Subject: Re: Fuzzing elfutils
From: Philippe Antoine
In-Reply-To:
Date: Sat, 22 Oct 2022 11:27:14 +0200
Cc: "Frank Ch. Eigler" ,
elfutils-devel@sourceware.org,
david korczynski ,
izzeem@google.com
Message-Id: <5321B467-3B16-4E7F-A854-98EC8AD6B2C1@catenacyber.fr>
References: <199C1200-40AC-4AD2-89D4-24E172CBA353@catenacyber.fr>
<20221021132253.GD24703@redhat.com>
To: Evgeny Vereshchagin
Thanks Evgeny.
Could you explain to me why you think it is a false positive?
> On 21 Oct 2022, at 21:57, Evgeny Vereshchagin wrote:
>
>>>> Cf https://oss-fuzz.com/testcases?open=yes&q=Arbitrary&proj=elfutils
>>
>> This is inaccessible without logins.
>=20
> To judge from https://github.com/google/oss-fuzz/tree/master/infra/experimental/SystemSan#arbitrary-file-open
> that new experimental fuzzer
> isn't documented yet but as far as I can tell it flags "tainted"
> strings passed to the open syscall. That backtrace points to
> https://sourceware.org/git/?p=elfutils.git;a=blob;f=libdwfl/dwfl_segment_report_module.c;h=28f87f10dd3962082ec4b995f43069ffc4b5e3d4;hb=HEAD#l784
> and I think it's a false positive. Looking at
> https://github.com/google/oss-fuzz/issues/8497 it seems it should be
> possible
> to turn it off eventually.
>
> Thanks,
> Evgeny Vereshchagin