public inbox for elfutils@sourceware.org
* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: ClusterFuzz-External via monorail @ 2022-03-17  5:20 UTC (permalink / raw)
  To: elfutils-devel

Status: New
Owner: ----
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com 
Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible OS-Linux Security_Severity-Medium Engine-honggfuzz Proj-elfutils Reported-2022-03-17
Type: Bug-Security

New issue 45628 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628

Detailed Report: https://oss-fuzz.com/testcase?key=4673586076450816

Project: elfutils
Fuzzing Engine: honggfuzz
Fuzz Target: fuzz-libdwfl
Job Type: honggfuzz_asan_elfutils
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x7fffe2c93000
Crash State:
  strtol
  __libelf_next_arhdr_wrlock
  elf_begin
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://oss-fuzz.com/revisions?job=honggfuzz_asan_elfutils&range=202203161800:202203170000

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4673586076450816

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.


* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: da… via monorail @ 2022-03-17 14:31 UTC (permalink / raw)
  To: elfutils-devel


Comment #1 on issue 45628 by da...@adalogics.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c1

Attaches the reproducer testcase

Attachments:
	clusterfuzz-testcase-minimized-fuzz-libdwfl-4673586076450816.fuzz  16.0 KB


* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: da… via monorail @ 2022-03-17 14:33 UTC (permalink / raw)
  To: elfutils-devel


Comment #2 on issue 45628 by da...@adalogics.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c2

Stack trace from detailed report:
==2680==ERROR: AddressSanitizer: unknown-crash on address 0x7fd79225d000 at pc 0x00000044fd53 bp 0x7ffd96c8ead0 sp 0x7ffd96c8e288
READ of size 249 at 0x7fd79225d000 thread T0
SCARINESS: 16 (multi-byte-read-unknown-crash)
    #0 0x44fd52 in StrtolFixAndCheck(void*, char const*, char**, char*, int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3440:3
    #1 0x488f30 in strtol /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:484:3
    #2 0x5a4f1b in atol /usr/include/stdlib.h:368:10
    #3 0x5a4f1b in read_long_names /src/elfutils/libelf/elf_begin.c:766:13
    #4 0x5a4f1b in __libelf_next_arhdr_wrlock /src/elfutils/libelf/elf_begin.c:912:8
    #5 0x5a65c2 in dup_elf /src/elfutils/libelf/elf_begin.c:1061:10
    #6 0x5a65c2 in lock_dup_elf /src/elfutils/libelf/elf_begin.c:1119:10
    #7 0x5a65c2 in elf_begin /src/elfutils/libelf/elf_begin.c:1165:11
    #8 0x4e3732 in process_archive /src/elfutils/libdwfl/offline.c:251:17
    #9 0x4e3732 in process_file /src/elfutils/libdwfl/offline.c:125:14
    #10 0x4e4136 in __libdwfl_report_offline /src/elfutils/libdwfl/offline.c:287:22
    #11 0x4e4136 in dwfl_report_offline /src/elfutils/libdwfl/offline.c:316:10
    #12 0x4e120d in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:47:22
    #13 0x4d732b in main
    #14 0x7fd7930a70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #15 0x41d65d in _start

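The trace above points at atol (hdr->ar_size) in read_long_names. In the ar format ar_size is a 10-byte, space-padded ASCII decimal field with no terminating NUL, so strtol keeps consuming digits past the end of the field (a READ of size 249 in this report) and, once the header is the last thing in the mapped file, past the end of the buffer. What follows is an added example, not elfutils code, showing a width-bounded parser for that field next to the atol pattern. The struct layout and magic are the standard ar format; the helper names (parse_ar_decimal, ar_member_size, example_bounded, example_naive) and the sample headers are constructed for this illustration.

```c
/* Added example (not elfutils code): parse the fixed-width decimal fields
   of an "ar" member header without reading past the field.  */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ARMAG  "!<arch>\n"
#define SARMAG 8

struct ar_hdr
{
  char ar_name[16];   /* member name; "//" is the long-names table */
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];   /* decimal ASCII, space padded, NOT NUL terminated */
  char ar_fmag[2];    /* always "`\n" */
};

/* Bounded replacement for atol (field): reads at most WIDTH bytes, needs at
   least one digit, allows only trailing spaces, rejects overflow.  */
static bool
parse_ar_decimal (const char *field, size_t width, uint64_t *out)
{
  uint64_t val = 0;
  size_t i = 0;
  while (i < width && field[i] >= '0' && field[i] <= '9')
    {
      unsigned d = (unsigned) (field[i] - '0');
      if (val > (UINT64_MAX - d) / 10)
        return false;           /* would overflow */
      val = val * 10 + d;
      i++;
    }
  if (i == 0)
    return false;               /* no digits at all */
  for (; i < width; i++)
    if (field[i] != ' ')
      return false;             /* junk inside the field */
  *out = val;
  return true;
}

/* Validate the member header at OFFSET in a LEN-byte buffer (e.g. a mapped
   archive) and return the member size, or -1 if the header does not fit,
   ar_fmag is wrong, ar_size is malformed, or the body would run past LEN.  */
static long long
ar_member_size (const unsigned char *buf, size_t len, size_t offset)
{
  if (offset > len || len - offset < sizeof (struct ar_hdr))
    return -1;
  const struct ar_hdr *hdr = (const struct ar_hdr *) (buf + offset);
  if (memcmp (hdr->ar_fmag, "`\n", 2) != 0)
    return -1;
  uint64_t size;
  if (!parse_ar_decimal (hdr->ar_size, sizeof hdr->ar_size, &size))
    return -1;
  if (size > len - offset - sizeof (struct ar_hdr))
    return -1;
  return (long long) size;
}

/* Constructed test data: fill H as a "//" header.  SIZE and FMAG must not
   exceed their field widths.  */
static void
make_ar_hdr (struct ar_hdr *h, const char *size, const char *fmag)
{
  memset (h, ' ', sizeof *h);
  memcpy (h->ar_name, "//", 2);
  memcpy (h->ar_size, size, strlen (size));
  memcpy (h->ar_fmag, fmag, 2);
}

/* Archive magic + one header + BODY bytes of member data (BODY <= 64), run
   through the bounded parser.  */
static long long
example_bounded (const char *size, const char *fmag, size_t body)
{
  unsigned char buf[SARMAG + sizeof (struct ar_hdr) + 64];
  memset (buf, 'x', sizeof buf);
  memcpy (buf, ARMAG, SARMAG);
  make_ar_hdr ((struct ar_hdr *) (buf + SARMAG), size, fmag);
  return ar_member_size (buf, SARMAG + sizeof (struct ar_hdr) + body, SARMAG);
}

/* The atol pattern from the trace on a header whose ar_size is all digits
   and whose ar_fmag is digits too: atol does not stop at byte 10 of the
   field, it reads "000000004299" (twelve bytes) and returns 4299.  A NUL is
   placed right after the header so this demo stays in bounds; in the fuzzed
   archive nothing stopped the read before the end of the mapping.  */
static long
example_naive (void)
{
  unsigned char buf[SARMAG + sizeof (struct ar_hdr) + 1];
  memcpy (buf, ARMAG, SARMAG);
  make_ar_hdr ((struct ar_hdr *) (buf + SARMAG), "0000000042", "99");
  buf[sizeof buf - 1] = '\0';
  const struct ar_hdr *hdr = (const struct ar_hdr *) (buf + SARMAG);
  return atol (hdr->ar_size);
}
```

For the malformed header the bounded version already rejects it on ar_fmag; even with a valid ar_fmag it never reads more than the ten bytes of ar_size, whereas atol returns 4299 after reading twelve. The same width bound applies to the other numeric fields of the header (ar_date, ar_uid, ar_gid, ar_mode), and the final check that the member body fits inside the buffer is what keeps a large but well-formed ar_size from being used as an offset later.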

* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: evv… via monorail @ 2022-03-18 11:47 UTC (permalink / raw)
  To: elfutils-devel


Comment #3 on issue 45628 by evv...@gmail.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c3

> See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.

FWIW this bug isn't reproducible with libFuzzer and ASan and https://google.github.io/oss-fuzz/advanced-topics/reproducing/#reproducing-bugs seems to be out of date in the sense that it still says that only libFuzzer can be used there. Hopefully I'll fix the documentation once I've gotten round to it.


* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: evv… via monorail @ 2022-03-20  4:28 UTC (permalink / raw)
  To: elfutils-devel


Comment #4 on issue 45628 by evv...@gmail.com: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c4

> Hopefully I'll fix the documentation once I've gotten round to it.

I opened https://github.com/google/oss-fuzz/pull/7403 where I updated the documentation.
It isn't perfect in the sense that it should probably mention how to figure out which fuzzing
engines can be used to trigger issues reported by OSS-Fuzz and how to pass them
but it's good enough I think.


* Issue 45628 in oss-fuzz: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
From: ClusterFuzz-External via monorail @ 2022-03-22 14:16 UTC (permalink / raw)
  To: elfutils-devel

Updates:
	Labels: ClusterFuzz-Verified
	Status: Verified

Comment #5 on issue 45628 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c5

ClusterFuzz testcase 4673586076450816 is verified as fixed in https://oss-fuzz.com/revisions?job=honggfuzz_asan_elfutils&range=202203210605:202203211200

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

