From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: "evv… via monorail" <monorail+v2.2672886254@chromium.org>
Subject: Re: Issue 60887 in oss-fuzz: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
Date: Sun, 30 Jul 2023 14:03:09 +0200 [thread overview]
Message-ID: <20230730120309.GG28605@gnu.wildebeest.org> (raw)
In-Reply-To: <0000000000008b795d0601a754da@google.com>
Hi,
On Sat, Jul 29, 2023 at 03:00:49PM -0700, evv… via monorail via Elfutils-devel wrote:
>
> Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf: Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1
>
> The full backtrace is
> ```
> ==178009==ERROR: LeakSanitizer: detected memory leaks
> Direct leak of 1 byte(s) in 1 object(s) allocated from:
> #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
> #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
> #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
> #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
> #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
> #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
> #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
> #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
> ```
>
> I haven't figured out how to trigger that memory leak without the fuzz target
> but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
> the sense that it calls elf_nextscn/elf_strptr/elf_compress.
>
> The code triggering the memory leak is
> https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20
Thanks, I can replicate it with that and valgrind. The issue is when
elf_strptr has (partially) uncompressed the section data (to read the
uncompressed string), the program never requests the (uncompressed)
section data, but does (re)compress it.
Working on a fix.
Cheers,
Mark
next prev parent reply other threads:[~2023-07-30 12:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0=71cc74a7ba1af446b7ed6b9a08b414d9=179906139b10d40134117f89b865bd88=oss-fuzz@monorail-prod.appspotmail.com>
2023-07-27 20:44 ` ClusterFuzz-External via monorail
2023-07-29 14:38 ` Mark Wielaard
2023-07-29 22:00 ` evv… via monorail
2023-07-30 12:03 ` Mark Wielaard [this message]
2023-08-03 18:08 ` ClusterFuzz-External via monorail
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230730120309.GG28605@gnu.wildebeest.org \
--to=mark@klomp.org \
--cc=elfutils-devel@sourceware.org \
--cc=monorail+v2.2672886254@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).