public inbox for elfutils@sourceware.org
* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
       [not found] <0=71cc74a7ba1af446b7ed6b9a08b414d9=179906139b10d40134117f89b865bd88=oss-fuzz@monorail-prod.appspotmail.com>
@ 2023-07-27 20:44 ` ClusterFuzz-External via monorail
  2023-07-29 14:38   ` Mark Wielaard
  2023-07-29 22:00 ` evv… via monorail
  2023-08-03 18:08 ` ClusterFuzz-External via monorail
  2 siblings, 1 reply; 5+ messages in thread
From: ClusterFuzz-External via monorail @ 2023-07-27 20:44 UTC (permalink / raw)
  To: elfutils-devel


Status: New
Owner: ----
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com 
Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Stability-Memory-LeakSanitizer Engine-libfuzzer OS-Linux Proj-elfutils Reported-2023-07-27
Type: Bug

New issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887

Detailed Report: https://oss-fuzz.com/testcase?key=4651173658099712

Project: elfutils
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz-libelf
Job Type: libfuzzer_asan_elfutils
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  __libelf_decompress_zlib
  __libelf_decompress_elf
  get_zdata
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:202203170000

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4651173658099712

Issue filed automatically.

See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.

-- 
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.


* Re: Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
  2023-07-27 20:44 ` Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib ClusterFuzz-External via monorail
@ 2023-07-29 14:38   ` Mark Wielaard
  0 siblings, 0 replies; 5+ messages in thread
From: Mark Wielaard @ 2023-07-29 14:38 UTC (permalink / raw)
  To: Evgeny Vereshchagin; +Cc: elfutils-devel, ClusterFuzz-External via monorail

Hi Evgeny,

Do you happen to know what clusterfuzz is trying to tell us?  The
stack trace is not detailed enough to understand what is going on.
The reproducer is a corrupt ELF file with no indication of what code
is being run on it. And the detailed report is not accessible (it
seems to require a google or github account to login).

Thanks,

Mark

On Thu, Jul 27, 2023 at 01:44:24PM -0700, ClusterFuzz-External via monorail via Elfutils-devel wrote:
> Status: New
> Owner: ----
> CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com, izzeem@google.com 
> Labels: ClusterFuzz Stability-Memory-AddressSanitizer Reproducible Stability-Memory-LeakSanitizer Engine-libfuzzer OS-Linux Proj-elfutils Reported-2023-07-27
> Type: Bug
> 
> New issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887
> 
> Detailed Report: https://oss-fuzz.com/testcase?key=4651173658099712
> 
> Project: elfutils
> Fuzzing Engine: libFuzzer
> Fuzz Target: fuzz-libelf
> Job Type: libfuzzer_asan_elfutils
> Platform Id: linux
> 
> Crash Type: Direct-leak
> Crash Address: 
> Crash State:
>   __libelf_decompress_zlib
>   __libelf_decompress_elf
>   get_zdata
>   
> Sanitizer: address (ASAN)
> 
> Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:202203170000
> 
> Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4651173658099712
> 
> Issue filed automatically.
> 
> See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
> When you fix this bug, please
>   * mention the fix revision(s).
>   * state whether the bug was a short-lived regression or an old bug in any stable releases.
>   * add any other useful information.
> This information can help downstream consumers.
> 
> If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.


* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
       [not found] <0=71cc74a7ba1af446b7ed6b9a08b414d9=179906139b10d40134117f89b865bd88=oss-fuzz@monorail-prod.appspotmail.com>
  2023-07-27 20:44 ` Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib ClusterFuzz-External via monorail
@ 2023-07-29 22:00 ` evv… via monorail
  2023-07-30 12:03   ` Mark Wielaard
  2023-08-03 18:08 ` ClusterFuzz-External via monorail
  2 siblings, 1 reply; 5+ messages in thread
From: evv… via monorail @ 2023-07-29 22:00 UTC (permalink / raw)
  To: elfutils-devel



Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1

The full backtrace is
```
==178009==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
    #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
    #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
    #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
    #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
    #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
    #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
```

I haven't figured out how to trigger that memory leak without the fuzz target
but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
the sense that it calls elf_nextscn/elf_strptr/elf_compress.

The code triggering the memory leak is
https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20



* Re: Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
  2023-07-29 22:00 ` evv… via monorail
@ 2023-07-30 12:03   ` Mark Wielaard
  0 siblings, 0 replies; 5+ messages in thread
From: Mark Wielaard @ 2023-07-30 12:03 UTC (permalink / raw)
  To: elfutils-devel; +Cc: evv… via monorail

Hi,

On Sat, Jul 29, 2023 at 03:00:49PM -0700, evv… via monorail via Elfutils-devel wrote:
> 
> Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1
> 
> The full backtrace is
> ```
> ==178009==ERROR: LeakSanitizer: detected memory leaks
> Direct leak of 1 byte(s) in 1 object(s) allocated from:
>     #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
>     #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
>     #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
>     #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
>     #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
>     #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
>     #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
>     #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
> ```
> 
> I haven't figured out how to trigger that memory leak without the fuzz target
> but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
> the sense that it calls elf_nextscn/elf_strptr/elf_compress.
> 
> The code triggering the memory leak is
> https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20

Thanks, I can replicate it with that and valgrind.  The issue is when
elf_strptr has (partially) uncompressed the section data (to read the
uncompressed string), the program never requests the (uncompressed)
section data, but does (re)compress it.

Working on a fix.

Cheers,

Mark

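As an added example, not code from the thread, from libelf or from the OSS-Fuzz target, the following C model replays the ownership pattern Mark describes: a string lookup lazily decompresses a section into a cache, a later recompression replaces the stored bytes, and the question is whether that cache is released. Everything in it is constructed for the model: a toy run-length codec stands in for zlib, `struct section` is not libelf's `Elf_Scn`, and the function names are hypothetical. An allocation counter makes the leak observable without LeakSanitizer, so the same sequence can be checked in both its leaky and its fixed form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation bookkeeping so the leak is visible without LeakSanitizer. */
static int live_allocs = 0;
static void *tracked_malloc(size_t n) {
  void *p = malloc(n ? n : 1);
  if (p) live_allocs++;
  return p;
}
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Toy run-length codec standing in for zlib (constructed for this example). */
static unsigned char *rle_compress(const unsigned char *in, size_t n, size_t *out_n) {
  unsigned char *out = tracked_malloc(2 * n);
  size_t o = 0;
  if (!out) return NULL;
  for (size_t i = 0; i < n;) {
    size_t run = 1;
    while (i + run < n && in[i + run] == in[i] && run < 255) run++;
    out[o++] = (unsigned char) run;
    out[o++] = in[i];
    i += run;
  }
  *out_n = o;
  return out;
}
static unsigned char *rle_decompress(const unsigned char *in, size_t n, size_t *out_n) {
  size_t total = 0, o = 0;
  for (size_t i = 0; i + 1 < n; i += 2) total += in[i];
  unsigned char *out = tracked_malloc(total);
  if (!out) return NULL;
  for (size_t i = 0; i + 1 < n; i += 2)
    for (unsigned k = 0; k < in[i]; k++) out[o++] = in[i + 1];
  *out_n = total;
  return out;
}

/* A section with its stored bytes and a lazily decompressed cache.  This models
   the ownership question in the thread; it is not libelf's Elf_Scn layout. */
struct section {
  unsigned char *rawdata, *zdata;  /* compressed bytes; on-demand plain copy or NULL */
  size_t rawsize, zsize;
};

static int section_init(struct section *s, const char *strtab, size_t n) {
  s->rawdata = rle_compress((const unsigned char *) strtab, n, &s->rawsize);
  s->zdata = NULL; s->zsize = 0;
  return s->rawdata ? 0 : -1;
}

/* Like elf_strptr: decompress on first use, then hand out a pointer into the
   cache, but only if the string is NUL-terminated inside the buffer. */
static const char *section_strptr(struct section *s, size_t off) {
  if (s->zdata == NULL) {
    s->zdata = rle_decompress(s->rawdata, s->rawsize, &s->zsize);
    if (s->zdata == NULL) return NULL;
  }
  if (off >= s->zsize || memchr(s->zdata + off, '\0', s->zsize - off) == NULL)
    return NULL;
  return (const char *) s->zdata + off;
}

/* Rebuild the compressed bytes from the plain content.  With drop_cache == 0 the
   cache strptr created is merely forgotten (the leak); with 1 it is released. */
static int section_recompress(struct section *s, int drop_cache) {
  unsigned char *plain = s->zdata;
  size_t plain_n = s->zsize, fresh_n;
  int owned = 0;
  if (plain == NULL) {  /* nobody decompressed yet: do it for this call only */
    plain = rle_decompress(s->rawdata, s->rawsize, &plain_n);
    if (plain == NULL) return -1;
    owned = 1;
  }
  unsigned char *fresh = rle_compress(plain, plain_n, &fresh_n);
  if (owned) tracked_free(plain);
  if (fresh == NULL) return -1;
  tracked_free(s->rawdata);
  s->rawdata = fresh; s->rawsize = fresh_n;
  if (drop_cache) tracked_free(s->zdata);
  s->zdata = NULL; s->zsize = 0;  /* stale either way; only the fixed path freed it */
  return 0;
}

static void section_free(struct section *s) {
  tracked_free(s->rawdata); tracked_free(s->zdata);
  s->rawdata = s->zdata = NULL;
}

/* Replays the sequence from the thread (strptr, recompress, release) and
   returns how many allocations are still live: 1 on the leaky path, 0 on the fixed one. */
static int replay(int drop_cache) {
  static const char strtab[] = "\0.text\0.data\0aaaaaaaa";  /* constructed sample */
  struct section s;
  live_allocs = 0;
  if (section_init(&s, strtab, sizeof strtab) != 0) return -1;
  const char *name = section_strptr(&s, 1);
  if (name == NULL || strcmp(name, ".text") != 0) return -1;
  if (section_recompress(&s, drop_cache) != 0) return -1;
  section_free(&s);
  return live_allocs;
}

int main(void) {
  printf("leaky path: %d live allocation(s)\n", replay(0));
  printf("fixed path: %d live allocation(s)\n", replay(1));
  return 0;
}
```

The counter is the point: the leaky path ends with one buffer nobody owns, exactly the "1 object(s)" shape LeakSanitizer reported, while the fixed path frees the cache at the moment it becomes stale rather than relying on a later release that may never see it. The same accounting can be added around any lazily materialised buffer to check ownership across state changes under valgrind or a sanitizer.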

* Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
       [not found] <0=71cc74a7ba1af446b7ed6b9a08b414d9=179906139b10d40134117f89b865bd88=oss-fuzz@monorail-prod.appspotmail.com>
  2023-07-27 20:44 ` Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib ClusterFuzz-External via monorail
  2023-07-29 22:00 ` evv… via monorail
@ 2023-08-03 18:08 ` ClusterFuzz-External via monorail
  2 siblings, 0 replies; 5+ messages in thread
From: ClusterFuzz-External via monorail @ 2023-08-03 18:08 UTC (permalink / raw)
  To: elfutils-devel


Updates:
	Labels: ClusterFuzz-Verified
	Status: Verified

Comment #2 on issue 60887 by ClusterFuzz-External: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c2

ClusterFuzz testcase 4651173658099712 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202308021200:202308021800

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new


