagin; +Cc: elfutils-devel, ClusterFuzz-External via monorail

Hi Evgeny,

Do you happen to know what clusterfuzz is trying to tell us?
The stack trace is not detailed enough to understand what is going on.
The reproducer is a corrupt ELF file with no indication of what code is
being run on it. And the detailed report is not accessible (it seems to
require a google or github account to login).

Thanks,

Mark

On Thu, Jul 27, 2023 at 01:44:24PM -0700, ClusterFuzz-External via monorail via Elfutils-devel wrote:
> Status: New
> Owner: ----
> CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com
> Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Stability-Memory-LeakSanitizer Engine-libfuzzer OS-Linux Proj-elfutils Reported-2023-07-27
> Type: Bug
>
> New issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887
>
> Detailed Report: https://oss-fuzz.com/testcase?key=4651173658099712
>
> Project: elfutils
> Fuzzing Engine: libFuzzer
> Fuzz Target: fuzz-libelf
> Job Type: libfuzzer_asan_elfutils
> Platform Id: linux
>
> Crash Type: Direct-leak
> Crash Address:
> Crash State:
>   __libelf_decompress_zlib
>   __libelf_decompress_elf
>   get_zdata
>
> Sanitizer: address (ASAN)
>
> Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:202203170000
>
> Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4651173658099712
>
> Issue filed automatically.
>
> See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
> When you fix this bug, please
> * mention the fix revision(s).
> * state whether the bug was a short-lived regression or an old bug in any stable releases.
> * add any other useful information.
> This information can help downstream consumers.
>
> If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.
>
> --
> You received this message because:
>   1. You were specifically CC'd on the issue
>
> You may adjust your notification preferences at:
> https://bugs.chromium.org/hosting/settings
>
> Reply to this email to add a comment.
* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib

From: evv… via monorail @ 2023-07-29 22:00 UTC
To: elfutils-devel

Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1

The full backtrace is
```
==178009==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
    #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
    #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
    #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
    #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
    #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
    #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
```

I haven't figured out how to trigger that memory leak without the fuzz target
but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
the sense that it calls elf_nextscn/elf_strptr/elf_compress.

The code triggering the memory leak is
https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20
* Re: Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib

From: Mark Wielaard @ 2023-07-30 12:03 UTC
To: elfutils-devel; +Cc: evv… via monorail

Hi,

On Sat, Jul 29, 2023 at 03:00:49PM -0700, evv… via monorail via Elfutils-devel wrote:
>
> Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1
>
> The full backtrace is
> ```
> ==178009==ERROR: LeakSanitizer: detected memory leaks
>
> Direct leak of 1 byte(s) in 1 object(s) allocated from:
>     #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
>     #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
>     #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
>     #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
>     #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
>     #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
>     #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
>     #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
> ```
>
> I haven't figured out how to trigger that memory leak without the fuzz target
> but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
> the sense that it calls elf_nextscn/elf_strptr/elf_compress.
>
> The code triggering the memory leak is
> https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20

Thanks, I can replicate it with that and valgrind.

The issue is when elf_strptr has (partially) uncompressed the section
data (to read the uncompressed string), the program never requests the
(uncompressed) section data, but does (re)compress it.

Working on a fix.

Cheers,

Mark
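Mark's diagnosis above describes an ownership gap: elf_strptr lazily decompresses a compressed section into a private buffer so that it can read one string, and a later elf_compress on the same section replaces the section's storage without that buffer ever being released, because the program never asked for the section data and so never took ownership of the decompressed copy. The C program below is an added example that models that pattern; it is not elfutils code and uses neither libelf nor zlib. The `struct section`, the XOR stand-in codec and the allocation counter are assumptions made for illustration only. `run_sequence(0)` performs the leaky ordering (string lookup on a compressed section, then recompression) and returns how many buffers are still outstanding after teardown; `run_sequence(1)` does the same but releases the cached view whenever the section's storage is replaced.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Outstanding allocations made through the model's allocator. This only
 * makes the leak observable without a sanitizer; a real build would rely
 * on LeakSanitizer or valgrind, as in the thread. */
static int live_allocs;

static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

struct section {
    unsigned char *rawdata;   /* section bytes as stored in the file */
    size_t rawsize;
    int compressed;           /* stand-in for the SHF_COMPRESSED flag */
    char *zdata;              /* lazily filled decompressed copy (the cache) */
    size_t zsize;
};

/* Stand-in codec (assumption): "compression" is XOR with 0x5a, which is its
 * own inverse and keeps the size unchanged. Real libelf uses zlib. */
static unsigned char *model_codec(const unsigned char *in, size_t n)
{
    unsigned char *out = xmalloc(n);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ 0x5a;
    return out;
}

/* Like elf_strptr on a compressed string table: decompress on first use and
 * keep the result inside the section so later lookups are cheap. The caller
 * only ever sees a pointer into the cache, never the cache itself. */
static const char *section_strptr(struct section *s, size_t off)
{
    if (!s->compressed)
        return off < s->rawsize ? (const char *)s->rawdata + off : NULL;
    if (s->zdata == NULL) {
        s->zdata = (char *)model_codec(s->rawdata, s->rawsize);
        if (s->zdata == NULL)
            return NULL;
        s->zsize = s->rawsize;
    }
    return off < s->zsize ? s->zdata + off : NULL;
}

/* Re-encode the section's plain contents and install the result as the new
 * raw storage. Since the storage is replaced, the cached view is invalidated;
 * clearing the pointer without freeing it (release_cache == 0) is the leak. */
static int section_recompress(struct section *s, int release_cache)
{
    if (section_strptr(s, 0) == NULL)   /* makes sure the plain bytes exist */
        return -1;
    unsigned char *packed = model_codec((const unsigned char *)s->zdata, s->zsize);
    if (packed == NULL)
        return -1;
    xfree(s->rawdata);
    s->rawdata = packed;
    s->rawsize = s->zsize;
    s->compressed = 1;
    if (release_cache)
        xfree(s->zdata);
    s->zdata = NULL;
    s->zsize = 0;
    return 0;
}

/* Drive the fuzz target's ordering: look up a string in a compressed string
 * table (forcing decompression), then compress the section again without
 * ever requesting its data. Returns the number of buffers still outstanding
 * after the section is torn down; 0 means no leak, -1 means model failure. */
int run_sequence(int release_cache)
{
    static const char strtab[] = "\0foo\0bar";   /* constructed input, 9 bytes */
    size_t n = sizeof strtab;
    live_allocs = 0;
    struct section s = { 0 };
    s.rawdata = model_codec((const unsigned char *)strtab, n);
    if (s.rawdata == NULL)
        return -1;
    s.rawsize = n;
    s.compressed = 1;

    const char *name = section_strptr(&s, 1);      /* fills s.zdata */
    if (name == NULL || strcmp(name, "foo") != 0)
        return -1;
    if (section_recompress(&s, release_cache) != 0)
        return -1;
    name = section_strptr(&s, 5);                  /* cache rebuilt on demand */
    if (name == NULL || strcmp(name, "bar") != 0)
        return -1;
    xfree(s.rawdata);
    xfree(s.zdata);
    return live_allocs;
}

int main(void)
{
    printf("leaky ordering: %d buffer(s) outstanding\n", run_sequence(0));
    printf("cache released: %d buffer(s) outstanding\n", run_sequence(1));
    return 0;
}
```

Building this with `-fsanitize=address` and running it makes LeakSanitizer report the dropped cache for the leaky ordering in the same way ClusterFuzz did for libelf, since the first decompressed buffer genuinely goes out of reach. The general point for any library that caches derived data inside an object is that every operation which replaces the object's backing storage has to free or hand off every cached view, whether or not the caller ever observed that view.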
* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib

From: ClusterFuzz-External via monorail @ 2023-08-03 18:08 UTC
To: elfutils-devel

Updates:
  Labels: ClusterFuzz-Verified
  Status: Verified

Comment #2 on issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c2

ClusterFuzz testcase 4651173658099712 is verified as fixed in
https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202308021200:202308021800

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new