From: Mark Wielaard <mark@klomp.org>
To: Evgeny Vereshchagin, elfutils-devel@sourceware.org
Cc: evv… via monorail
Subject: Re: Issue 62071 in oss-fuzz: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
Date: Thu, 07 Sep 2023 16:25:00 +0200
Message-ID: <2387505161d0bf24b8388b1955e517123fea0473.camel@klomp.org>
In-Reply-To: <000000000000aa01b70604c4c284@google.com>

On Thu, 2023-09-07 at 06:23 -0700, evv… via monorail via
Elfutils-devel wrote:
> Comment #2 on issue 62071 by evv...@gmail.com: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62071#c2
> 
> For some reason the testcase isn't public. I'll report it to OSS-Fuzz.
> 
> I uploaded the test case to GitHub so now it should be
> possible to download it from https://github.com/evverx/elfutils/files/12549426/clusterfuzz-testcase-fuzz-libdwfl-5999675550072832.gz
> 

Thanks. Unfortunately I have still been unable to replicate the crash.
But by reading the code carefully I think I have identified how this
might happen. You must get a somewhat unfortunate out of memory or
read error at precisely the wrong point.

The attached patch should fix it.

Cheers,

Mark

[-- Attachment: 0001-libelf-tdelete-dummy-key-if-anything-goes-wrong-sett.patch, text/x-patch --]

From 189a689a73db567f2c2ca30d805665672cae01b4 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Thu, 7 Sep 2023 16:14:43 +0200
Subject: [PATCH] libelf: tdelete dummy key if anything goes wrong setting up
 rawchunk

elf_getdata_rawchunk uses a binary search tree cache. If a rawchunk is
not yet in the cache we setup a new entry. But if anything went wrong
setting up the new rawchunk we would leave a NULL key in the
cache. This could blow up the next search. Fix this by removing the
(dummy) key from the cache on any failure.

	* libelf/elf_getdata_rawchunk.c (elf_getdata_rawchunk): Don't
	assign NULL to *found. Call tdelete if anything goes wrong.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libelf/elf_getdata_rawchunk.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libelf/elf_getdata_rawchunk.c b/libelf/elf_getdata_rawchunk.c
index cfd40396..05ff329c 100644
--- a/libelf/elf_getdata_rawchunk.c
+++ b/libelf/elf_getdata_rawchunk.c
@@ -107,8 +107,10 @@ elf_getdata_rawchunk (Elf *elf, int64_t offset, size_t size, Elf_Type type)
       goto out;
     }
 
-  /* New entry.  */
-  *found = NULL;
+  /* New entry.  Note that *found will point to the newly inserted
+     (dummy) key.  We'll replace it with a real rawchunk when that is
+     setup.  Make sure to tdelete the dummy key if anything goes
+     wrong.  */
 
   size_t align = __libelf_type_align (elf->class, type);
   if (elf->map_address != NULL)
@@ -134,6 +136,7 @@ elf_getdata_rawchunk (Elf *elf, int64_t offset, size_t size, Elf_Type type)
       if (rawchunk == NULL)
 	{
 	nomem:
+	  tdelete (&key, &elf->state.elf.rawchunks, &chunk_compare);
 	  __libelf_seterrno (ELF_E_NOMEM);
 	  goto out;
 	}
@@ -144,6 +147,7 @@ elf_getdata_rawchunk (Elf *elf, int64_t offset, size_t size, Elf_Type type)
 		    != size))
 	{
 	  /* Something went wrong.  */
+	  tdelete (&key, &elf->state.elf.rawchunks, &chunk_compare);
 	  free (rawchunk);
 	  __libelf_seterrno (ELF_E_READ_ERROR);
 	  goto out;
-- 
2.41.0
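Review bot: in the first hunk (@@ -107,8 +107,10 @@), dropping `*found = NULL` changes what a failure leaves in the tree from a NULL key to a pointer at the local `key`, which goes out of scope when elf_getdata_rawchunk returns; the new comment should say that the node points at a stack variable, because any exit between this point and the final store of the real rawchunk that is not one of the two patched error paths would now leave a dangling key instead of a NULL one (still a bad read in chunk_compare, just a harder one to spot). The code between `if (elf->map_address != NULL)` and the `nomem:` label is outside the diff, so please confirm it contains no other `goto out`.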
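Review bot: in the `nomem:` hunk (@@ -134,6 +136,7 @@), placing `tdelete (&key, &elf->state.elf.rawchunks, &chunk_compare);` at the label means every `goto nomem` now removes `key`, which is only meaningful for jumps taken after the tsearch insertion; a jump from before it would make tdelete search for a key that is not in the tree (harmless, but worth a one-line comment at the label). Since the same call is now needed on each failure path, consider a single cleanup at `out:` guarded by a flag that is set once the real rawchunk has been stored in the node, so a future error path cannot forget it.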
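Review bot: in the read-error hunk (@@ -144,6 +147,7 @@), the ordering is right: tdelete runs while `key` is still the node's key and before `free (rawchunk)`, and because `*found` has not yet been set to `rawchunk` on this path the tree never references freed memory. The `/* Something went wrong.  */` comment sits directly above the new call and could say that the dummy key is being dropped, so the reason is visible at this site and not only in the first hunk's comment. Given that the crash could not be reproduced from the fuzzer input, a regression test that forces this path (a rawchunk request extending past the end of the file, followed by a second elf_getdata_rawchunk call with the same offset, size and type) would pin the fix down.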
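The failure mode Mark describes (a dummy key left in the tsearch() cache when setup fails, so the next search hands chunk_compare a NULL) and the tdelete fix from the patch, modelled as a standalone C program. This is added example code, not elfutils code: the `struct chunk`/`struct cache` layout, the `fail_next_setup` fault-injection flag, the `current_cache` global, the 64-byte "file" and the NULL-tolerant comparator (which records the event where libelf's real chunk_compare would dereference and crash) are all assumptions of the model.

```c
#define _XOPEN_SOURCE 700
#include <search.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a tsearch()-based chunk cache keyed on (offset, size, type), the
   shape of libelf's rawchunk cache.  Standalone example code, not libelf. */
struct chunk { int64_t offset; size_t size; int type; int ready; };

struct cache {
  void *root;            /* tsearch() tree root */
  int fixed;             /* 0: pre-patch behaviour, 1: tdelete the dummy key on failure */
  int fail_next_setup;   /* fault injection: make the next miss fail as if ENOMEM */
  int null_key_seen;     /* set when the comparator is handed a NULL key */
};

/* tsearch() comparators take no user argument; the active cache lives in a global. */
static struct cache *current_cache;

static int chunk_compare (const void *a, const void *b)
{
  const struct chunk *ca = a, *cb = b;
  if (ca == NULL || cb == NULL) {       /* libelf's chunk_compare dereferences here */
    current_cache->null_key_seen = 1;   /* and crashes; the model records it instead */
    return (ca == NULL) - (cb == NULL); /* keep NULL ordered consistently */
  }
  if (ca->offset != cb->offset) return ca->offset < cb->offset ? -1 : 1;
  if (ca->size != cb->size) return ca->size < cb->size ? -1 : 1;
  return (ca->type > cb->type) - (ca->type < cb->type);
}

/* Cached chunk for (offset, size, type); on a miss "read" it from a file of
   FILE_SIZE bytes.  Returns NULL on failure. */
static struct chunk *cache_get (struct cache *c, int64_t offset, size_t size,
                                int type, size_t file_size)
{
  current_cache = c;
  struct chunk key = { offset, size, type, 0 };   /* dummy key, on the stack */
  struct chunk **found = tsearch (&key, &c->root, chunk_compare);
  if (found == NULL)
    return NULL;                /* tsearch() could not allocate a node */
  if (*found != &key)
    return *found;              /* cache hit */

  /* New entry: the tree node now points at the stack dummy. */
  if (!c->fixed)
    *found = NULL;              /* pre-patch: any failure below leaves this NULL behind */
  struct chunk *rawchunk = NULL;
  if (c->fail_next_setup) { c->fail_next_setup = 0; goto fail; }   /* simulated ENOMEM */
  if (offset < 0 || (uint64_t) offset + size > file_size)
    goto fail;                  /* simulated short read */
  if ((rawchunk = malloc (sizeof *rawchunk)) == NULL)
    goto fail;
  *rawchunk = key;
  rawchunk->ready = 1;
  *found = rawchunk;            /* replace the dummy with the real entry */
  return rawchunk;

fail:
  free (rawchunk);
  if (c->fixed)
    tdelete (&key, &c->root, chunk_compare);   /* the patch: drop the dummy key */
  return NULL;
}

/* Free every entry; a node starts with its key pointer (the layout tfind()'s
   return value relies on).  free (NULL) is a no-op for the buggy tree's NULL key. */
static void cache_destroy (struct cache *c)
{
  current_cache = c;
  while (c->root != NULL) {
    struct chunk *k = *(struct chunk **) c->root;
    tdelete (k, &c->root, chunk_compare);
    free (k);
  }
}

/* first_ok: forced-failure lookup returned an entry; second_ok: retry worked;
   hit: a third lookup returned the retry's entry; null_key_seen: the crash. */
struct outcome { int first_ok, second_ok, hit, null_key_seen; };

/* One forced failure, a retry, then a repeat lookup of the same chunk of a
   constructed 64-byte "file". */
static struct outcome run_scenario (int fixed)
{
  struct cache c = { NULL, fixed, 1, 0 };
  struct chunk *first = cache_get (&c, 0, 16, 1, 64);
  struct chunk *second = cache_get (&c, 0, 16, 1, 64);
  struct chunk *third = cache_get (&c, 0, 16, 1, 64);
  struct outcome o = { first != NULL, second != NULL,
                       second != NULL && third == second, c.null_key_seen };
  cache_destroy (&c);
  return o;
}

int main (void)
{
  struct outcome buggy = run_scenario (0), patched = run_scenario (1);
  printf ("pre-patch: comparator met a NULL key = %d\n", buggy.null_key_seen);
  printf ("patched:   comparator met a NULL key = %d, retry cached = %d\n",
          patched.null_key_seen, patched.hit);
  return 0;
}
```

`run_scenario (0)` reproduces the pre-patch state: the retry only succeeds because the model's comparator tolerates NULL; in libelf that same retry is the reported NULL read in chunk_compare. `run_scenario (1)` shows the tree empty after the failed setup, so the retry is inserted normally and a further lookup for the same (offset, size, type) hits it.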